Archive for the ‘Records Retention’ Category

Metadata is getting a lot of press lately, especially among companies that are wrestling with the new electronic discovery standards issued by the US Supreme Court. But what is it really?

Technically, metadata is data about other data. If the customer’s address is data, the number of entries in your address book is metadata. If the body of a Word document is data, the date you last opened the file is metadata. If the values in an Excel spreadsheet are data, the formulas in each cell are metadata.

From a legal point of view, metadata is everything about the document that’s not immediately visible when the document is printed. It includes all the MS Office "properties" like file size, author and character count. It also includes any hidden features such as the old versions that are still buried in the document when you leave the Track Changes option on. It includes formulae in spreadsheets and formatting commands like the print area.

For most normal uses, the metadata about a document is just background. We take it for granted and almost always ignore it. But if your metadata reveals facts that you wanted to keep private, it can be embarrassing and expensive. In one case, a major pharmaceutical company deleted some study data from a report – and got caught when the New England Journal of Medicine looked in the Tracked Changes to show the deleted comments. In another case, a confidential White House policy paper about Iraq was outed when a quick command revealed the report’s author. In yet another case, officials covered up classified information with black bars, not realizing that readers could easily uncover the text by copying it from under the black and pasting it elsewhere.

When you get into a legal situation, metadata becomes even more important. Metadata is used to show “who knew it and when they knew it” – to provide the context around the document in question. Metadata can either clear you or convict you. Because of its importance, metadata must be preserved and unaltered when you are collecting documents that will be used in court. This is hard because routine Windows operations will change the metadata just by opening the file. Make sure that you have the tools you need to keep metadata intact before you get into the lawsuit.

And, of course, be very careful before you post a document publicly. Make sure you clean out the metadata that you don’t want public.
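As an added example (not code from the original tip), the following Python script looks in the two hidden places the post describes inside a .docx, the author property and the Track Changes markup, reports what it finds, and writes a cleaned copy with the author blanked and every tracked change accepted. The sample document is constructed inline; the XML namespaces are the standard Office Open XML ones.

```python
import io
import xml.etree.ElementTree as ET
import zipfile
NS = {"w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",  # Office Open XML namespaces
      "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/"}

def pack(parts: dict) -> bytes:  # a .docx is a zip archive of XML parts
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        for name, blob in parts.items():
            z.writestr(name, blob)
    return out.getvalue()

def build_sample_docx() -> bytes:  # constructed sample, not a real document
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            '<dc:creator>jdoe</dc:creator><cp:lastModifiedBy>jdoe</cp:lastModifiedBy></cp:coreProperties>')
    doc = (f'<w:document xmlns:w="{NS["w"]}"><w:body><w:p><w:r><w:t>Results were favourable.</w:t></w:r>'
           '<w:del w:author="jdoe"><w:r><w:delText> Two adverse events omitted.</w:delText></w:r></w:del>'
           '<w:ins w:author="jdoe"><w:r><w:t> Reviewed.</w:t></w:r></w:ins></w:p></w:body></w:document>')
    return pack({"docProps/core.xml": core, "word/document.xml": doc})

def inspect_docx(data: bytes) -> dict:  # what a reviewer should check before a document is published
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        doc = ET.fromstring(z.read("word/document.xml"))
    return {
        "creator": core.findtext("dc:creator", default="", namespaces=NS),
        "tracked_insertions": len(doc.findall(".//w:ins", NS)),
        "tracked_deletions": len(doc.findall(".//w:del", NS)),
        "deleted_text": "".join(t.text or "" for t in doc.findall(".//w:delText", NS)),
    }

def sanitize_docx(data: bytes) -> bytes:  # blank the author fields and accept every tracked change
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = {n: z.read(n) for n in z.namelist()}
    core = ET.fromstring(parts["docProps/core.xml"])
    for el in core.findall("dc:creator", NS) + core.findall("cp:lastModifiedBy", NS):
        el.text = ""                       # fields that are absent are simply skipped
    doc = ET.fromstring(parts["word/document.xml"])
    for parent in list(doc.iter()):        # snapshot, because children are mutated below
        for child in list(parent):
            if child.tag == f"{{{NS['w']}}}del":
                parent.remove(child)       # deleted text is gone, not lurking in the file
            elif child.tag == f"{{{NS['w']}}}ins":
                idx = list(parent).index(child)
                parent[idx:idx + 1] = list(child)  # keep the inserted runs, drop the marker
    parts["docProps/core.xml"], parts["word/document.xml"] = ET.tostring(core), ET.tostring(doc)
    return pack(parts)
```

Real documents carry other hidden parts (comments, custom properties, embedded thumbnails) that a complete clean-up also has to cover, so treat this as the shape of the check rather than a finished tool.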

How secure are you from identity theft? For all that we are (and ought to be) worried about hackers and other threats to our electronic information, researchers estimate that 55% of all cases of identity theft are based on information from paper. Could someone find credit card numbers, bank account numbers or social security numbers in your trash?

Garbage left at curbside is considered to be in the public domain. That means it’s not illegal for someone to take items out of your trash. And don’t think that someone won’t go through it just because it’s mixed in with the dirty diapers. In many municipalities, all the waste is opened and manually sorted as part of the area’s recycling program. In Medina County, for example, your trash is touched by about 20 people between the time you put it in your trash can and it ends at the bottom of the landfill. Your credit card statement is a great temptation.

Home-quality shredders are available for as low as $40. If you don’t yet have a shredder at home, you need one. We all need to be concerned with how much of our information can be accessed from our mail, including our credit card and bank statements, and any other piece of mail that may provide confidential information. Anything that has your name, address, phone number or any kind of account number on it should be shredded before discarding. Credit cards should be destroyed by cutting the card across the number.

There are two basic kinds of shredders: strip-cut and cross-cut. Most of the cheaper shredders are strip-cut. They cut the pages into strips between 1/8 and 1/4 inches wide. Cross-cut shredders (also called "confetti-cut") will chop the strips into smaller pieces, and thus provide much greater protection. The other factors commonly used to compare shredders are durability and capacity (how many pages can it shred at a time without jamming).

Note: Keep the shredder unplugged or locked away when young children are around.

This Tip was first run in October 2006. This "encore tip" is a reminder to be professional in email.

Halloween is a time for scary stories – tales of vampires and ghouls rising from the dead to terrify innocents – a time when things that you thought were dead and buried come back to haunt you.

Unfortunately, the analogy between badly written email and the undead is sometimes all too appropriate. A hasty word can return to haunt you long after you hit the send button and thought the conversation was over. Careers have been destroyed, money lost and relationships ruined when an email returned from beyond.

Americans have a bad habit of treating email very casually – as an extension of our last phone conversation or a continuation of the chat in the hallway. We assume that the message is private and that the recipient will understand the context and correctly interpret our tone.

In fact, email is more like a postcard – anyone can read it while it’s in transit and any of the recipients can save it, forward it or post it to the internet. Electronic copies can remain in archives and electronic message hubs all over the Internet – places that neither the sender nor the recipient can control. Emails can be subpoenaed and forced into the public record. You have no right of privacy in your email, either sent or received. When you write an email, you must assume that it will be read by an unknown and unforeseen audience.

That unknown audience will assume that you carefully crafted and wordsmithed your message (or, if not, that the hurried email is evidence of the writer’s “real state of mind”). They will not believe that you were “just joking” and won’t care that you were trying to dash off a quick note. They will interpret the tone according to their own preconceptions.

Always assume that anything you write will come out at the worst possible time and in the worst possible light. Be professional in your email. Include enough context that the unforeseen reader understands the message. Be personable yet professional in tone. (In particular, never use sarcasm in email.) Never write anything that you would be embarrassed to see on the front page of tomorrow’s newspaper.

Remember, email can come back to haunt you.

Whether you use shared folders or keep files on your personal drive, eventually others in your organization will need to find some of the files that you’ve created or saved. Electronic searches help some but it’s still important to file your ad-hoc documents carefully if you ever hope to find them again. In order to help the rest of your team members (especially future team members) understand your new filing system, I strongly recommend creating a very small file in each folder describing the:

  • purpose of the folder
  • owner of the folder
  • intended audience and users of the folder – who should and should not have access
  • retention period – how long should we generally keep the documents in the folder

If you name the file _readme.txt, the leading underscore will cause the file to sort itself to the top of the list where everyone can find it. Here’s an example of one I created to describe the folder where I hold my InfoSec Tips drafts: _readme.txt

When deciding on the appropriate retention period, refer to your organizational Retention Policy for guidance. And remember that “forever” is technically possible but outrageously expensive for electronic documents. Westfield is 159 years old. If they say that a document should be kept “forever”, they are handing their IT department a blank check to spend whatever it takes to make sure that the document will still be here in another 159 years. There aren’t very many documents with that kind of business need. Make your best estimate of the realistic business need for the documents in the folder. Also remember that saying you want to keep a document for 12 months does not mean that it will be automatically deleted. You (or someone in your organization) will still have to clean out the folder when the documents are no longer necessary.
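Since the retention period in a _readme.txt does not delete anything by itself, here is an added example (not from the original tip) of a small Python audit that reads the retention line from each folder's _readme.txt and lists the files that have outlived it. The "Key: value" layout of the file, the sample folder and the file names are all assumptions constructed for the example.

```python
import os
import tempfile
import time

# Assumed _readme.txt layout (the tip fixes none): "Key: value" lines for the four items it lists.
SAMPLE_README = """Purpose: drafts of InfoSec Tips before they are sent out
Owner: jdoe
Audience: security team; read-only for the rest of IT
Retention: 12 months
"""

def parse_readme(text: str) -> dict:  # "Key: value" lines, keys lower-cased
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def retention_months(fields: dict):  # months, or None for missing, "forever" or unparsable values
    parts = fields.get("retention", "").lower().split()
    if len(parts) == 2 and parts[0].isdigit():
        n = int(parts[0])
        if parts[1].startswith("month"):
            return n
        if parts[1].startswith("year"):
            return 12 * n
    return None

def expired_files(folder: str, now: float) -> list:  # files modified before the folder's retention cutoff
    readme = os.path.join(folder, "_readme.txt")
    if not os.path.exists(readme):
        return []
    with open(readme) as f:
        months = retention_months(parse_readme(f.read()))
    if months is None:
        return []    # "forever" or no rule: nothing to flag, but somebody still has to decide
    cutoff = now - months * 30.44 * 86400
    return sorted(name for name in os.listdir(folder)
                  if name != "_readme.txt" and os.path.getmtime(os.path.join(folder, name)) < cutoff)

def demo() -> list:  # constructed folder with one stale and one fresh draft; returns the stale names
    folder = tempfile.mkdtemp()
    with open(os.path.join(folder, "_readme.txt"), "w") as f:
        f.write(SAMPLE_README)
    now = time.time()
    for name, age_days in (("tip-2006-10.txt", 400), ("tip-draft.txt", 5)):
        path = os.path.join(folder, name)
        open(path, "w").close()
        os.utime(path, (now - age_days * 86400,) * 2)   # back-date the sample file
    return expired_files(folder, now)
```

The report only lists candidates; a person who knows the business need still decides what actually leaves the folder.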

Under Federal Trade Commission regulation, any information about an individual that is derived from a consumer report or is a compilation of such records must be properly destroyed. These days, almost all customer information has some connection to a consumer report and is covered under this regulation (scroll to pg 32).

The regulation does not actually require shredding but for most of us, that is the only cost-effective way to comply with the regulation’s requirements for destruction. Papers in regular trash are exposed to the public and any private information on those papers can be misused by an identity thief. It can cost your customers thousands of dollars to get their identity back and could be considered a violation of federal privacy laws.

I strongly recommend a "shred all paper" policy for your office because there is too much risk that a piece of personal information will be overlooked on the back side of a form or that the page was used for scratch paper while you were on the phone. It’s also easier to enforce the policy when you have a simple rule like "No office paper may be thrown away in the regular trash."

Very small offices can get away with a personal shredder. If you’ve got more than about 10 or 15 people in the office, it’s probably more cost-effective to contract with a reputable shredding vendor who will pick up and properly dispose of your paper waste. Most of the shredding vendors will provide locked bins where the paper waste can be stored until pickup. Have enough bins to be convenient for staff.