Tuesday, February 10, 2009

Security breach = malpractice?

The FAA had a security breach of non-air traffic control systems that resulted in loss of confidential employee info.

http://www.newsweek.com/id/184051

*Official statement from the FAA: http://www.faa.gov/news/press_releases/news_story.cfm?newsId=10394

Some interesting points

-The end of the article implies (without proving) that this was the second breach of this same FAA network and nothing was done the first time.

-Some of the data stolen was encrypted employee medical information. (*I'm wondering why the FAA would need to store medical records. Is this common in non-health organizations? Is this data covered by the same standards as health information technology?)


But the reason I wanted to post this was the following sentence: 

"Our information technology systems people need to take a long hard look at themselves and their capabilities. This is malpractice in their world." -Tom Waters, president of American Federation of State, County and Municipal Employees Local 3290


So the questions here are:

Is there such a thing as IT malpractice? Is a security breach indicative of IT malpractice? Are multiple breaches proof of malpractice? Let's take these on one by one:

-Is there such a thing as IT malpractice?

malpractice - Mistakes or negligent conduct by a professional person, especially a physician, that results in damage to others, such as misdiagnosis of a serious illness. Damaged parties often seek compensation by bringing malpractice suits against the offending physician or other professional.

I think the key part of the definition here is "professional". While IT as an industry has all of the challenges of any other "professional" industry, we do not have a central body to certify professionals. By that I mean that while there are various vendor and organizational certifications, we do not have a formal licensing body. So I don't believe we meet the legal definition of professionals, which means that we are incapable of malpractice.

-Is a security breach indicative of IT malpractice?

delinquency - Failure in or neglect of duty or obligation; dereliction; default: delinquency in payment of dues.

Based on the above, let's substitute the word delinquency for malpractice. Here I think it depends on the specifics of the incident itself. If you maintained good security best practices, then you were probably not delinquent. If you did not (leaving the default, easy, or no password on your firewalls and routers; not maintaining audit trails; not restricting access rights to the minimum necessary), then I would call that delinquent. If the IT department was delinquent it should certainly be held accountable, but we do not have enough information here to indicate that.

-Are multiple breaches proof of malpractice (delinquency)?

Proof? Probably not. But it is certainly indicative. Any security breach should be followed by a post-mortem investigation and response. Two security incidents using the same attack vector over a period of time would suggest that the post-mortem was not done, or wasn't done well, and would be a reflection on the IT team.



malpractice. (n.d.). The American Heritage® New Dictionary of Cultural Literacy, Third Edition. Retrieved February 10, 2009, from Dictionary.com website: http://dictionary.reference.com/browse/malpractice

delinquency. (n.d.). Dictionary.com Unabridged (v 1.1). Retrieved February 10, 2009, from Dictionary.com website: http://dictionary.reference.com/browse/delinquency

Lesson Learned: MS Terminal Services - Volatile Memory

Had an interesting issue with Microsoft terminal services the other day.  I'm still wrapping my head around this so there may be some inaccuracies here; I'll do my best to correct them as I find them.  Apparently environment variables are stored in "volatile memory", which can cause problems in applications that use common logins and environment variables.

Specifically, we have a single service account that is used by several thin client devices.  The account logs in to the terminal server automatically and launches an application.  (The application itself requires a login so our security exposure is tolerable.)  As the application is launched the %clientname% environment variable is read and sent to the application so that workstation specific workflows can be configured.

Now the interesting part.  When 2 or more thin clients log in within 1 second of each other, they can "steal" each other's names.  This was tied back to the %clientname% environment variable changing between the initial login and the moment %clientname% is sent to the application.  It seems that when the second thin client logs in as the first is launching the application, the second overwrites the environment variables (all within the same user profile, because a shared service account is used), resulting in the second thin client's name being used for both.  So...  Environment variables are user specific, not session specific.

Work arounds:
1)  Configure different service accounts for each workstation/client.
2)  Require end users to log in with their own credentials rather than using a service account.
3)  Use non-volatile session specific variables in the WMI instead of environment variables.
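As an added illustration of workaround 3 (this is example code, not from the original post), the script below reads the client name for the current session through the Terminal Services API (WTSQuerySessionInformation with the WTSClientName class) instead of the process-wide %CLIENTNAME% variable. Querying the session directly is the technique swapped in here in place of the WMI variables the post mentions; the shared-account scenario, the launched application and its parameters are assumed.

```powershell
# Added example: resolve the RDP client name per *session* rather than via the
# %CLIENTNAME% environment variable, which a concurrent logon of the same
# shared service account can overwrite between logon and application launch.
# Assumes it runs inside a Terminal Services / Remote Desktop session.

Add-Type -Namespace Wts -Name Native -MemberDefinition @"
[DllImport("wtsapi32.dll", CharSet=CharSet.Unicode, SetLastError=true)]
public static extern bool WTSQuerySessionInformation(
    IntPtr hServer, int sessionId, int infoClass,
    out IntPtr buffer, out int bytesReturned);

[DllImport("wtsapi32.dll")]
public static extern void WTSFreeMemory(IntPtr buffer);
"@

function Get-SessionClientName {
    # WTS_CURRENT_SERVER_HANDLE = IntPtr.Zero, WTS_CURRENT_SESSION = -1,
    # WTSClientName = 10 in the WTS_INFO_CLASS enumeration.
    $buf = [IntPtr]::Zero
    $len = 0
    $ok = [Wts.Native]::WTSQuerySessionInformation([IntPtr]::Zero, -1, 10, [ref]$buf, [ref]$len)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "WTSQuerySessionInformation failed with Win32 error $err"
    }
    try {
        return [Runtime.InteropServices.Marshal]::PtrToStringUni($buf)
    } finally {
        [Wts.Native]::WTSFreeMemory($buf)
    }
}

# Compare the two sources. Under the race described in the post, $env:CLIENTNAME
# can already belong to another thin client while the session value is still ours.
$fromSession = Get-SessionClientName
$fromEnv     = $env:CLIENTNAME
if ($fromSession -ne $fromEnv) {
    Write-Warning "CLIENTNAME mismatch: env='$fromEnv' session='$fromSession' (using session value)"
}

# Hypothetical application launch: the real path and switch are assumptions.
# & 'C:\Apps\Workflow.exe' "/client=$fromSession"
```

Because the value comes from the session object rather than the user profile, two sessions of the same account cannot clobber each other's result; the warning line also makes the race observable in logs, which is the evidence a post-mortem would want.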

Wednesday, February 4, 2009

What is a CTO?

Recently I was asked what the good qualities in a CTO are...  Following is the somewhat overstated answer I came up with.  Interestingly enough, when I was offered my CTO job I looked for job descriptions and didn't have much luck.  I went into the job knowing I would have to wing it until I figured out how the relationship would work.  Maybe this will make it just a tad easier for the next up-and-coming CTO.

Well, it's a tougher question than you may think, but I'll give it a go. I think most of this is developed between the CIO and CTO; they figure out their own boundaries and cover for each other, with some specific differences.

I like to think of the relationship in terms of a restaurant. The restaurant manager (CIO) is the public face of the department. (S)He makes sure the customer is happy, that they've gotten what they expected in a timely manner and that the back is delivering. The head chef (CTO) is responsible for the back of the house. (S)He makes sure all the specific components are in the food, the food is fully cooked and safe, and that there is consistency across meals. To step away from the analogy, the CIO is responsible for politics and departmental direction. The CTO is responsible for the technical direction and vision. Both roles cross over, though. A CTO should be able to step into an IT political travesty and bring it back under control, and a CIO should be able to determine if an architecture diagram is flawed.

The big difference is vision versus direction. The CIO should be watching technology as it is today. The CTO should be watching (or creating) technology as it will become. 

All that said, what are the qualities of a good CTO? 

-STRONG ability to talk about technology at the executive level in a non-technical way 
-Solid political (be it internal, vendor, partner or client) understanding and empathy 
-Solid project management 
-Understanding of business goals and challenges 
-Ability to be flexible as things change 
-Established IT leadership both in the trenches and as a manager 
-Ability to make quick correct decisions and take control in an emergency/disaster 
-Passion for your employees and desire to see their careers grow (Mentor) 
-Obsessive compulsive need to stay on top of the latest technology trends and offerings 
-Willingness to work well over 40 hours a week 
-Last but not least... A solid understanding of technology across IT specializations. You will be the one keeping IT directors in check, so you will need to know networking, server administration, development, project management, help desk operations, database management, etc... at a specialist's level. Well enough to know when someone is trying to pull the wool over your eyes. If you don't feel that you could step in and cover for any of your directors in an emergency, you are probably not qualified to be a CTO (yet).

I'd be interested to see what some of the other CTOs out there have to say about this. Like I said, every CTO/CIO relationship is different, so I expect there would be some variance from my comments.

Hope that helps!