A lot of buzz has been generated recently as a result of charges and allegations against LIGATT Security and Gregory Evans. A recent article from The Register lists the major complaints.

I don’t have any first-hand experience with or knowledge of LIGATT or Gregory Evans. However I find this whole discussion interesting, and it raises a question for me.

What role does integrity play in the personal and professional life of an information security professional?

One of my professors at Dallas Theological Seminary once defined integrity as “doing what’s right even though no one is watching.” That has worked well for me.

I see these components of integrity at play in the LIGATT situation:

• Permission – Evans is accused of plagiarism in a recent book. Multiple authors claim that he used their material without permission. A significant part of integrity, then is using other people’s work only with their express permission. It doesn’t matter if that work is written, or just ideas. You can’t take what you know is the work of someone else and use it with the claim that it is yours.

• Honesty – Evans is also accused of falsifying or mis-representing his time in prison and his relationship with Kevin Mitnick. If someone cannot be trusted to tell the truth about their life, then how can you count on them to honestly present facts and finding from their work. Many times we are put in positions where we have access to confidential information. We must be honest in all of our dealings.

• Disclosure – The temptation exists to withhold certain information, at times, in an effort to bolster a certain position. Negotiations with vendors or unions often rely on this ploy. Sometimes, we are tempted to withhold information from the boss, because the full disclosure might make us look bad. There may sometimes be legitimate reasons for not disclosing all information. Make sure that the reasons for this are legitimate, and not simply to make yourself look good.

Like I said at the start, I don’t know Gregory Evans, nor do I have any experience with LIGATT. But, we all can learn some lessons from the recent flurry.

Let’s do our jobs with integrity, ok?

- Dan

President Ronald Reagan said, “Trust, but verify.” I used to hold fast to that, but recently have learned that you cannot, nor should you, always verify.

Trust is a critical foundational element of life, government and information security.

Things would be different if trust was non-existant…

• Husbands and wives would always be paranoid.
• Negotiations between teachers and school boards would always go to impasse.
• You wouldn’t have any confidence in your antivirus or IDS system.

Right now, you’re probably saying that is the way things already are. To some extent you are right.

Distrust between two parties is as natural as entropy.

But, consider some of the ways that you do trust.

• You trust that the gas pump gives you what you pay for and that the meter is accurate.
• You trust that the government who puts the accreditation sticker on the gas pump has actually tested it.
• You trust that the person testing the gas pump knows how to accurately test it.
• You trust that the magnetic card reader for swiping your credit or debit card is not skimming that information.

Of course, there are many more examples.

• You trust Google to not share information about your searches, or the contents of your GMail account.
• You trust the security that your bank uses for your on-lne banking.
• You trust the validity of the certificates that are checked when accessing secure web sites.

Our society is built upon the expectation of trust. Sometimes people and organizations successfully show that they can be trusted. Othertimes, not.

Back to President Reagan…

There are times when I trust, but verify.

However, there are many more times when I trust, but either choose to not verify, or the risk is so low that it makes to sense to take the time to verify.

Carefully consider which times verification is important. It just might save the day for you sometime.

- Dan