
September 2007 Archives

September 6, 2007

The Security Trickle Down Effect

Sarbanes-Oxley, ISO 27002, GLBA: what do they all have in common? Each contains, at least in part, an information security standard or regulation. In terms of which businesses they apply to, relatively few small or medium-sized businesses are directly required to conform to these or to other standards and regulations. Although it is the upper end of the medium-sized market, and large businesses throughout, that are bound by mandated standards, smaller companies are still being affected, through a trickle-down movement.

The trickle-down effect was originally coined as a marketing term to describe the availability of consumer goods across socioeconomic classes. When a new, highly desired product is put on the market, its initial high price means only those with discretionary cash can afford it. Over time, as the price drops, the product penetrates every market, trickling down to its full reach. Those familiar with Reaganomics will recognise "trickle-down economics" as a common piece of rhetoric: providing more working capital to top-tier businesses is supposed to trickle cash down to the working class. Many other trickle-down models have been explored; one that seems to be in play today is that of information security.

The typical nCircle customer is a multinational, global enterprise or a local, state or federal government agency. These are the entities at which regulations like SOX, FISMA and GLBA are targeted, and the same subset that employs standards such as COBIT and ISO 27002. Each of our customers has lengthy contractual security agreements that every one of their vendors must adhere to; these, in turn, are driven by the regulations and standards the customer is required to meet. nCircle likewise passes the effort on by ensuring that its own vendors employ meaningful security measures. The outcome is a security trickle-down effect.

Selling to these enterprise and federal organizations has altered the way my team addresses security at nCircle. While our strategic and tactical methods for controlling risk met every stipulated requirement, we lacked organized, current documentation. Today our policies, procedures and records are much better kept: we have an official InfoSec team, executive-approved SLAs and up-to-date standard procedural documentation.

What's more interesting are the ways in which our customers' requirements influence nCircle's vendors. Any potential vendor to nCircle must disclose its information security practices to us. We take a graduated approach depending on what information the vendor may have access to: depending on the risk the vendor might pose to us, and likewise to our customers, the third party must answer anywhere between 20 and 100 questions before it is evaluated by the InfoSec team. We are proud to see these vendors step up their own information security practices to meet our requirements.

While it can be hard to look beyond the security breaches at Fortune 500 companies and federal agencies and see that security is moving in a positive direction, the same was said of the Reaganomics era. The actions of our customers, of nCircle and of our vendors in driving information security can, to some degree, be attributed to a trickle-down effect. There is no doubt in my mind that a handful of our vendors would have been left behind if they had not wanted nCircle's business. The technical tools, policies and procedures a company uses to reduce risk are still a valid competitive value-add. Security is getting better, and one driving factor is a trickle-down effect.

September 10, 2007

Free Lunch :: ReCAPTCHA

Product Information


Name: ReCAPTCHA
Website: http://recaptcha.net/
Category: Stopping the Bots
Date: 10-Sep-07

(This is part of a regular series where I discuss free information security products, tools, methodologies, hardware, etc. For a description of this column and to read other Free Lunch menus, check out the category archive)

The onslaught of bots and spammers gave birth to a new tool for telling human from machine. Alan Turing would be proud to see just how much technology we have devised. One such technology is the CAPTCHA: the graphic of distorted text and numbers we must type in order to sign up for a service or post a comment on a blog. ReCAPTCHA uses this technology to solve more than one problem.

On May 24th 2007, Carnegie Mellon announced a new way to improve the transformation of scanned text into digital form. ReCAPTCHA's motto, "Stop Spam. Read Books", describes it best. The idea is simple and elegant. Using the familiar CAPTCHA presentation, it shows the user two words: one whose text is already known and one that OCR failed to read. The user, not knowing which is which, types both. If the user solves the known word correctly, the system accepts the user as human and treats the answer for the unknown word as a probable transcription; once several independent users agree on that word, it is accepted as the digitized text. While scanners and OCR have advanced, there are still cases where humans are needed to turn graphics into text, and ReCAPTCHA is one way to harvest that effort.
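The pairing described above, as an added toy model (not CMU's or reCAPTCHA's code): one control word gates whether the solver counts as human, the unknown word only earns a vote when the control word is right, and a transcription is accepted only when enough solvers agree. The word list, image ids, agreement threshold of 3 and the scenario are constructed for the example; the point it makes that the paragraph does not is that a solver who passes the control word but types junk for the other word still gets through, and that the agreement threshold is what keeps that junk out of the digitized text.

```python
import random
import secrets
from collections import Counter, defaultdict

# Constructed sample data (not CMU's): words the OCR already read reliably serve as the
# control half of a challenge; the "unknown" images have no trusted text yet.
KNOWN_WORDS = {"img_0001": "morning", "img_0002": "vessel", "img_0003": "harbour"}
UNKNOWN_WORDS = ["img_9001", "img_9002"]

# Assumption for this model: an unknown word is accepted once this many solvers agree on it.
AGREEMENT_THRESHOLD = 3


class RecaptchaSimulator:
    """Toy model of the known/unknown word pairing; an illustration, not reCAPTCHA's code."""

    def __init__(self):
        self.pending = {}                   # challenge id -> (known_id, unknown_id, known_first)
        self.votes = defaultdict(Counter)   # unknown image id -> Counter of submitted texts
        self.digitized = {}                 # unknown image id -> accepted transcription

    def issue_challenge(self):
        """Pair one control word with one unknown word in random order; return (id, image order)."""
        known_id = random.choice(list(KNOWN_WORDS))
        unknown_id = random.choice(UNKNOWN_WORDS)
        known_first = secrets.randbelow(2) == 0
        cid = secrets.token_hex(8)
        self.pending[cid] = (known_id, unknown_id, known_first)
        return cid, ((known_id, unknown_id) if known_first else (unknown_id, known_id))

    def submit(self, cid, words):
        """Return True only if the control word is right; the unknown word gets a vote only then."""
        known_id, unknown_id, known_first = self.pending.pop(cid)   # a challenge is single-use
        first, second = (w.strip().lower() for w in words)
        known_answer, unknown_answer = (first, second) if known_first else (second, first)
        if known_answer != KNOWN_WORDS[known_id]:
            return False
        self.votes[unknown_id][unknown_answer] += 1
        text, count = self.votes[unknown_id].most_common(1)[0]
        if count >= AGREEMENT_THRESHOLD:
            self.digitized[unknown_id] = text
        return True


def run_scenario():
    """Constructed scenario: a bot that fails, a solver who passes but submits junk, then honest users."""
    sim = RecaptchaSimulator()
    truth = {"img_9001": "lighthouse", "img_9002": "anchor"}   # what a human reads; unknown to the system

    # A bot that cannot read the control word is rejected and casts no vote.
    cid, order = sim.issue_challenge()
    bot_passed = sim.submit(cid, ["zzzz", "zzzz"])

    # Someone who solves the control word but types junk for the other one still passes as human...
    cid, order = sim.issue_challenge()
    junk_passed = sim.submit(cid, [KNOWN_WORDS.get(i, "xyzzy") for i in order])

    # ...but that single junk vote never reaches the agreement threshold once honest users answer.
    rounds = 0
    while len(sim.digitized) < len(UNKNOWN_WORDS) and rounds < 500:
        cid, order = sim.issue_challenge()
        sim.submit(cid, [KNOWN_WORDS.get(i) or truth[i] for i in order])
        rounds += 1

    return {
        "bot_passed": bot_passed,
        "junk_passed": junk_passed,
        "digitized": dict(sim.digitized),
        "junk_votes": sum(c["xyzzy"] for c in sim.votes.values()),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Note that the challenge id is popped on first use, so a replayed submission fails even if the answer was right the first time; a real deployment needs the same single-use property on the server that holds the challenge state.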

Besides helping the CMU book digitization project, ReCAPTCHA has a technical upside for the site operator: nothing is generated or stored on your server. Many existing CAPTCHA systems require a server-side process to generate the images and store the expected answers. Instead, ReCAPTCHA gives you a key pair: a public key that is embedded in the page and identifies your site to ReCAPTCHA's servers, which serve the challenge images, and a private key that your server uses only when it calls ReCAPTCHA's verification service to check the user's answer. The challenge and its answer are tracked on ReCAPTCHA's side; your server passes the challenge token and the user's response through to the verify call and acts on the result. Note that these keys are shared secrets for identifying and authenticating your site, not public-key cryptography, and the private key must never appear in the HTML.
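The server side of that exchange, as an added example rather than nCircle's blog code or reCAPTCHA's own library: the handler takes the two fields the reCAPTCHA script adds to the form, posts them with the private key to the verify service, and accepts the comment only on a "true" answer. The endpoint, field names and error codes are those of the 2007 reCAPTCHA API this post describes; the key value, challenge token, answer, IP address and the offline stand-in for the verify service are constructed for the example, and the fail-closed handling of a transport error is this example's design choice.

```python
import urllib.parse
import urllib.request

# Endpoint and field names of the original 2007 reCAPTCHA API (the version this post describes).
VERIFY_URL = "http://api-verify.recaptcha.net/verify"
CHALLENGE_FIELD = "recaptcha_challenge_field"   # hidden form field filled in by the reCAPTCHA script
RESPONSE_FIELD = "recaptcha_response_field"     # what the user typed


def http_post(url, fields):
    """Real transport: form-encoded POST, body returned as text. Not used in the offline demo."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data, timeout=10) as resp:
        return resp.read().decode()


def parse_verify_body(body):
    """The verify service answers 'true' on line one, or 'false' followed by an error code on line two."""
    lines = [ln.strip() for ln in body.strip().splitlines()]
    if lines and lines[0] == "true":
        return True, None
    return False, (lines[1] if len(lines) > 1 else "malformed-verify-response")


def verify_recaptcha(private_key, remote_ip, challenge, response, post=http_post):
    """Server-side check. Only the public key was in the HTML; the private key is used here and nowhere else."""
    if not challenge or not response:
        return False, "missing-captcha-fields"        # local reason, not an API error code
    try:
        body = post(VERIFY_URL, {
            "privatekey": private_key,
            "remoteip": remote_ip,
            "challenge": challenge,
            "response": response,
        })
    except Exception:
        return False, "verify-unavailable"           # fail closed: no verification, no human
    return parse_verify_body(body)


def handle_comment(form, remote_ip, private_key, post=http_post):
    """A blog comment handler decides only on the verify call's answer, never on anything the client sent."""
    ok, error = verify_recaptcha(private_key, remote_ip,
                                 form.get(CHALLENGE_FIELD, ""), form.get(RESPONSE_FIELD, ""), post)
    return {"accepted": ok, "reason": error}


# Constructed stand-in for api-verify.recaptcha.net so the example runs offline (values are made up).
GOOD_CHALLENGE, GOOD_ANSWER, DEMO_PRIVATE_KEY = "03AHJ_demo", "morning lighthouse", "EXAMPLE-PRIVATE-KEY"


def fake_verify_post(url, fields):
    if fields["privatekey"] != DEMO_PRIVATE_KEY:
        return "false\ninvalid-site-private-key\n"
    if fields["challenge"] == GOOD_CHALLENGE and fields["response"] == GOOD_ANSWER:
        return "true\n"
    return "false\nincorrect-captcha-sol\n"


if __name__ == "__main__":
    form = {CHALLENGE_FIELD: GOOD_CHALLENGE, RESPONSE_FIELD: GOOD_ANSWER}
    print(handle_comment(form, "203.0.113.5", DEMO_PRIVATE_KEY, post=fake_verify_post))
```

The transport is injectable so the decision logic can be exercised without network access; in production you pass the real `http_post`. Treating an unreachable verify service as a failed check is the conservative choice for a comment form, since the alternative is letting every bot through whenever the service is down.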


Overall, ReCAPTCHA is an interesting implementation of a CAPTCHA system. While its place in your security architecture may not be immediately apparent, consider using it anywhere you want to raise the likelihood that there is a human at the other end of the conversation: it raises the cost of automated signups and comment spam, though it is not an authentication control and should not be treated as one. nCircle recently implemented ReCAPTCHA on our blog and I'd recommend others do the same.
Enjoy the free lunch.

Additional Resources

What is CAPTCHA and how does ReCAPTCHA work

ReCAPTCHA API documentation

ReCAPTCHA and CMU press release


About September 2007

This page contains all entries posted to Sync in September 2007. They are listed from oldest to newest.
