March 31st, 2015


The IT Support/MSP game has changed.  Clients are no longer satisfied with just getting their desktops managed and servers supported.

Almost every industry has customer privacy and security compliance regulations – and clients are looking at us, their IT providers and business confidantes, to help them become and remain compliant.

So what do you need to know about compliance?

First – determine what industry or vertical you will tackle, then dive into it.

In my experience, clients do not want a generalist firm that says we provide HIPAA/HITECH/PCI-DSS/Sarbanes-Oxley/GLBA/SEC Cybersecurity /  [insert acronym here] compliance. More and more, savvy buyers want MSPs that focus on their vertical.

If you’re tackling healthcare, you must deep-dive into HIPAA/HITECH, FTC Health Breach, State Records Retention, SEC Cybersecurity guidance and State Privacy Laws.  If medium-to-large retailers ($10M-$4B) are your targets, then a thorough understanding of PCI-DSS and State Privacy Breach Laws is required.  If banking and finance is your focus, then GLBA, SOX-404, State Privacy Breach, FINRA regulations, PATRIOT ACT and FFIEC compliance knowledge is a must.

Underpinning all these regulations, standards and statutes are 3 simple truths:

  1. Every regulation or standard requires good, tested, verifiable backups
  2. Use of strong passwords and tested security configurations is a must
  3. Encrypting data in-motion and data-at-rest is a very, very good idea.

As you start your journey towards becoming a compliance-oriented MSP, I can offer you a few resources for HIPAA/HITECH, PCI-DSS, SEC Cybersecurity and PRIVACY LAW compliance.

HIPAA/HITECH Compliance: Email me and request the

  • HIPAA Compliance Checklist
  • Articles and newsletters regarding trends in HIPAA enforcement and compliance


  • Overview of the state privacy breach laws
  • Trends in Financial Crimes
  • Lessons Learned from Superstorm Sandy

SEC Cybersecurity Compliance

  • Overview of SEC Requirements
  • Trends in Financial Crimes
  • Lessons Learned from Superstorm Sandy
  • Challenges endemic to the financial sector

As always, if you have questions regarding security, privacy or compliance, feel free to contact me at

Latest articles, blog posts, presentations and webinars are available at

Come meet Raj in person and hear him present on “What MSPs Need to Know About Compliance” at the Datto Partner Conference.

Topic Articles, Events, News
November 16th, 2014

Raj Goel, CISSP
Raj Goel 
Security & Compliance Consulting Practice

Raj’s LinkedIn profile

This article was originally published in INFOSECURITY PROFESSIONAL Magazine July/August 2014 issue.
To read full article, click here: INFOSECURITY PROFESSIONAL Magazine July/August 2014

Magazine article says parents destroying infant privacy at birth


Noted Internet security expert Raj Goel said well-meaning parents are ruining any privacy their children may have, starting at birth. He reports on this in the August-September edition of InfoSecurity Magazine in the article “Life Of A Child (2014).”


Mr. Goel is not referring to children at risk of dropping out of school, rather, children at risk of having someone steal their identity and create lifelong problems with that. He points out a set of very basic information is all that’s needed to impersonate someone online or over the phone:


  • Mother’s maiden name
  • Date of birth
  • City of birth
  • Name
  • Phone


“The problem is this is what people consider to be basic information when making a birth announcement. People look at this as sharing information,” he said. “New parents are justifiably proud about a new baby and they want to share the good news. Unfortunately, these well-meaning and well-intended parents are setting their children up for a lifetime of stolen identity problems.”


Mr. Goel said this is not limited to online and social media. He said parents often turn in birth announcements to the original social media, newspapers. Identity thieves are known to scour newspapers for birth announcements and obituaries. They harvest this information and set up fraudulent accounts based on the name and information gathered.


“We are happy to join you in celebrating the birth of a child, but please, be careful about what information you choose to share,” Mr. Goel said.


Schools are also a major risk. He writes of a technology called InBloom. In short, it collates student data and then makes that data available for purchase by private companies.


“The technology, which as of last year was adopted in nine states, creates a centralized database where student records, from attendance to disciplinary to special needs, are stored,” he wrote. “Civil rights groups took immediate legal action to try and prevent the practice of disseminating student data—a practice that also had been taking place in Colorado, Delaware, Georgia, Illinois, Kentucky, North Carolina, Massachusetts, and Louisiana by the time the New York uproar began.”




Raj Goel is a well-known IT Expert, Author, Keynote Conference Speaker, TV Guru, HIPAA, PCI, SEC Compliance expert and Cyber Civil Rights Advocate. He regularly gives presentations around the world at the leading global conferences. For more information about Mr. Goel and his work, please visit

April 29th, 2014

"And finally, I’m actually here today to win the ‘Most Creative Use of Tor’ award," she said, followed by roars of laughter in the audience. "I really couldn’t have done it without Tor, because Tor was really the only way to manage totally untraceable browsing. I know it’s gotten a bad reputation for Bitcoin trading and buying drugs online, but I used it for"

Genius, right? But not exactly foolproof. Vertesi said that by dodging advertising and traditional forms of consumerism, her activity raised a lot of red flags. When her husband tried to buy $500 worth of Amazon gift cards with cash in order to get a stroller, a notice at the Rite Aid counter said the company had a legal obligation to report excessive transactions to the authorities.

"Those kinds of activities, when you take them in the aggregate … are exactly the kinds of things that tag you as likely engaging in criminal activity, as opposed to just having a baby," she said.

Vertesi said we need to be more aware of the information we give our servers voluntarily, and wondered if a time will ever come when we can opt out of giving personal information to the Internet.

via How One Woman Hid Her Pregnancy From Big Data.

Topic News
April 28th, 2014

…and here’s what a brand knows when you login via facebook

What Facebook Sells About You To Corporations, Governments, etc.

via Twitter / TheBakeryLDN: …and here’s what a brand ….

Topic CISSP, News
April 28th, 2014

Seems like the NSA has competition (or is that a friendly rivalry)?


Russian law gives Russia’s security service, the FSB, the authority to use SORM (“System for Operative Investigative Activities”) to collect, analyze and store all data that is transmitted or received on Russian networks, including calls, email, website visits and credit card transactions.

SORM has been in use since 1990 and collects both metadata and content.

SORM-1 collects mobile and landline telephone calls.

SORM-2 collects internet traffic.

SORM-3 collects from all media including Wi-Fi and social networks and stores data for three years.

Russian law requires all internet service providers to install an FSB monitoring device called “Punkt Upravlenia” on their networks that allows the direct collection of traffic without the knowledge or cooperation of the service provider. The providers must pay for the device and the cost of installation.

Collection requires a court order, but these are secret and not shown to the service provider. According to the data published by Russia’s Supreme Court, almost 540,000 intercepts of phone and internet traffic were authorized in 2012. While the FSB is the principal agency responsible for communications surveillance, seven other Russian security agencies can have access to SORM data on demand.

SORM is routinely used against political opponents and human rights activists to monitor them and to collect information to use against them in “dirty tricks” campaigns. Russian courts have upheld the FSB’s authority to surveil political opponents even if they have committed no crime.

Russia used SORM during the Olympics to monitor athletes, coaches, journalists, spectators, and the Olympic Committee, publicly explaining this was necessary to protect against terrorism. The system was an improved version of SORM that can combine video surveillance with communications intercepts.

via Schneier on Security: Info on Russian Bulk Surveillance.

Topic Articles, CISSP, News
February 5th, 2014

Article by Raj Goel

I read a moving article on about modern day slavery in Mauritania (see ).

Yes, slavery still exists and 10-20% of the Mauritanian population is currently enslaved. What really hit me hard is that unlike traditional slavery involving chains and physical restraints, modern slavery is primarily mental. The hereditary slaves are born as slaves; they live in villages that have ceremonial fences. Anyone can walk away or run away, and yet very few do. They are so enmeshed in the culture that the thought of walking away doesn’t occur to them.

To quote from the article:

Fences that surround these circular villages are often made of long twigs, stuck vertically into the ground so that they look like the horns of enormous bulls submerged in the sand.
Nothing ties these skeletal posts together. Nothing stops people from running.
But they rarely do.

And a similar form of mental servitude exists in (anti-) social media today. This month, the world celebrates the 10th anniversary of Facebook. What we’re really celebrating is 10 years of ceaseless onslaught against freedom of speech, freedom of thought and freedom against self-incrimination – also known as the 1st, 4th and 5th amendments of the US constitution.

You could say that I am being hyperbolic in my characterization of Facebook as digital slavery, or that I’m taking poetic license and it’s not really fair to those who suffered, and still suffer, from the shackles of physical and financial servitude. Fair enough.

That said, let’s consider that in traditional slavery, the slave owner claimed ownership over the physical bodies and the output of physical labor from their slaves. Slaves grew cotton and sugarcane, raised cattle, etc., and the masters took control of it.

In the modern era, our wealth isn’t generated from our sinews. We don’t break our backs toiling in the fields. Our wealth is intellectual in nature, digital in its form and that is being acquired for free by the lords of the internet.

  • Facebook claims perpetual ownership on your posts, likes, dislikes, photos.
  • Twitter claims perpetual ownership of your tweets, thoughts and stupidities.
  • Instagram, Flickr, etc claim perpetual license on your images.

As Attorney Craig Delsack notes

You grant the social media sites a license to use your photograph any way they see fit for free AND you grant them the right to let others use your picture as well! This means that not only can Twitter, Twitpic and Facebook make money from the photograph or video (otherwise, a copyright violation), but these sites are making commercial gain by licensing these images, which contain the likeness of the person in the photo or video (otherwise, a violation of their “rights of publicity”).

Amazon controls what you get to read, and has deleted books from kindles remotely. Fittingly enough, the 1st book Amazon stole back from a paying customer was 1984.

Apple claims similar rights on your iPhones, iPads, iTunes and has given itself the right to remotely block or uninstall books, movies, songs, etc.

So what exactly are you buying when you “buy” eBooks from Amazon or Apple? What are you “buying” when you buy songs from Apple, Amazon, and Google? You’re “buying” the temporary right to read that book, watch that movie or listen to that song until the overlords decide that you’ve somehow violated their rights by travelling to a foreign country, visited wrong parts of the internet, etc. And any of these are grounds for them to delete content without reimbursement.

And how does Facebook fit into all of this?

In the 1970s and 1980s, we protested against the Communists and held up East German Stasi as particularly pernicious. At the height of its power, an estimated 10% of the East German population spied on their neighbors.

Today, approximately 128 Million Americans use Facebook. Every like, dislike, comment is private property of Facebook to be bought and sold like a commodity. Your thoughts, pictures, family photos and privacy are a good sold on the open market.

And what does Facebook provide to its real customers – the corporations and governments?


And that’s just a start…there’s much more that Facebook retains, and makes available to foreign governments.

I hear you. I hear your complaints. Without Facebook, how will you have a social life? How will you go out on dates? Or keep track of family get togethers? Without Facebook, how will you share the family photos?

Scholars find many similarities between modern Mauritanian slavery and that in the United States before the Civil War of the 1800s. But one fundamental difference is this: Slaves in this African nation usually are not held by physical restraints.

Just like the Mauritanian slaves who are held on farms, not by physical shackles, but cultural and mental ones that keep them enslaved. Even though all they have to do is walk away.

No violence, no guns, just put one foot in front of the other.

Will you raise your kids as digital slaves? Or will you walk away…one mouse click at a time?

4th Amendment issues –
1st Amendment Issues –
5th Amendment Issues –
1st, 4th, 5th Amendment issues –
Copyright and IP Ownership –
Amazon erases 1984 from Kindle –

Further Reading:

Topic Articles
January 22nd, 2014

Welcome to the Panopticon.  Or surveillance circle-jerk.

With apologies to Tom Lehrer,

Global Surveillance Week!

Chinese spy on the Japanese
Russians Spy on the Chinese
Indians Spy on the Pakistanis
Aussies spy on the Kiwis
North Koreans spy on Dennis Rodman

The NSA spies on everyone
And EVERYONE spies on the Americans


A new security report confirms that Chinese hackers spied on The New York Times in 2012, as well as attendees of the G20 Summit in St. Petersburg last fall. Iranian hackers spied on dissidents in the lead up to state elections last May. The Syrian Electronic Army is only getting better, and North Korean hackers were behind a destructive cyberattack that wiped data from South Korean banks last year.

via New Security Report Confirms Everyone Is Spying on Everyone –

Topic News
September 21st, 2013

Below is an excerpt from the Keynote presentation I delivered at GBATA 2013 in Helsinki, Finland. It is based upon my “A Global Overview of Trends in Personal, Corporate and Government Surveillance” presentation. This article also appeared in the Homeland Security Newswire.

Those who ask you to choose SECURITY OR PRIVACY and those who VOTE on SECURITY OR PRIVACY are making false choices. That’s like asking AIR OR WATER — which do you choose? You need BOTH to live.

Maslow placed SAFETY (of which security is a subset) as 2nd only to food, water, sex and sleep. As humans we CRAVE safety.

As individuals and societies, BEFORE we answer the question “SECURITY OR PRIVACY”, we first have to ask “SECURITY FROM WHOM and WHAT?” and “PRIVACY FROM WHOM AND FOR WHO”?

Until 1215, every Prince, King, Emperor and Conqueror thought he had divine right and was either a god or a manifestation of god. The MAGNA CARTA, for the 1st time in recorded human history, stripped Kings and Emperors of their divine right. WHY? Because the nobility had had enough of the incompetencies and cruelties of the ruling monarch. In 1628, Sir Edward Coke established in English Common Law that “A man’s home is his castle.” In 1791, the US Bill of Rights gave us the 4th amendment: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

Each of these articles gave us, the citizens, the commoners, rights that were hard-fought by a small band of revolutionaries.

Franklin, Jefferson, Washington, Madison, Adams and countless others bled so that the masses could watch “Keeping up with the Kardashians” today.

Today, every techno-geek with classified access, every sysadmin, every spymaster and bureaucrat in the information acquisition, analysis and marketing machine presumes that he/she is god.

The internet has become a tool of the despots – and EVERY country and EVERY corporation is becoming THE STASI.

During the cold war, the US & the west demonized the USSR and the communists for denying their subjects/citizens property rights; freedom of speech; freedom of thought; freedom of religion.

Today, the US, UK, AU, NZ, China, Russia, India – every nation spies on its citizens. They all do it in the name of SECURITY and protecting the citizenry from terrorists. I don’t recall the US constitution or ANY other government’s charter requiring it to guarantee its citizens 100% safety or 100% security. Defense of the common good – yes. Decent infrastructure – yes.

Freedom from crime and terrorism is possible…but only if you live in a jail cell.

Privacy of thought is a basic HUMAN right.

We prided ourselves in the west on fighting for dissidents such as Solzhenitsyn & Sakharov. We even gave some of them Nobel peace prizes and visas to the West. Today, the US government (and others around the world) jail more dissidents, whistleblowers and freedom fighters than ever before. And corporations such as Amazon, Apple, Google, Adobe, SONY, Disney, etc. deny us basic property rights by “licensing” software and media to us.

Today, every elected politician, president, senator, prime minister and king, sees honest dissent as subversive.

Before you answer the question “SECURITY OR PRIVACY”, ask yourself the question – from whom; for who and for how long.

When Vladimir Putin praises PRISM and the NSA, then I think we have a problem. When Steve Wozniak points out the similarities between our lack of rights in cloud and the communists, I think we have a problem.

In every generation, a new King John, a new Khrushchev and a new Solzhenitsyn is born. It’s OUR job as citizens to DEFEND the rights given to us by our respective constitutions and DEMAND that they be conferred on our WEAKEST citizens, not just the strongest or the wealthiest.

Feel free to have a reasonable (or unreasonable, as long as good beer or bourbon are involved) debate with me at ASIS59 in Chicago or wherever you catch me next – Hague, Helsinki, Washington DC, Chicago, Curacao, New Zealand – I will be bringing my opinions and research to a conference near you :-D

Topic Articles, CISSP
August 17th, 2013

Here’s another excellent reason to NEVER buy digital content from iTunes, Google Play or Kindle.

Cross the border, lose your content…

Jim O’Donnell was at a library conference in Singapore when his iPad’s Google Play app asked him to update it. This was the app through which he had bought 30 to 40 ebooks, and after the app had updated, it started to re-download them. However, Singapore is not one of the countries where the Google Play bookstore is active, so it stopped downloading and told him he was no longer entitled to his books.

via Cross a border, lose your ebooks – Boing Boing.

Topic News
August 17th, 2013

Charlie Stross (an awesome writer) wrote an excellent piece on what life will be like for England’s future monarch.

This kid is going to live in the panopticon – maybe Will & Kate should watch this video with him and maybe this


This prince is going to find things a little different because he’s going to be the first designated future British monarch to grow up in a hothouse panopticon, with ubiquitous surveillance and life-logging …

I expect there to be Facebook account-hacking attacks on his friends, teachers, and associates—and that’s just in the near term. He’s going to be the first royal in the line of succession to grow up with the internet: his father, Prince William, was born in 1982 and, judging by his A-level coursework, is unlikely to have had much to do with computer networking in the late 1990s. This kid is going to grow up surrounded by smartphones, smart glasses (think in terms of the ten-years-hence descendants of Google Glass), and everything he does in public can be expected to go viral despite the best efforts of the House of Windsor’s spin doctors.

via Monarchy versus the Panopticon – Charlie’s Diary.

Topic News