jump to navigation

“Trust but Verify”- Insider Threats & Intellectual Property Theft February 20, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.
Tags: , , , , , , , ,
add a comment

According to the US Government, intellectual property theft costs the US approximately $250 billion per year.  Unfortunately, a large and growing percentage of this theft is due to insiders.  The human element of data security is a topic that I have written on numerous times.  This article follows one I wrote in August, 2011 titled: Security 101: The Human Element.

I have worked with a number of large (and small) organizations that were very focused on risk management and information security.  It is always disheartening when you find that the companies focus solely upon external threats and ignore one of the largest threats to their intellectual property; their own employees.  Humans are social creatures.  We make friends and we want to be trusted.  We also believe in our fellow person.  Nobody likes to feel like they are not trusted and consequently, few like to make others feel like they are not trusted.  Unfortunately, where data security and the protection of intellectual property is concerned, companies are well advised to adhere to the old adage: “Trust but Verify”.

With increased responsibility often comes increased authority and increased access to sensitive systems, and information.  Companies often make the mistake of believing that with increased responsibility comes a decrease in the need to monitor activity.  (more…)

With Privacy the Sum May Be Greater than the Parts February 17, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.
Tags: , , , , ,
add a comment

Information Security can be described as the protection of data while privacy is defined as the appropriate use of data.  Volumes of data is collected on all of us every day.  Some of the data we voluntarily provide in exchange for additional benefits and services (airline mile programs, loyalty shopper programs, for example).  Other data we unknowingly provide such as shopping history. Regardless, we expect the custodians of the data to use it appropriately and maintain privacy.  Unfortunately, sometimes company’s pursuit of profits causes them to walk a very fine line as far as privacy is concerned.  The following is an example of where a company arguably violated the tenets of privacy while possibly not violating any laws.

According to a story reported recently, Target figured out a teenage girl was pregnant from her shopping history and inadvertently told her family.  The end result is that 1) Target knew (statistically they are right 90% of the time), and 2) Target, by sending pregnancy related coupons to the girl, informed her family that she was pregnant, without her knowledge or consent.  Here is how it happened. (more…)

Security, Exploits & Vulnerabilities- Security is Never 100% February 16, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.
Tags: , , , , , , , , ,
add a comment

In light of the recent disclosures of breaches of major security technologies and vendors, I felt compelled to write this post.  One of my favorite subjects to debate (and argue over) is security theory in general, and specifically the topics of vulnerabilities & exploits.  They are concepts that are critical in the fields of information security, risk management and other areas of security.  In truth, the concepts extend beyond IS but they are very common in the IS World and easier, in my opinion, to discuss in the context of IS.  So what are exploits & vulnerabilities and why are they important?

First, we need to understand that there is no “guaranteed security” and security can never be 100% as there are always vulnerabilities which can be exploited. We may not have identified them yet, but they do exist.   Given enough time, effort, and the right tools, any security control can be circumvented.  Security should be viewed as a function of time and effort. (this will be discussed below)  Second it is important to understand that the concepts of exploits and vulnerabilities are inextricably entwined and are mutually dependent. This is where the debate begins so first lets get a working definition of the terms. (more…)

“Pick your poison” – Security or Convenience February 15, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.
Tags: , , , , , , ,
3 comments

I have discussed the challenges of security & convenience for some time.  The latest news regarding the 10 year breach of Nortel gave me new fodder for the discussion.

Whether we are discussing information security, physical security, operational security (to name a few) the concepts of security & convenience are diametrically opposed. When we talk of convenience we can include operational efficiency in the discussion.  Consider a companies like Nortel with a large IT infrastructure.  One one side of the discussion is the IT department.  They are constantly hearing about how they need 99.999 uptime and faster systems.  In the payment card industry where transaction times are critical additional latency can be problematic.  They also hear over and over about how someone needs more access to more data.   (more…)

Nortel Network Compromised for a Decade; Chinese Suspected February 14, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy, Risk & Risk Management.
Tags: , , , , , , , ,
1 comment so far

According to MSNBC, Nortel’s network was open to hackers since at least 2000.  It is suspected that the hackers are Chinese.  The data thieves appear to have had nearly “unfettered access” to the network and were able to download: ” “technical papers, research-and-development reports, business plans, employee emails and other documents.”  How did they access the network?  Simple. (more…)