Security Profession blog
Comment and discussion about the security industry of interest to the security professional. Blogs will be submitted by (ISC)2's management team and Advisory Board members.
Thursday 28 August 2008, 2:33 PM
Customer data found on eBay server highlights people as weak link
The recent news about customer details being retrieved from a server sold on eBay is yet another story about the sorry state of information security in the electronic age (see: http://news.zdnet.co.uk/security/0,1000000189,39465455,00.htm). What is important here is not the actors' names, but how it happened, what the response was and how security procedures could be improved in the future.
There are two basic things at play here. First, people and organisations continue to be, for the most part, reactive when it comes to security. Secondly, they continue to concentrate on technological measures, when the weakest link is still the people.
So, the answer to this should have been not "can we have our server back, please" or "we take security seriously here", but to immediately set up a team composed of both business and technical people to establish exactly how this happened. It would also be good if the actors got together and communicated that they are doing this. Communication is very important in any security event!
The servers sold on eBay could have had their hard disk drives (HDDs) wiped or reformatted, and that would have been good practice. However, reformatting alone may not have been enough: a reformat rewrites the file-system tables but leaves the underlying data blocks in place, so someone could still have recovered the data with a bit more effort. In military applications, there are special programs that overwrite every sector of the HDD a certain number of times, to make data retrieval by a determined attacker impractical. Then there is also the option to physically destroy the hard disk if the data on it and the risks to it warrant it. Whichever method is chosen, the wipe should be verified against the raw device, not just the file system, before the hardware leaves the organisation's control.
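As an added illustration, not part of the original post, the following Python script models the difference between reformatting and overwriting on a small constructed "disk" image: a quick format rewrites only the region standing in for the file-system tables, so a raw scan of the bytes (file carving) still finds the customer record, whereas a full multi-pass overwrite of every block does not. The record, the image layout and the sizes are constructed for the example. On a real drive the equivalent is `shred` or `dd` run over the whole block device (not a mounted file system), or the drive's own secure-erase command; for flash/SSD storage, overwriting is unreliable because of wear levelling, and NIST SP 800-88 guidance prefers the drive's sanitise command, or destroying the key of a fully encrypted disk.

```python
import os
import secrets
import tempfile

# Constructed layout: the first 4 KiB stand in for the file-system tables,
# the rest is the data region. This is a model, not a real file system.
METADATA_BYTES = 4096
IMAGE_SIZE = 64 * 1024
RECORD_OFFSET = METADATA_BYTES + 8192

# Constructed sample record, standing in for the customer data in the story.
SAMPLE_RECORD = b"CUST-0001,Jane Example,jane@example.invalid,card-ending-4242\n"


def build_image(path):
    """Write a small disk image with one customer record in the data region."""
    with open(path, "wb") as f:
        f.write(b"\x00" * RECORD_OFFSET)
        f.write(SAMPLE_RECORD)
        f.write(b"\x00" * (IMAGE_SIZE - RECORD_OFFSET - len(SAMPLE_RECORD)))


def quick_format(path):
    """Model a reformat: only the metadata region is rewritten.
    The data blocks holding the record are not touched at all."""
    with open(path, "r+b") as f:
        f.seek(0)
        f.write(b"\x00" * METADATA_BYTES)


def carve(path, needle):
    """File carving: scan the raw bytes for the record, ignoring any
    file-system state. Returns the byte offset, or -1 if not present."""
    with open(path, "rb") as f:
        return f.read().find(needle)


def overwrite(path, passes=3, chunk_size=65536):
    """Multi-pass overwrite of the whole image (zeros, ones, random, repeating),
    flushed to storage after each pass. Returns the number of passes done."""
    size = os.path.getsize(path)
    patterns = [b"\x00", b"\xff", None]  # None means a random pass
    with open(path, "r+b") as f:
        for i in range(passes):
            pattern = patterns[i % len(patterns)]
            f.seek(0)
            remaining = size
            while remaining:
                n = min(remaining, chunk_size)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return passes


def demo(path=None):
    """Run the three stages and return the carve result after each:
    (fresh image, after quick format, after full overwrite)."""
    tmp = None
    if path is None:
        tmp = tempfile.NamedTemporaryFile(delete=False)
        tmp.close()
        path = tmp.name
    try:
        build_image(path)
        before = carve(path, SAMPLE_RECORD)
        quick_format(path)
        after_format = carve(path, SAMPLE_RECORD)
        overwrite(path, passes=3)
        after_wipe = carve(path, SAMPLE_RECORD)
        return before, after_format, after_wipe
    finally:
        if tmp is not None:
            os.unlink(path)


if __name__ == "__main__":
    before, after_format, after_wipe = demo()
    print("record offset on fresh image :", before)
    print("record offset after reformat  :", after_format)   # still recoverable
    print("record offset after overwrite :", after_wipe)     # -1: gone
```

The point of the demo is the middle value: after the "format" the record is found at exactly the same offset as before, which is what the recovery in the news story relied on. Only the overwrite pass, which touches every block rather than the tables that describe them, makes the carve fail.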
A very important thing to look at is this: had the people involved with this server, throughout its life, been adequately trained? Were they aware of the value that this type of information could have? Were the risks related to this type of data properly assessed? Were the mitigation measures commensurate with the risks?
These are the questions we, as information security professionals, need to ask. Before computers existed, any employee leaving a firm and wanting to take client information with them to a competitor would have had to photocopy paper files after work. Now, with IT at their disposal, the same action is possible within just a few minutes using a USB stick. The power of modern IT creates this terrible asymmetry, which means that the people and the process are as important as the technological measures, in any security incident as well as in daily company operations.
In brief: look at security holistically and create security measures commensurate with the risk, for each type of data and technology used for a certain business purpose. Train people, review and enforce good processes and practices. Let's take the right approach to ensure that such incidents are a thing of the past and no headlines need to be written about them.
Ionut Ionescu, CISSP, CISM, GSEC, Member of (ISC)2’s European Advisory Board and EMEA director of security services for Nortel Global Services