[Dataloss] Identity Theft protection changes needed

Al Mac macwheel99 at sigecom.net
Tue Jul 11 01:07:18 EDT 2006


In security breach news we are seeing the same scenario played out again 
and again, with different enterprises doing the same stuff that leads to 
disaster.  How come no one seems to be learning by example to avoid being 
the next story in the news?  I have my theories on this, but in this 
article, IDG News Services asked leaders of three security businesses to 
give their theories on this.

* People do what is easy and convenient and don't give much thought to the 
consequences.
* Many people do not get insurance until something happens to a neighbor, 
or they see a problem in the news, and realize they need insurance against that
* Security is a balance between other management priorities, in which 
several are more important than security
* There has been a conceptual shift in recent years.  It used to be that 
companies trusted employees, gave them reasons for that trust, but now job 
security is threatened by off-shoring, unions have been busted, and 
Sarbanes-Oxley is re-establishing separation of duties
** but none of that is why we have all these new laws saying no one can be 
trusted ... here's why
http://wallstreetfollies.com/ scroll to the bottom and blow it up 
http://wallstreetfollies.com/diagrams.htm
* there's a lot of traffic that goes over the Internet in the clear
* you can't tell from a web ad if there is something malicious going on

My theories have to do with the notion that security breaches have been 
occurring since the dawn of computer history, and we are now only hearing 
about those associated with geographies where there is a legal obligation 
to report them.  Let's suppose you work in a company that has existed for 
100 years, had computers for 50 years, has had 20 security breaches and 
survived them all.  The fact that your company is now obligated to 
publicize breaches means that it does not dawn on anyone what the PR 
consequences of that are until after the first publicized breach.

There are laws that are not enforced.  We can go to any electronics store 
and buy the wherewithal to tap into cell phone and other radio 
traffic.  Totally illegal, but have you ever heard of anyone being arrested 
for it?  Do you know what a police scanner is?  People who like to listen 
to police radio calls for their entertainment.  You can also listen to taxi 
service and other outfits.  Some parts of the electromagnetic spectrum are 
reserved for special kinds of traffic, like pagers.  I hear tell there's 
all kinds of interesting stuff for snoops.

Companies with wireless not locked down.  Several breaches have involved 
someone with laptop in their parking lot.

People get some kind of communication service and assume there is zero risk 
of it being tapped, hacked, or what have you.

http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=cybercrime_hacking&articleId=9001672&taxonomyId=82

-
Al Mac AKA Alister Wm. Macintyre



