Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: [Dataloss] Identity Theft protection changes needed
From: George Toft (georgemyitaz.com)
Date: Tue Jul 11 2006 - 10:33:51 CDT
Our business is focusing on a vertical that is clearly governed by
Gramm-Leach-Bliley. Their professional journal carried 49 articles on
the applicability of GLBA since 2001, yet in 1600+ telephonic
conversations with members of this industry, the majority of the
business owners have never heard of GLBA. The FTC calls out their
business as being regulated. 16 CFR states they are regulated, yet they
don't know about it.
So where am I going with this?
In our research to discover why we are getting little results in our
marketing, we stumbled across two pieces of wisdom:
1. It's hard to convince someone to spend money on something they don't
2. The human mind is built to react, not proact.
In our case, we are trying to help these businesses stay out of the
[near] daily security breach headlines, yet the business owners do not
understand why security is important. "That will never happen to me."
Regarding the human mind, I think that we - as security people - are
mis-wired. We think proactively - that's why we proactively secure our
systems (to the maximum extent allowed by the budget). And it is hard
for us to understand why the rest of the world can't see the freight
train about to hit them.
I have been tasked with presenting a webinar to the senior management of
a medium-sized company that is still running Windows NT on all their
servers. (By now, most readers are probably gasping in shock.) The IT
Director understand the problem, but senior management's mindset is
"It's not broken, so why fix it?"
So what it comes down to is that senior managers do not think
proactively. They are focused on revenue generation, not asset
protection, and surely not security. This point is supported in a
(http://www.eweek.com/article2/0%2C1895%2C1979919%2C00.asp). They will
react when it hits them in the balance sheet, but by then the damage is
Proactive thought is neither taught nor practiced in college as shown by
the trend in data loss (1/3 of victims are universities). In my own
studies - undergraduate and graduate - we were taught to solve problems,
not prevent them. (My policies class came close - we were taught to
look at the failings of others and develop policies to protect the
business.) The root cause of the problem lies squarely in our education
system. Unfortunately, it takes years to move that industry, so the
problem will continue for quite some time.
George Toft, CISSP, MSIS
My IT Department
Confidential data protection experts for the financial industry.
Al Mac wrote:
> In security breach news we are seeing the same scenario played out again
> and again, with different enterprises doing the same stuff that leads to
> disaster. How come no one seems to be learning by example to avoid being
> the next story in the news? I have my theories on this, but in this
> article, IDG News Services asked leaders of three security businesses to
> give their theories on this.
> * People do what is easy and convenient and don't give much thought to the
> * Many people do not get insurance until something happens to a neighbor,
> or they see problem in news, and realize they need insurance against that
> * Security is a balance between other management priorities, in which
> several are more important than security
> * There has been a conceptual shift in recent years. It used to be that
> companies trusted employees, gave them reasons for that trust, but now job
> security is threatened by off-shoring, unions have been busted, and
> Sarbanes Oxley is re-establishing separation of duties
> ** but none of that is why we have all these new laws saying no one can be
> trusted ... here's why
> http://wallstreetfollies.com/ scroll to the bottom and blow it up
> * there's a lot of traffic that goes over the Internet in the clear
> * you can't tell from a web ad if there is something malicious going on
> My theories have to do with the notion that security breaches have been
> occurring since the dawn of computer history, and we are now only hearing
> about those associated with geographies where there is a legal obligation
> to report them. Let's suppose you work in a company that has existed for
> 100 years, had computers for 50 years, have had 20 security breaches and
> survived them all. The fact that your company is now obligated to
> publicize breaches means that it does not dawn on anyone what the PR
> consequences of that are until after the first publicized breach.
> There are laws that are not enforced. We can go to any electronics store
> and buy the where with all to tap into cell phone and other radio
> traffic. Totally illegal, but have you ever heard of anyone being arrested
> for it?. Do you know what a police scanner is? People who like to listen
> to police radio calls for their entertainment. You can also listen to taxi
> service and other outfits. Some parts of the electromagnetic spectrum are
> reserved for special kinds of traffic, like pagers. I hear tell there's
> all kinds of interesting stuff for snoops.
> Companies with wireless not locked down. Several breaches have involved
> someone with laptop in their parking lot.
> People get some kind of communication service and assume there is zero risk
> of it being tapped, hacked, or what have you.
> Al Mac AKA Alister Wm. Macintyre
> Dataloss Mailing List (datalossattrition.org)
Dataloss Mailing List (datalossattrition.org)