[Dataloss] Plug the holes in your cone of silence

From: security curmudgeon (jerichoattrition.org)
Date: Wed May 30 2007 - 00:29:35 CDT


Courtesy ISN:

---------- Forwarded message ----------
From: InfoSec News <alertsinfosecnews.org>

http://www.theage.com.au/news/security/plug-the-holes-in-your-cone-of-silence/2007/05/28/1180205158743.html

By Cynthia Karena
May 29, 2007

DATA loss is a significant factor in modern business, dependent as it is
now on electronic systems. And it occurs in many ways, some inadvertent,
some through stupidity and some criminal.

One organisation accidentally puts its sensitive market research report
online before it has been approved; another can't find data that has been
requested by a government department. Others lose laptops, unwittingly
send confidential information in emails, or give contractors too much
access to internal data.

This is lost data and its impact on a business can range from financial
loss, to damage to its reputation, potential loss of customers, or even
imprisonment if there is a breach of corporate governance.

[..]

And then there is the human factor. "Data loss occurs primarily because of
people," says Mr Baar. "Most information loss is through inappropriate
behaviour - someone talking about it in the pub or a lift, for instance.
People could go to a cafe with, say, patient records and leave them
behind."

[..]

"Everybody always underestimates the likelihood of data theft. It is
usually unreported, which (distorts data on occurrences) but given the
choice of attempting to hack an organisation from the outside or getting
inside to its soft centre, you would always take the easiest option.
External hacking is uncommon now, because it is too difficult. It's easier
to find an insider through money or threats," Mr Baar says.

What about disgruntled employees taking information with them when they
leave the company? Mr Lancaster says data needs to be locked down.
Departments should be able to retrieve only their own documents. Finally,
says Mr Walls, organisations should not reveal their security controls to
their own personnel.
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss
Tracking more than 208 million compromised records in 675 incidents over 7 years.