The InfoSec Blog

Confusion over Physical Assets, Information Assets in ISO-27000

Posted by Anton Aylward

I often explain that Information Security focuses on Information Assets.

Some day, on the corporate balance sheet, there will be an entry
which reads, "Information"; for in most cases the information is
more valuable than the hardware which processes it.
   -- Adm. Grace Murray Hopper, USN Ret.

Some people see this as a binary absolute - they think that there's no need to assess the risks to the physical assets, or that somehow this is automatically considered when assessing the risk to information.

The thing is, there are differing types of information and differing types of containers for them.

How much would you give up your laptop for?

Posted by Anton Aylward

http://tech.yahoo.com/blogs/null/154866;_ylt=Av2YyMlmiE8ERpzUwD020zUWLpA5

Remember all those journalists doing the "give your password or a chocolate bar" articles?


Well, this seems a lot more realistic - giving up your laptop.

Not just the hardware, but everything on it!

Frightening!


Politician hit by lost documents

Posted by Anton Aylward

http://www.manchestereveningnews.co.uk/news/s/1109560_burnham_sorry_over_security_blunder

We can all see what went wrong here.

1. He should have gone by car and not the train.
2. He should have had the documents on his laptop
3. The laptop should have been tethered in the trunk of the said car.
4. The documents should have been clearly labelled "*Not* about the F-35"
5. His laptop should have had its patches and AV up to date.

Just one question.

What's with this "hit by"?
That headline is trying to make out that the documents were the guilty - and actively so - party.

Well, perhaps that's not the fault of the journalist; perhaps that's the stance the politician is taking 🙂


Stolen laptop leads to drug bust

Posted by Anton Aylward

I must admit, this isn't quite what I expected when I read the headline. I was expecting the contents of the laptop that had somehow come into the hands of the police or DEA to contain evidence that led to the bust. As it was, the recovery was a result of "phone home" software and the bust was incidental.

Security software built into a stolen laptop computer led police to a
Hoisington residence on Tuesday. Authorities not only found the
computer, but they also uncovered what appears to be a methamphetamine
lab.

So what is the procedure around the 'phone home' software? Does it
contact the police directly? Does the owner notify the 'phone home'
software vendor and they in turn notify the police when they have a trace?

Detective Denton Doze at the Great Bend Police Department said the
$9,000 computer, along with hand tools and power tools, was stolen
during a burglary reported last Friday at the My Town project, 1419 Main
Street.

That must have been quite some laptop!

As of Wednesday evening, the missing tools had not been accounted for.

Well, obviously. They don't have 'phone home' software that runs when they are used.

2006: The Year of the laptop … stolen that is

Posted by Anton Aylward

When did you last secure your laptop?

The last year seems to have been a bumper one for stolen laptops, especially ones stolen from high profile companies and which contain plenty of personal information.

Many of the companies concerned seem to think that having password protection is adequate. Others think that because the laptop was stolen "for the hardware" and not for the information on it, all is OK. A couple think that firing the person who was using the laptop makes everything OK.

"If thieves read the newspaper, they can readily figure out that they have got more than just a piece of hardware."

Well, I don't think so.

Will things change?

At the very least, the publicity has made it clear to thieves that the information on the laptop is more valuable than the hardware. This year, 2007, any thief with any sense will sell the data and throw away the laptop. Perhaps on a rubbish tip - oh, I see one did that 🙂

Here is a summary of some news articles from 2006

Irony

Posted by Anton Aylward

Headline: FTC attorney's laptops stolen
http://www.presstelegram.com/business/ci_3969575

The government agency charged with fighting identity theft said Thursday it had lost two government laptops containing sensitive personal data, the latest in a series of breaches encompassing millions of people.

Can you spell "Irony"?
This goes a bit beyond the bare-faced incompetence that we've grown used to
and come to treat as the new security baseline at the government.

And here's another chunk of Irony:

Many of the people whose data were compromised were being investigated for possible fraud and
identity theft, said Joel Winston, associate director of the FTC's Division of Privacy and Identity Theft Protection.

But what caught my attention in this article was the following:

On Thursday, a House panel was cautioned that credit monitoring alone may not be enough to protect Americans whose names, birth dates and Social Security numbers were compromised at the hands of the government.

During the House hearing Thursday, Mike Cook, a co-founder of a company specializing in data breaches, said identity-theft victims typically don't become aware they've been hurt until six months after their data was stolen, when creditors come calling for money owed.

At that point, it's likely the thieves will have moved on having made just a few purchases so they don't attract notice and started using another victim's information.

As a result, a credit monitoring service would raise a red flag after it was too late, Cook said.

So what's the real use of this credit monitoring that the companies are handing out in the aftermath of privacy failures if it's not going to protect you? "Oh, you've had your bank account emptied, your house sold, and your wife has received a divorce notice. And by the way, your credit is non-existent, but that may be due to computer hackers...."
