The InfoSec Blog

We’re mobile addicts but we just don’t want new smartphones

Posted by Anton Aylward

For whatever value of "Mobile" is applicable in context, yes.
A lot of what I see is students in the library with their laptops or large tablets/keyboards with paper and books beside them. Perhaps if students had the multi-screen displays like the one in the movie "Swordfish" AND there were more books on-line at low cost and multi-access (which isn't how many libraries work, sadly) then the marketers' dream of students with ebooks rather than a knapsack of books would happen. As it is, with only one viewer, books and papers are still needed.

Confusion over Physical Assets, Information Assets – Part Two

Posted by Anton Aylward

So I need to compile a list of ALL assets, information or otherwise,

That leads to tables and chairs and powerbars.

OK so you can't work without those, but that's not what I meant.

Physical assets are only relevant in so far as they are part of information processing. You should not start from those; you should start from the information and look at how the business processes make use of it. Don't confuse your DR/BC plan with your core ISMS statements. ISO Standard 22301 addresses that.

This is, ultimately, about the business processes.

Confusion over Physical Assets, Information Assets in ISO-27000

Posted by Anton Aylward

I often explain that Information Security focuses on Information Assets.

Some day, on the corporate balance sheet, there will be an entry
which reads, "Information"; for in most cases the information is
more valuable than the hardware which processes it.
   -- Adm. Grace Murray Hopper, USN Ret.

Some people see this as a binary absolute: they think that there's no need to assess the risks to the physical assets, or that somehow this is automatically considered when assessing the risk to information.

The thing is there are differing types of information and differing types of containers for them.

Your Asset is my Consumable

Posted by Anton Aylward

Are these “Top 10” dumb things or not?

Posted by Anton Aylward

At "10 dumb things users do that can mess up their computers" Debra Littlejohn Shinder brings up some interesting common failings. Let's look at her list, because I have a different take.

#1: Plug into the wall without surge protection
#2: Surf the Internet without a firewall
#3: Neglect to run or update antivirus and anti-spyware programs
#4: Install and uninstall lots of programs, especially betas
#5: Keep disks full and fragmented
#6: Open all attachments
#7: Click on everything
#8: Share and share alike
#9: Pick the wrong passwords
#10: Ignore the need for a backup and recovery plan

Well, they seem interesting, but ...
The big "but" gets back to one of my favourite phrases:

Context Is Everything

Very simply, in my own context most of this is meaningless. It may well be in yours as well.

2006: The Year of the laptop … stolen that is

Posted by Anton Aylward

When did you last secure your laptop?

The last year seems to have been a bumper one for stolen laptops, especially ones stolen from high profile companies and which contain plenty of personal information.

Many of the companies concerned seem to think that having password protection is adequate. Others think that because the laptop was stolen "for the hardware" and not for the information on it, all is OK. A couple think that firing the person who was using the laptop makes everything OK.

"If thieves read the newspaper, they can readily figure out that they have got more than just a piece of hardware."

Well, I don't think so.

Will things change?

At the very least, the publicity has made it clear to thieves that the information on the laptop is more valuable than the hardware. This year, 2007, any thief with any sense will sell the data and throw away the laptop. Perhaps on a rubbish tip - oh, I see one did that 🙂

Here is a summary of some news articles from 2006


Posted by Anton Aylward

Headline: FTC attorney's laptops stolen

The government agency charged with fighting identity theft said Thursday it had lost two government laptops containing sensitive personal data, the latest in a series of breaches encompassing millions of people.

Can you spell "Irony"?
This goes a bit beyond the bare-faced incompetence that we've grown used to and come to treat as the new security baseline at the government.

And here's another chunk of Irony:

Many of the people whose data were compromised were being investigated for possible fraud and identity theft, said Joel Winston, associate director of the FTC's Division of Privacy and Identity Theft Protection.

But what caught my attention in this article was the following:

On Thursday, a House panel was cautioned that credit monitoring alone may not be enough to protect Americans whose names, birth dates and Social Security numbers were compromised at the hands of the government.

During the House hearing Thursday, Mike Cook, a co-founder of a company specializing in data breaches, said identity-theft victims typically don't become aware they've been hurt until six months after their data was stolen, when creditors come calling for money owed.

At that point, it's likely the thieves will have moved on having made just a few purchases so they don't attract notice and started using another victim's information.

As a result, a credit monitoring service would raise a red flag after it was too late, Cook said.

So what's the real use of this credit monitoring that the companies are handing out in the aftermath of privacy failures if it's not going to protect you? "Oh, you've had your bank account emptied, your house sold, and your wife has received a divorce notice. And by the way, your credit is non-existent, but that may be due to computer hackers...."
