In February of 2005, ChoicePoint, an Atlanta-based
company that provides consumer data services to insurance
companies, government agencies, and other businesses, announced
that unidentified individuals had accessed its database. Posing as
legitimate businesspeople, the scammers gained access to tens of
thousands of consumers’ personal information, including social
security numbers and credit reports.

This security incident, the latest in a long
line of similar occurrences, got me thinking: Sometimes asking the
right questions is more important than getting the right answers.
Of course, for those directly affected by this breach, that’s
really neither here nor there. (Roughly 750 individual cases of
identity theft have emerged due to this incident.)

But for the rest of us, for whom a similar
breach is all too possible, it’s something to think about.
Sometimes the mere exercise of questioning how someone might
exploit a system–no matter how dubious or obscure the method–can
help prevent it from actually happening. This type of brainstorming
can expose weaknesses that the company needs to address.

Secure computing today depends on so many more
factors than just taking care of your organization’s own security.
And that means companies can’t just base their entire security
strategy on depending on Windows Update and antivirus signatures to
do their jobs.

Internet security is about more than installing
a firewall, disabling cookies, running anti-spyware software, and
not opening e-mail attachments from people you don’t know. It also
means knowing when other people aren’t doing these things–and
doing something about it. And that requires becoming actively
involved not only with keeping software secured and updated, but
recognizing and understanding Internet security trends as a
whole.

It’s become apparent to me that ChoicePoint
wasn’t asking the right questions about its Internet
security–particularly since confidential consumer information is
this company’s bread and butter. Large, centralized databases
represent one of the biggest threats of Internet security. These
online databases of personal information are excellent targets for
predators because they provide the most access to information with
the least amount of work.

And as such a large information broker,
ChoicePoint should have recognized–and tried to prepare for–this
threat. Unfortunately, too many companies, lacking a real
understanding of Internet security, depend too much on the claims
and opinions of others without delving too much into researching
security.

Of course, Internet security is a vast,
complicated topic. It involves so many aspects that it’s impossible
for anyone to know all the answers. And yes, that includes me.
While I try to be as accurate as possible and offer helpful
information about Internet security, I don’t have all the
answers–no one does. But again, sometimes it’s better to ask the
questions.

I receive a lot of feedback from readers about
this newsletter, and I read every message. And of course, not
everyone agrees with my take on Internet security. But that doesn’t
bother me; I appreciate all of the feedback–good and bad.

I’d much rather provoke readers to ask more
questions about their own organization’s security. Companies are
the best source of insight into their own security. In my opinion,
it’s vital that we continue to question any and all methods and
devices designed to improve computer security because someone else
is already out there questioning how to defeat it.

Want more advice for locking down your network? Stay on top of the latest security issues and industry trends by automatically signing up for our free Internet Security Focus newsletter, delivered each Monday!