General discussion

  • Creator
    Topic
  • #2176663

    Is Internet security more about asking questions than finding answers?

    Locked

    by debate ·

    Do you agree with Jonathan Yarden that it’s sometimes more important to ask the right questions about security than it is to find the answers? Does your organization follow this philosophy, or does it assume the security precautions in place are sufficient? Share your comments about the importance of questioning your organization’s security strategy, as discussed in the March 7 Internet Security Focus newsletter.

    If you haven’t subscribed to our free Internet Security Focus newsletter, sign up today! Click this link to subscribe automatically:
    http://nl.com.com/MiniFormHandler?brand=techrepublic&list_id=e044

All Comments

  • Author
    Replies
    • #3329689

      yup.

      by jaqui ·

      In reply to Is Internet security more about asking questions than finding answers?

      if the questions aren’t asked, then there is not security.

      you have to question the security level of any system that is connected to another.
      doesn’t matter how well the question is answered, just by asking and checking you find holes and fix them.

    • #3329504

      Questions are a must

      by bbaltas ·

      In reply to Is Internet security more about asking questions than finding answers?

      The number of security holes that are discovered on a daily basis require that questions be asked. Anyone who has the job title of security officer has to ask questions and getting answers to these on a regular basis.

    • #3328735

      20 questions?

      by david_heath ·

      In reply to Is Internet security more about asking questions than finding answers?

      Anyone can ask questions… it often takes a very smart person to answer the questions of the silliest questioner.

      But also, the smartest people often ask the toughest questions.

      The more you understand security, the tougher you can quiz the practitioners.

    • #3328713

      It’s also about people interaction

      by jaygee21 ·

      In reply to Is Internet security more about asking questions than finding answers?

      All large services such as this one now rely totalling on “hands off” interaction with their clients. As an example have you TRIED to call your bank lately? For security purposes for companies such as those that sell id information and other secure information; it should be mandatory to talk with a live person first before issuing clearance. That is where asking the right questions would be done. If you have ever connected with one of these information houses you will be directed to fill out their on line form. That’s it.. your connected.

      Perhaps we trust too much that what is stated is fact.

      • #3328710

        when they call you…

        by david_heath ·

        In reply to It’s also about people interaction

        what amuses me most is when a bank or Govt department calls me… first thing is they want be to prove who *I* am.

        Hang on, *you* called me, how do I know who *you* are??? There’s no way I’m going to prove my credentials to someone *claiming* to be from XYZ organisation.

        then I hang up.

    • #3342245

      The ONLY answer

      by answerman ·

      In reply to Is Internet security more about asking questions than finding answers?

      The only answer is “thumbprint verification” or “retina scan” verification….. Unless someone hacks the authorized individuals digit off, well then…. that’s a movie of the week, isn’t it?

      • #3342002

        nobody uses retina scan

        by david_heath ·

        In reply to The ONLY answer

        Hopefully you mean iris recognition, because I don’t know of any widely deployed retina projects. Also, there is no ‘scanning’ involved. The iris recognition system simply grabs a phto of the front of the eye.

        Also, most fingerprint systems have a variety of liveness tests built in. A severed finger generally won’t work.

        Regarding movies, watch closely – it’s only the A-grade stars (Tom, Arnie etc ) who can defeat the biometric system, everyone else is forced to use t properly – doesn’t THAT tell you more about the general robustness of biometric systems? ~smile~

    • #3342240

      Statistics?

      by jimwalias-techrepublic ·

      In reply to Is Internet security more about asking questions than finding answers?

      I was wondering where you got the statistics about 750 incidents? Can you supply the source for this information? Just in case you’re curious, no, I don’t work for or with any of the companies involved.

      • #3342173

        Obvious?

        by winkyx ·

        In reply to Statistics?

        Evaluation of any security scheme is an ongoing process. To think otherwise is patently insane. Personally I have found that the questions that come up when discussing security options or effectiveness of current processes are far too specific. Organizations tend to focus on their current practices and enforcing compliance as opposed to focusing on the effectiveness of those practices themselves. By using set scenarios with set answers they often run the risk of beating a dead horse instead of buying a new tractor. The same idea applies to finding gaps within a current system. Instead of starting with the internal controls of hardware and software vulnerabilities, it is often more productive to begin with the front line employees (front line does imply first line of defense after all). Beginning with a simple documentation of their everyday actions and the implication of those actions as relates to the internal controls, it is easy to build a case for points of possible vulnerabilities. A simple point would be at the point of data transfer. Where did it come from?, How do we know? Where will it be written to? How many places and where? How will it be accessed? Where is it backed up to? Obviously, verification of the data itself is a whole ‘nother flow chart. Suffice to say, it is often business practices themselves that end up being altered. The desire to make it “easy” for the customer to access or interact with a company, or even to make it easier for employees to do their jobs, is a pitfall that many businesses encounter. Lost customer confidence, legal fees, and SOX/HIPAA involvement are seldom seen as a deterrent until too late.

    • #3341987

      Of Questions and Choicepoint

      by tagmarkman ·

      In reply to Is Internet security more about asking questions than finding answers?

      Asking the right questions will only get you so far. I’ve asked the right questions at companies in which I have worked. We even have answered many of those questions with a more-than-likely correct answer. However, unless they are implemented and tested, it’s fairly worthless in terms of protection. These solutions have to be weighted and econmonic, among other factors, play a part in its priority.

      It’s not about whether questions or the answers or the implementation is the most important. What is important is that a sincere and continuous effort is being make to make the system and data secure while reducing customer inconvenience in a cost-effective manner.

      Using Choicepoint to make your point is pushing the limit of responsible action. Choicepoint was not hacked. False companies were created. These companies had the correct information. Following Choicepoint’s method of verifying companies were validated by Pingerton’s security audit. In other words, Choicepoint is just as responsible for company verification as Verisign is about their Digital Signatures.

      Choicepoint allowed access to this data as they do to all qualifying clients. The difference is that the company that was given this data used it in an act of fraud. When this was discovered, the criminals were deal with and the problem could have been swept under the rug like too many security issues.

      However, the state of California requires a letter to be sent to each of the people in question. This is why it hit the news, thousands of people were getting this letter and it caused a good bit of chaos. I doubt asking the right question would have prevented this issue.

    • #3350335

      root problem

      by batmang8 ·

      In reply to Is Internet security more about asking questions than finding answers?

      You guys are trimming the tips of the twigs with
      microtomes rather than chopping off the rotten
      limbs or the rotten trunk or the diseased root.

      The problem isn’t just the “identity thefts”, and
      it’s not just the hackers, and it’s not just that
      some company hadn’t secured this data
      sufficienty, and it’s not just that they bought
      most of this data from various governments.

      The root problem is that the governments had this
      personal private information in the first place.

      That they declared this personal private
      information to be “public records” is a secondary
      violation.

      That they sold this personal private information
      is a tertiary violation.

      That ClearPoint purchased it and matched data
      from multiple sources is a quaternary violation.

      That ClearPoint passed it around within the
      company is an additional violation. That they
      sold the information is yet another violation.
      That others obtained the information from them
      under false pretenses is yet another violation.
      That they then used the information to carry out
      more fraud is merely the last of their offenses.

      “[W]e may have come to the point of dealing with
      information as a substitute for dealing with
      people. By juggling data, creating dossiers,
      tracking records, we make — or we let machines
      make — decisions that determine the course of
      people’s lives without ever having to face those
      people as real human beings. So it is that the
      right of informational privacy — the right to
      control the availability & uses of information
      about one’s self — leads us back to the right of
      privacy in its more basic sense — the right to
      make one’s own choices, to maintain one’s
      integrity, to be left alone, & ultimately, to
      live in freedom.” — Trudy Hayden “Issues in
      Personal Privacy” _The Right to Privacy versus
      the Right to Know_ pg 16

      “Privacy, in my view, is the rightful claim of
      the individual to determine the extent to which
      he wishes to share of himself with others & his
      control over the time, place, & circumstances to
      communicate to others. It means his right to
      withdraw or to participate as he sees fit. It is
      also the individual’s right to control
      dissemination of information about himself; it is
      his own personal possession.” — Adam Carlyle
      Breckenridge _The Right to Privacy_ pg 1

      “[Privacy is] the right to control information
      about one’s self — when & to whom it shall be
      given, & for what purposes it shall be used.” —
      Alan F. Westin 1967 _Privacy & Freedom_ (quoted
      in Trudy Hayden “Issues in Personal Privacy” _The
      Right to Privacy versus the Right to Know_ pg 15)

      • #3351526

        Mostly…

        by tagmarkman ·

        In reply to root problem

        I agree with what you are saying, “We should have control over our information.” I also agree that it goes deeper than hacking. I tried to make that clear in my last post.

        I do want to clear up some points. The company is called “Choicepoint” not “Clearpoint”. Choicepoint was a company called Database Technologies also known as DBT (Pompano Beach, FL and Boca Raton, FL [BlueLake Facilities]). They went public back in the early days of the web. They were not on the Internet at that time. Entities connected via dedicated modems through an 800 line. Later, they were acquired by Equifax and formed Choicepoint (Atlanta, GA).

        The data they gathered came from public record. Usually, this data was purchased from typical U.S. government facilities just like any other investigator would have to do and just like any other investigator they retain the right to resell this data. The irony is that because they put it into a useful format and made it easy to get a hold of the data, often the same government entities that sold them the data would buy it back from them.

        The criminals could have acquired the same information going directly to the government (legally) just like they purchased the information from Choicepoint (legally). However, they used the information they purchased (illegally) and created fraudulent companies to hide behind.

        Responding to your accusation of Choicepoint:
        First: This was public record. (No violation).
        Second: Choicepoint did not declare it public, the US Government did. (No violation).
        Third: They sold this data to another party. (No violation).
        Fourth: They cross referenced information and they also state that the cross referencing is only as good as the data, etc… (No violation).

        Choicepoint a help save over 800 abducted children, save many law enforcement lives, and reduced insurance fraud significantly. The FBI, CIA, law enforcement, attorneys, and private investigators rely on this information. They are not a bad company.

        BatmanG8, you are right. We do need more control over our personal information, credit data, etc. It bothers me as well that so much of our information is out there.

        A law has passed recently where you can audit information sources such as Choicepoint to learn what the company has recorded about you. Choicepoint had this in place since the day the law was passed. Even if you can?t completely secure your information, at least in the meantime you can learn what other people know about you.

Viewing 7 reply threads