Join or sign in Register for your free TechRepublic membership or if you are already a member, sign in using your preferred method below. Use Your Email Use FacebookUse Linkedin

Is Internet security more about asking questions than finding answers?

Locked

Do you agree with Jonathan Yarden that it’s sometimes more important to ask the right questions about security than it is to find the answers? Does your organization follow this philosophy, or does it assume the security precautions in place are sufficient? Share your comments about the importance of questioning your organization’s security strategy, as discussed in the March 7 Internet Security Focus newsletter.

If you haven’t subscribed to our free Internet Security Focus newsletter, sign up today! Click this link to subscribe automatically:
http://nl.com.com/MiniFormHandler?brand=techrepublic&list_id=e044

Topic

yup.

In reply to Is Internet security more about asking questions than finding answers?

if the questions aren’t asked, then there is not security.

you have to question the security level of any system that is connected to another.
doesn’t matter how well the question is answered, just by asking and checking you find holes and fix them.

Questions are a must

In reply to Is Internet security more about asking questions than finding answers?

The number of security holes that are discovered on a daily basis require that questions be asked. Anyone who has the job title of security officer has to ask questions and getting answers to these on a regular basis.

20 questions?

In reply to Is Internet security more about asking questions than finding answers?

Anyone can ask questions… it often takes a very smart person to answer the questions of the silliest questioner.

But also, the smartest people often ask the toughest questions.

The more you understand security, the tougher you can quiz the practitioners.

It’s also about people interaction

In reply to Is Internet security more about asking questions than finding answers?

All large services such as this one now rely totalling on “hands off” interaction with their clients. As an example have you TRIED to call your bank lately? For security purposes for companies such as those that sell id information and other secure information; it should be mandatory to talk with a live person first before issuing clearance. That is where asking the right questions would be done. If you have ever connected with one of these information houses you will be directed to fill out their on line form. That’s it.. your connected.

Perhaps we trust too much that what is stated is fact.

when they call you…

In reply to It’s also about people interaction

what amuses me most is when a bank or Govt department calls me… first thing is they want be to prove who *I* am.

Hang on, *you* called me, how do I know who *you* are??? There’s no way I’m going to prove my credentials to someone *claiming* to be from XYZ organisation.

then I hang up.

The ONLY answer

In reply to Is Internet security more about asking questions than finding answers?

The only answer is “thumbprint verification” or “retina scan” verification….. Unless someone hacks the authorized individuals digit off, well then…. that’s a movie of the week, isn’t it?

nobody uses retina scan

In reply to The ONLY answer

Hopefully you mean iris recognition, because I don’t know of any widely deployed retina projects. Also, there is no ‘scanning’ involved. The iris recognition system simply grabs a phto of the front of the eye.

Also, most fingerprint systems have a variety of liveness tests built in. A severed finger generally won’t work.

Regarding movies, watch closely – it’s only the A-grade stars (Tom, Arnie etc ) who can defeat the biometric system, everyone else is forced to use t properly – doesn’t THAT tell you more about the general robustness of biometric systems? ~smile~

Statistics?

In reply to Is Internet security more about asking questions than finding answers?

I was wondering where you got the statistics about 750 incidents? Can you supply the source for this information? Just in case you’re curious, no, I don’t work for or with any of the companies involved.

Obvious?

In reply to Statistics?

Evaluation of any security scheme is an ongoing process. To think otherwise is patently insane. Personally I have found that the questions that come up when discussing security options or effectiveness of current processes are far too specific. Organizations tend to focus on their current practices and enforcing compliance as opposed to focusing on the effectiveness of those practices themselves. By using set scenarios with set answers they often run the risk of beating a dead horse instead of buying a new tractor. The same idea applies to finding gaps within a current system. Instead of starting with the internal controls of hardware and software vulnerabilities, it is often more productive to begin with the front line employees (front line does imply first line of defense after all). Beginning with a simple documentation of their everyday actions and the implication of those actions as relates to the internal controls, it is easy to build a case for points of possible vulnerabilities. A simple point would be at the point of data transfer. Where did it come from?, How do we know? Where will it be written to? How many places and where? How will it be accessed? Where is it backed up to? Obviously, verification of the data itself is a whole ‘nother flow chart. Suffice to say, it is often business practices themselves that end up being altered. The desire to make it “easy” for the customer to access or interact with a company, or even to make it easier for employees to do their jobs, is a pitfall that many businesses encounter. Lost customer confidence, legal fees, and SOX/HIPAA involvement are seldom seen as a deterrent until too late.

Of Questions and Choicepoint

In reply to Is Internet security more about asking questions than finding answers?

Asking the right questions will only get you so far. I’ve asked the right questions at companies in which I have worked. We even have answered many of those questions with a more-than-likely correct answer. However, unless they are implemented and tested, it’s fairly worthless in terms of protection. These solutions have to be weighted and econmonic, among other factors, play a part in its priority.

It’s not about whether questions or the answers or the implementation is the most important. What is important is that a sincere and continuous effort is being make to make the system and data secure while reducing customer inconvenience in a cost-effective manner.

Using Choicepoint to make your point is pushing the limit of responsible action. Choicepoint was not hacked. False companies were created. These companies had the correct information. Following Choicepoint’s method of verifying companies were validated by Pingerton’s security audit. In other words, Choicepoint is just as responsible for company verification as Verisign is about their Digital Signatures.

Choicepoint allowed access to this data as they do to all qualifying clients. The difference is that the company that was given this data used it in an act of fraud. When this was discovered, the criminals were deal with and the problem could have been swept under the rug like too many security issues.

However, the state of California requires a letter to be sent to each of the people in question. This is why it hit the news, thousands of people were getting this letter and it caused a good bit of chaos. I doubt asking the right question would have prevented this issue.

root problem

In reply to Is Internet security more about asking questions than finding answers?

You guys are trimming the tips of the twigs with
microtomes rather than chopping off the rotten
limbs or the rotten trunk or the diseased root.

The problem isn’t just the “identity thefts”, and
it’s not just the hackers, and it’s not just that
some company hadn’t secured this data
sufficienty, and it’s not just that they bought
most of this data from various governments.

The root problem is that the governments had this
personal private information in the first place.

That they declared this personal private
information to be “public records” is a secondary
violation.

That they sold this personal private information
is a tertiary violation.

That ClearPoint purchased it and matched data
from multiple sources is a quaternary violation.

That ClearPoint passed it around within the
company is an additional violation. That they
sold the information is yet another violation.
That others obtained the information from them
under false pretenses is yet another violation.
That they then used the information to carry out
more fraud is merely the last of their offenses.

“[W]e may have come to the point of dealing with
information as a substitute for dealing with
people. By juggling data, creating dossiers,
tracking records, we make — or we let machines
make — decisions that determine the course of
people’s lives without ever having to face those
people as real human beings. So it is that the
right of informational privacy — the right to
control the availability & uses of information
about one’s self — leads us back to the right of
privacy in its more basic sense — the right to
make one’s own choices, to maintain one’s
integrity, to be left alone, & ultimately, to
live in freedom.” — Trudy Hayden “Issues in
Personal Privacy” _The Right to Privacy versus
the Right to Know_ pg 16

“Privacy, in my view, is the rightful claim of
the individual to determine the extent to which
he wishes to share of himself with others & his
control over the time, place, & circumstances to
communicate to others. It means his right to
withdraw or to participate as he sees fit. It is
also the individual’s right to control
dissemination of information about himself; it is
his own personal possession.” — Adam Carlyle
Breckenridge _The Right to Privacy_ pg 1

“[Privacy is] the right to control information
about one’s self — when & to whom it shall be
given, & for what purposes it shall be used.” —
Alan F. Westin 1967 _Privacy & Freedom_ (quoted
in Trudy Hayden “Issues in Personal Privacy” _The
Right to Privacy versus the Right to Know_ pg 15)

Mostly…

In reply to root problem

I agree with what you are saying, “We should have control over our information.” I also agree that it goes deeper than hacking. I tried to make that clear in my last post.

I do want to clear up some points. The company is called “Choicepoint” not “Clearpoint”. Choicepoint was a company called Database Technologies also known as DBT (Pompano Beach, FL and Boca Raton, FL [BlueLake Facilities]). They went public back in the early days of the web. They were not on the Internet at that time. Entities connected via dedicated modems through an 800 line. Later, they were acquired by Equifax and formed Choicepoint (Atlanta, GA).

The data they gathered came from public record. Usually, this data was purchased from typical U.S. government facilities just like any other investigator would have to do and just like any other investigator they retain the right to resell this data. The irony is that because they put it into a useful format and made it easy to get a hold of the data, often the same government entities that sold them the data would buy it back from them.

The criminals could have acquired the same information going directly to the government (legally) just like they purchased the information from Choicepoint (legally). However, they used the information they purchased (illegally) and created fraudulent companies to hide behind.

Responding to your accusation of Choicepoint:
First: This was public record. (No violation).
Second: Choicepoint did not declare it public, the US Government did. (No violation).
Third: They sold this data to another party. (No violation).
Fourth: They cross referenced information and they also state that the cross referencing is only as good as the data, etc… (No violation).

Choicepoint a help save over 800 abducted children, save many law enforcement lives, and reduced insurance fraud significantly. The FBI, CIA, law enforcement, attorneys, and private investigators rely on this information. They are not a bad company.

BatmanG8, you are right. We do need more control over our personal information, credit data, etc. It bothers me as well that so much of our information is out there.

A law has passed recently where you can audit information sources such as Choicepoint to learn what the company has recorded about you. Choicepoint had this in place since the day the law was passed. Even if you can?t completely secure your information, at least in the meantime you can learn what other people know about you.

[Author]

Replies