Thursday, April 8, 2010

Is Lock Picking a Lost Art?

By now, most people in the security field have become aware of a near foolproof means of bypassing pin tumbler locks and the like using a special key and hammer. My naive thought was that once the new method came to light, the art of lock picking would soon fall by the wayside.

Furthermore, particularly in information security circles, people mostly lose sight of the need to address physical security as a means of ethically penetrating a client's infrastructure. To this end, I encourage information security practitioners to expose themselves to lock picking as a means of increasing concentration and solving puzzles. Whether it be a door to a server room, or a lock protecting a rack of servers, having a basic understanding of how locks work and some general techniques to defeat them can make all the difference in the world.

Tuesday, April 6, 2010

Data Disclosure and Compensation

I was recently thinking about the data disclosure breach of 3.3 million from ECMC, and as I read the article, I became increasingly disturbed about the lengths that companies that sustain a data breach are taking to compensate the victim. It seems as if it is customary to send a letter to the victim and offer one year of credit monitoring services. This is garbage in my opinion, as many of the victims are already under a credit monitoring service from some other company and its data breach.

We are quickly heading towards two unique tipping points:

1) Credit monitoring service is not retributive justice for the violation of one's private, personal data. Sure, it stings the company's bottom line, but chances are, this is in a cash account just waiting for the day it may need to be used. The real victims are the ones whose data is stolen, kicked around, and ends up who knows where. So we give the victim the equivalent of a carnival prize. "Thanks for playing."

2) It appears that the information security community places a high value on private (PII) information. We spend trillions of dollars protecting 9-digit SSNs because they can easily be paired with a name as the basis of identity theft. What if we devalued this information, instead of throwing everything but the kitchen sink at it to keep it secret? Maybe it is biometrics, or maybe it is some form of smart card. I don't claim to know the answer; however, we should consider all options to protect the identity of the victims and potential victims, not the random bits and bytes that identify us.

I would be interested in hearing others' perspectives on these points.