Implications: Expect budget cuts in Security Software and Services by the 3rd quarter of 2008. The prospect of corporate criminal prosecution will bring major changes. Hacker activity is at an all-time high, and many security products and services have been oversold. Some corporate executives believe the virus prevention firms write most of the viruses. Expect biometrics to start playing a more active role.
Analysis:
Convenience has been allowed to override security; my group has not found one organization that actually password-protects its sensitive databases. If individuals do not have to log into databases separately, the same is true for their hacker impostors. Unfortunately, most users can access sensitive information without needing a second password.
Information theft is a major worldwide problem, and new criminal laws are under construction to punish organizations that are reckless in their handling of sensitive information. For example, the Justice Select Committee of the British Parliament has called for a package of new laws, including criminal proceedings in the case of reckless or repeated loss of personal information.
Silicon Valley has focused on quick builds and third-party compatibility instead of security; Microsoft is a prime example. I recently wrote the following copyrighted article for general and legal community distribution:
There are hundreds of computer security products and experts available. Yet, on an almost daily basis, we read shocking media reports about new, large-scale computer security breaches. It is obvious that the security strategies employed in the past are inadequate. What steps can managers take to prevent such breaches? In lay terms, to prepare for computer security storms, they can board the windows, head into the basement, and, ideally, tornado-proof the house.
Boarding the windows. Managers should insist that there be separate passwords on all sensitive databases. In many private and public computer systems, once you log on and have access to a sensitive database, you are not required to log into the database separately. Although you may need a password to log on initially, those databases rarely have their own separate password. Suppose that you previously acquired a virus through web surfing. The virus runs while you run, and that virus can impersonate you. For example, anything you can do manually (send a message, attach a confidential document, or recall a previous message) the virus may be able to do. In particular, the virus can access any programs or databases you normally have permission to use, just as if you were typing the commands.
Heading into the basement. Managers should ensure that data centers maintaining sensitive data are wary of requests to send large quantities of sensitive information to offshore locations. When the center receives a request to send data to an unfamiliar address, the safest initial response is to deny the request. Each center ought to have a list of customers and other pre-approved sites to which data may be transmitted. If a destination is not on that list, the center should demand further proof that the site is an appropriate one.
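The pre-approved destination list described above, written up as a deny-by-default check that a data center could run against each outbound transfer request. This is an added example, not code from the article; the sample approved hosts, the size threshold and the request shape are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample list of pre-approved recipients (assumed for this example).
# A leading "." approves every host under that domain, not the domain itself.
APPROVED_DESTINATIONS = frozenset({"sftp.customer-a.example", ".partner-b.example"})

# Assumed threshold: transfers at or above this size need separate sign-off
# even when the destination is on the list.
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024

# Bare host names only: letters, digits, hyphens and dots at label boundaries.
_HOSTNAME = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")


@dataclass(frozen=True)
class TransferRequest:
    destination: str  # host name the data would be sent to
    size_bytes: int


def is_approved_destination(host: str) -> bool:
    """Exact-host or label-boundary suffix match against the approved list.

    Substring tests are avoided on purpose: checking whether
    "sftp.customer-a.example" appears in the host would also accept
    sftp.customer-a.example.attacker.test as a customer site.
    """
    host = host.strip().lower().rstrip(".")
    if not _HOSTNAME.match(host):
        return False  # URLs, paths, user@host forms and empty strings never match
    for entry in APPROVED_DESTINATIONS:
        if entry.startswith("."):
            if host.endswith(entry):  # ".partner-b.example" matches files.partner-b.example only
                return True
        elif host == entry:
            return True
    return False


def evaluate(req: TransferRequest) -> tuple[str, str]:
    """Return ("allow", reason) or ("deny", reason); deny is the default outcome."""
    if req.size_bytes < 0:
        return "deny", "invalid size"
    if not is_approved_destination(req.destination):
        return "deny", "destination not pre-approved; demand proof before sending"
    if req.size_bytes >= LARGE_TRANSFER_BYTES:
        return "deny", "large transfer to approved destination; needs separate sign-off"
    return "allow", "destination pre-approved"
```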
Tornado-proofing the house. The best protection against Internet infection is isolation. Simply stated, computer systems maintaining critical data ought not to be exposed to the Internet; hackers are that determined and that savvy. Short of implementing that radical strategy, though, realistically there is nothing that even the most conscientious manager can do to completely prevent the tornado. However, that is no excuse for failing to take simple, feasible steps that could significantly limit the tornado damage. For example, the effectiveness of virus management can be improved, and sensitive information should be encrypted whenever it is practical to do so. Will a modest improvement in virus management and encryption eliminate the possibility of security breaches? Certainly not. However, combined with other steps such as adding separate passwords to sensitive databases and limiting data delivery to pre-approved destinations, it can prevent hundreds of thousands and even millions of innocent citizens from falling victim to security breaches and identity theft. There is no panacea or magic bullet, but management can perform a huge public service by taking the lead in strengthening American computer security.
© Copyright 2008 Michael Cherry and Edward J. Imwinkelried all rights reserved.