You are currently browsing The Revelator weblog archives for the day 9. October 2008.
9. October 2008 by Layne.
Folks I try to stay positive…I try to believe that those who should be protecting stuff are protecting that stuff. I try to avoid sarcasm as I write about certain aspects of security or OPSEC - but I lose the battle sometimes.
Case in point: Did you really think your personal information was protected?
Let me share something I read recently in the Washington Post:
“U.S. corporations, governments, and universities reported a record 516 consumer data breaches in the first nine months of this year, incidents prompted chiefly by hackers and employee theft. About 80 percent of the breaches involved digital records, while the remainder stemmed from the loss, theft or exposure of paper-based records. Some 30 million records on consumers have been exposed so far this year but there is currently no federal requirement for organizations that experience a data breach or loss to acknowledge precisely how many consumers nationwide may have been affected. More than 36 percent of the breaches so far this year have been at U.S. businesses, while educational institutions were the second most frequent source of incidents (21 percent).”
516 breaches - 30 million records exposed - 9 months - no reporting requirement
I am at a loss for words. Well, not actually a loss - many words are running through my mind. I just don’t want to put those words on this blog. This is just sick - I need a drink.
Keep the Faith! (even though it can be hard at times)
Revelator
Bad Moon Rising - Creedence Clearwater Revival
Posted in General OPSEC
9. October 2008 by Revelator.
Excerpt from an article I recently read: “Organizations are shifting their focus to the threat posed by insiders and turning their attention to training and data protection, according to a recently released survey. The 2008 Global Information Security Workforce Study, conducted by analyst firm Frost and Sullivan for certification organization (ISC)2, surveyed 7,548 information security professionals worldwide. 51% of respondents said internal employees pose the biggest threat to their organizations. The finding represents an ongoing trend in the past two to three years, as the numbers of remote workers and portable storage devices have jumped in the enterprise, said Frost & Sullivan’s network security industry manager. ‘That increases the chance of something happening, whether it’s malicious employees or just someone with good intentions but walks out of the building with data so they can work at home,’ he said. The findings are supported by Information Security’s Priorities 2008 survey, in which 70% of participants said they are worried about detecting and thwarting internal attacks.”
‘Bout time people start understanding what us OPSEC Professionals have known for quite a long time - unless you are in battle (and sometimes even then), the internal threat is the biggest threat to your organization. I wrote a blog entry on 30 May titled “Welcome to the Jungle” that spoke to this very thing.
From my perspective this isn’t an on-going trend from the past 2 or 3 years - it’s an on-going trend period. And it will never stop. Certainly advancing technology has made it easier for the malicious insider to cause harm but it has also made it easier for our biggest threat - the unintentional insider - to screw up and cause harm. Either through ignorance, laziness, or simple lack of caring the unintentional insider is the single most devastating threat to your organization. You can attempt to counter this with an aggressive awareness program and constant employee vigilance within the organization but the threat will remain. Understanding is half the battle - now act on this understanding.
Keep the Faith!
Revelator
Insider - Tom Petty and The Heartbreakers
Sample “Insider” lyrics…
It’s a circle of deception
It’s a hall of strangers
It’s a cage without a key
You can feel the danger
And I’m the one who oughta know
I’m the one you couldn’t trust
Yeah I’m the lonely silent one
I’m the one left in the dust
Posted in Media, Program Management, General OPSEC
9. October 2008 by Revelator.
Here are the titles of some articles I’ve come across lately. I haven’t included the full content of the articles but I think that, just based on the titles, you’ll see why I’m a bit concerned…
“Internet Flaw Could Let Hackers Take Over The Web” - I think that if this is true they might not want to detail how this could actually happen - which they did. Yeah, the article spoke very specifically about exactly what the flaw was and how to exploit it. Cool, huh?
“Airports Vulnerable to Attack” - While I suspect we all agree that yes, there are still some vulnerabilities that reality and budget constraints won’t allow us to directly address but this article explained how our airports were vulnerable and how bad guys could exploit these vulnerabilities.
“Billions More Needed to Secure U.S. Embassies” - Well then, please tell me what we need to spend this money on exactly and further I would like to know how not having these things can immediately put these embassies at risk. And while you’re at it go ahead and tell me which embassies are the most vulnerable so I don’t waste my time trying to blow up the wrong one. Anybody want to guess if the article actually did this?
“Research Reveals Patterns of Terrorist Preparation” - While, as a citizen, I am very happy that our law enforcement agencies have found patterns that may tip them off to terrorist activities, I am not real happy that we told the terrorists this. Seems to me that Terry Terrorist might begin to change his/her tactics and prepare for their activities in a whole new way thereby negating the intelligence advantage we had until this article came out.
Folks, I’m no arbiter of what is right or wrong to put into print and I have no educational background to argue the public’s “right to know” but as an OPSEC Professional it just seems to me that we are making waaaaaaaaaaaaaaaaaaaaaaaaaaaaay too much sensitive information available. For those of you out there actively practicing OPSEC, this is just one of the reasons you need to do Open Source searches on your own organization. It’s always good to know what the bad guy already knows about you - then you can focus your protection efforts on what is not known and you can also be proactive about dealing with what is known about your organization, mission or specific activities.
Keep the Faith!
Revelator
Bring The Noise - Public Enemy
Posted in WWW, Media