“I’d just like to say that tomorrow is my brother’s birthday. Lieutenant Colonel John Smith, of Oshkosh, Maryland is 50 years old.”

It’s interesting to note that we have a fair amount of info for piecing together… identity theft:

Name
Rank
Date of Birth
City and State

If you think this is being a little paranoid, remember this saying: Just because you’re paranoid, it doesn’t mean no one is out to get you. The real trouble here is the efficiency involved. It’s one thing to mention this information to a small group of people – perhaps some of whom you don’t know well. It’s quite another to divulge this information nationally, to millions of people (and that is this particular show’s audience numbers).

With a little diligence, an identity thief can cruise past this person’s mailbox, and steal even more critical identifying information. As a start, the info above is enough of a foundation to make that cruise a good investment in time. Also, “spoofing” then becomes more easily leveraged; the contact of this person, either via e-mail, USPS mail, or even in person.  One example is a spoof whereby someone poses as the representative of a veteran’s organization, and asks to “verify” information:

“Hello Colonel Smith, we have your city and state as Oshkosh, Maryland – is that correct?  Thank you.  We also have your date of birth as 12/16/62 – is that correct?  Would you please provide your Social Security Number for verification?  Thank you Sir.”  You get the idea.  It happens quite frequently.

The newscaster could have said, merely, “I’d like to wish my brother a Happy Birthday… tomorrow is his birthday” – and left it at that. However, if it were me, I would say nothing. In the first place, a national news audience doesn’t particularly care, and while the mention “on air” might please his brother, it’s really not worth it. It’s not that big a deal in personal terms – being that it’s likely that a phone call will be made (or can be made, in lieu of the on air greeting) later.

It’s time to think very carefully about what you do: What you reveal; to whom; where; and when (are others nearby who can overhear? Online – are systems truly secure?).

In divulging personal information, regardless of the reason, always ask yourself:  Is this something that I have to provide? If it is truly necessary, is this the superior way to do it?

What this newscaster did is fine… for the ‘50s, ‘60s, ‘70s… etc. – maybe. But in today’s times?

NO. WAY.  Be careful out there.

In addition to security concerns – that is, the controls and monitoring necessary to ensure data and resources are breached and corrupted, exposing individuals/the organization to harm – there exist legal and ethical reasons for protecting these things.

Naturally, Identity and Access Management (IAM) procedures and related policy is key and central to protection.  Enabling users to access data and resources securely, appropriately, and with full knowledge for appropriate use (often overlooked – training) isn’t just a goal of IAM – it is the whole of it.

Your organization must strive to remain within best practices regarding IAM – and in so doing, the IT leader, allied vendors, and savvy business leaders must stay abreast of emerging standards and vet them for incorporation to their environments and overall security policies and plans.

Of particular interest to me are robust credentialing systems that allow entrée to several, perhaps a dozen or more, discreet systems, whether those systems are within the physical control of the organization, or scattered amongst vendors and other allied agencies that have granted access to portions of their environment and assets. 

Gone are days of faith in a simple Single Sign-on, with breach of an ID and password granting access to all manner of allied systems.  The ultimate is an ID and password solution that forces security questions and answers, with subsequent splay of discreet (for each system) randomly generated IDs and passwords, with special keys, for transmission to systems with appropriate handshake – all transparent to the user.

If you’re examining security and IAM (and you should be):

-      How do you currently link physical and electronic identities?  Are you comfortable with your present authenticating system(s)?

-      What can you reasonably do to create stronger links between physical and electronic identities?

-      How do you verify other agency’s electronic identities?

-      Are your IAM products, processes and policies flexible; both in accommodating evolving roles and in general longevity for emerging and new best practices?

-      Where is the optimal balance of effort between managing strict IAM and simple utilization of commonly distributed, wide-access, resources?

-      What accommodation does your IAM strategies and policies need to make for single sign-on, etc.,  with externally hosted and cloud-based applications and resources?

August 30^th:  On this day in 1797, Mary Wollstonecraft Shelley was born in London, England (author, Frankenstein)