Nov 18 2009 3:44PM GMT
Posted by: Arian Eigen Heald
Start Laughing Now, Stupid Technology
A co-worker of mine came across a slide-show on cio.com (of all places!) on vintage technical ads.
How one ad for Daisy guns got in there, I’ll never know, but it does fit in well (believe it or not) with the overall theme. And the comments next to the slides had me ROTFL (Yes, I know, I couldn’t help it - Rolling On the Floor Laughing).
It’s absolutely amazing what people came up with to advertise, including some not so “Politically Correct” items that made me thankful we have progressed as a society. When I wasn’t laughing really hard.
Nov 13 2009 9:49PM GMT
Posted by: Arian Eigen Heald
TCM (Truly Clueless Management), Data Breaches, data security, information security
Reviewing yet another data breach in the news, I was struck by the phraseology of the news report. Specifically, the article on MassMutual brought a point to mind that I keep using with companies and organizations I work with: You can transfer risk, but you are still responsible for your data in the public eye.
Reading the article, I was struck by the fact that nowhere in the article was the name of the third-party vendor mentioned. MassMutual is taking it on the chin (and quite defensively, I might add) because, ultimately it is their data. They picked out the third-party vendor - I wonder how good their contract with the vendor is.
And the parties affected by this breach? Their employees, and their families.
The company announcement: “The vendor engaged a highly respected forensics team to investigate, and at this time we believe that no misuse of the information or fraudulent activity involving the data has occurred,” is disingenuous at best. We looked, but found nothing right now - so everything is OK!
Here’s the reality, however:
According to a recent report published by Javelin Research (for which you must pay $1250.00, so you won’t be seeing me offer THAT as a download), individuals whose personal information has been compromised in a corporate breach are four times more likely to suffer identity theft or fraud.
This result runs contrary to MassMutual’s defensive statement, a line very commonly used by breached companies, who often state that they have no indication that the compromised data has been used by criminals.
No vendor name, no information on how or when it happened, but trust us, your data is fine!
Nov 10 2009 6:06PM GMT
Posted by: Arian Eigen Heald
Incident Response, Digital Forensics, Data Breaches, information security
In a previous column, I talked about the importance of locking up a computer and not continuing to use it after it has been compromised, or the fraudster was fired.
This works in a lot of situations, but there are also situations where it’s NOT the best thing to do. If you know a computer has been compromised by an external entity, the best things to do are:
1. leave it on,
2. don’t let anybody use it, and
3. call your experts in.
Why leave it on? There are things running in memory that won’t be captured if you shut it down. Remember that you lose everything that’s in RAM, as well as network connections and processes running. It’s critical information if you want to find out who is doing it, and how they’re doing it.
Don’t log into it to “see what you can find out.” In some cases, servers get hacked, and admins tend to log in to “fix it.” As I noted earlier, sometimes they reboot the box to “clear it out.” There goes all your information, and very probably the ability to at least find out how it was done so that you don’t restore the box to the same “hackable” condition.
Don’t have experts you can call on, that you know are good? That means you’re suffering from the ostrich syndrome. The time to build relationships that can help in a crisis is not during the crisis. Do yourself a favor and at least research the most likely people you’ll need to get the job done.
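To make the "leave it on" point concrete, here is an added example (my own, not from the original post) of what the responder you called in would pull off the live box first: the network connections and running processes that vanish on reboot, hashed into a manifest so the evidence can be verified later. It assumes Linux, reads /proc directly rather than trusting possibly tampered binaries, and takes a hypothetical output directory that should be a mounted removable or remote volume; a full RAM image still needs a dedicated memory acquisition tool.

```shell
#!/bin/sh
# snapshot_volatile OUTDIR - capture volatile state in order of volatility
# (network connections first, then processes, then kernel modules/uptime),
# then write a SHA-256 manifest of every artifact. Hypothetical helper.
snapshot_volatile() {
    outdir="$1"
    mkdir -p "$outdir" || return 1
    ts=$(date -u +%Y%m%dT%H%M%SZ)

    # 1. Network connections: gone the moment the box is powered off.
    for f in /proc/net/tcp /proc/net/tcp6 /proc/net/udp /proc/net/udp6; do
        [ -r "$f" ] && { echo "== $f"; cat "$f"; } >> "$outdir/network_$ts.txt"
    done

    # 2. Running processes: PID, executable path, full command line.
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null)
        exe=$(readlink "$p/exe" 2>/dev/null)
        printf '%s\t%s\t%s\n' "$pid" "${exe:--}" "${cmd:--}"
    done > "$outdir/processes_$ts.txt"

    # 3. Loaded kernel modules and uptime: a "clean-up" reboot erases both.
    [ -r /proc/modules ] && cp /proc/modules "$outdir/modules_$ts.txt"
    [ -r /proc/uptime ] && cp /proc/uptime "$outdir/uptime_$ts.txt"

    # 4. Manifest: hash each artifact so later tampering is detectable.
    ( cd "$outdir" && sha256sum *_"$ts".txt ) > "$outdir/manifest_$ts.sha256"
    echo "$outdir/manifest_$ts.sha256"
}

# verify_snapshot MANIFEST - re-check every artifact against the manifest.
verify_snapshot() {
    manifest="$1"
    ( cd "$(dirname "$manifest")" && sha256sum -c "$(basename "$manifest")" >/dev/null )
}
```

Run it as the responder's first action, before anyone logs in to "fix" anything, and keep the manifest with the case notes.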
Nov 5 2009 4:52PM GMT
Posted by: Arian Eigen Heald
Data Breaches, Data Center, data security, cloud computing, cloud security, information security
As I’m sure you know, I’m not yet a big fan of “cloud computing,” known by various acronyms. I have yet to see a really comprehensive approach to audit and security. Ultimately, you don’t know where your data is in the “cloud.” And the Feds have access to it without a warrant.
So you can imagine my dismay when recently reading someone’s suggestion that the shared computing power of the “cloud” could be used to crack encryption algorithms ever so much faster. How will we address this risk?
The risks of audit and control issues, physical security and secure storage of backups, in my mind, outweigh the overhyped benefits. When I see a strong standard implemented by “cloud” vendors, subject to outside independent verification, I’ll get to “wow.”
Not until then. Where’s the beef?