Forwarded from: Mark Bernard <Mark.Bernard@TechSecure.ca>
Dear Associates,
fyi.... I think the biggest fear here, is that incident after incident
leaves more and more private information out there floating around for
someone with the right resources to accumulate for future use. After
all, every hardened criminal knows that there's a cooling off period
of several months before the merchandise can be moved or used, but yet
industry and government can't stop the bleeding of information.
Some might like to suggest that the tapes are gone and we'll never see
or hear about them again. However, if you ask any Law Enforcement
person they'll tell you that most crimes are perpetrated because the
criminal has two advantages, opportunity and time. Based on that fact
we have to ask ourselves during our risk management efforts, what have
we done to take away time and opportunity? It would appear that in
some cases nothing....
And to think that we haven't even begun to address the hardened
criminals who make their own time and opportunities. Who deliberately
seek out weak links within our risk management chain of custody to
exploit them.
Every time the same company losses data again and again they get more
attention by Cyber Criminals. After all the message that the company
is sending with multiple information losses is that they are either to
big and incapable of moving quickly enough to shutdown the
vulnerability or completely incapable of shutting it down.
As for the technology factor, well there are lots of used systems for
sale that can handle compressed data. As for encryption, well the key
to cracking encrypting is publicly available over the Internet. So
you see its a matter of developing a sound strategy and integrating
effective risk mitigation techniques based on your specific business
needs.
Time and opportunity is all that it will take and there will be more
news articles like this one..... its currently unavoidable! The only
question that we can't answer is who's company will be next and what
will be the final result of their losses?
======= beginning of excerpt =========
Iron Mountain Loses More Tapes
http://www.informationweek.com/story/showArticle.jhtml?articleID=165701015
By Steven Marlin
InformationWeek
July 8, 2005
City National Bank has become the second company in two months to
experience a loss of backup tapes in transit by Iron Mountain Inc. The
Los Angeles-based bank disclosed Thursday that two tapes containing
sensitive data, including Social Security numbers, account numbers,
and other customer information, were lost during transport to a secure
storage facility.
The bank said the data was formatted to make the tapes difficult to
read without highly specialized skills, but declines to say if they
were encrypted. It said there's no evidence that data on the tapes has
been compromised or misused.
======= end of excerpt ===============
Best regards,
Mark.
Mark E. S. Bernard, CISM, CISSP, PM,
Principal, Risk Management Services,
e-mail: Mark.Bernard@TechSecure.ca
Web: http://www.TechSecure.ca
Phone: (506) 325-0444
Leadership Quotes by Kenneth Blanchard: "The key to successful leadership
today is influence, not authority."
_________________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 -
2,000+ international security experts,
10 tracks, no vendor pitches.
www.blackhat.com
