Monday, August 6, 2007

IT COULDN'T HAPPEN HERE....COULD IT?

Every issue of The ISO17799 Newsletter features at least one TRUE story of an information security breach and its consequences:

1) Confidential User-Ids?

Organizations rightly stress the importance of password confidentiality. Some also urge staff to select sensible passwords, which cannot be easily guessed or calculated.

Sometimes this is not taken as seriously as it should be, as individuals believe that, for example, a password of Sept2003 simply isn't going to be guessed by a perpetrator within the maximum number of input attempts allowed.

However, exposure doesn't always work like this. One breach occurred because the perpetrator discovered the format of a firm's user-ids (company code followed by 3 initials and a single-digit number). He then reverse engineered the process: he selected a password similar to the above (e.g. June2003) and then tried this password once against hundreds of combinations of user-id initials. The net result was that the accounts were not closed, because each had only one invalid attempt. Eventually he hit a user with that password. He wreaked havoc.
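The lockout in this story counted failures per account, so one attempt each against hundreds of user-ids never tripped it. The following is an added detection example, not code from the newsletter or this blog: it runs over constructed, made-up log lines (the line format, source addresses and user-ids are all invented) and contrasts the per-account view with a per-source count of distinct user-ids, which is the view that catches the pattern.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, made-up log lines (not from the page): each user-id fails only ONCE,
# so a per-account lockout counter never reaches its threshold.
SAMPLE_LOG = """\
2003-06-10T09:00:01 src=10.0.0.5 user=ACMEJDS1 result=FAIL
2003-06-10T09:00:02 src=10.0.0.5 user=ACMEABC1 result=FAIL
2003-06-10T09:00:03 src=10.0.0.5 user=ACMEKLM2 result=FAIL
2003-06-10T09:00:04 src=10.0.0.5 user=ACMEPQR1 result=FAIL
2003-06-10T09:00:05 src=10.0.0.5 user=ACMEXYZ3 result=FAIL
2003-06-10T09:05:00 src=10.0.0.9 user=ACMEQWE1 result=FAIL
2003-06-10T09:05:30 src=10.0.0.9 user=ACMEQWE1 result=FAIL
"""
LINE_RE = re.compile(r"(\S+) src=(\S+) user=(\S+) result=(\S+)")

def parse(log_text):
    """Yield (timestamp, source, user, result) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, user, result = m.groups()
            yield datetime.fromisoformat(ts), src, user, result

def max_failures_per_account(log_text):
    """What a classic per-account lockout rule sees: the busiest single user-id."""
    counts = defaultdict(int)
    for _, _, user, result in parse(log_text):
        counts[user] += result == "FAIL"
    return max(counts.values(), default=0)

def find_horizontal_guessing(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {source: sorted user-ids} for every source that failed against at
    least `min_accounts` DIFFERENT accounts within `window` (one source, many
    user-ids, one try each): the pattern a per-account counter cannot see."""
    failures = defaultdict(list)            # src -> [(ts, user), ...]
    for ts, src, user, result in parse(log_text):
        if result == "FAIL":
            failures[src].append((ts, user))
    alerts = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # slide a window from each failure
            in_window = {u for t, u in events[i:] if t - start <= window}
            if len(in_window) >= min_accounts:
                alerts[src] = sorted(in_window)
                break
    return alerts
```

On the sample, the per-account view peaks at two failures (the legitimate user at 10.0.0.9 who mistyped twice), while the per-source view flags 10.0.0.5 after five distinct user-ids.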

2) When is Disposal Not Disposal?

Secure disposal of computer media is by now a fairly well-known requirement. It is widely, although not universally, practiced.

The history of information security, however, is littered with examples of disclosure through uncontrolled disposal. Stories of competitors, or their agents, retrieving old diskettes/CDs/listings/etc. from garbage bins are rife. However, there are plenty of other routes:

a) Not too many years ago, a network was uncovered that specialized in the recovery and sale of corporate data. One of their methods was to purchase old tapes and diskettes from large companies and then restore the data using their own recovery software. This was then discreetly offered for sale to selected competitors!

b) A more recent example along the same lines: on this occasion the perpetrators tracked the disposal route of a computer engineering firm. This firm was responsible for the maintenance of peripherals and routinely replaced the faulty media of their clients. Sadly, the hardware fault was not always terminal for the data stored.

Although many of the customers had excellent disposal procedures in place, they had not covered this eventuality. Their data was exposed as a result.

From : 17799-news.the-hamster.com