I love it when the NPR Car Talk guys – Click and Clack – read the closing credits of their show each week and credit their law firm “Dewey Cheatam and Howe” along with their other pun-derific service providers and sponsors. Besides bringing a smile to my lips, the name is a constant reminder of how you can be getting robbed right before your eyes and not even know it.
One of the benefits (or, as co-workers occasionally said, one of the curses) of leading the IT services practice at Bridgepoint Consulting in 2006-2007 was gaining a healthy respect for systems security, compliance, and IT general controls.
Not that I’m any better than the next person at securing my day-to-day personal and work IT assets, but you might say I’m a bit more likely than my average colleague to browse the headlines on security issues. With that in mind, what follows are a couple of headlines that have caught my attention recently.
There’s a great article by the BBC that describes how the bad guys are increasingly operating like small businesses. I love the quote from the Cisco security researcher: “One of the most important themes for a business is customer acquisition.” He goes on to document how the hot memes and search terms of the day, combined with web 2.0 mass-communication platforms like Twitter and Facebook, are a major boon to online criminals.
The moral of the BBC article: it’s all about knowing who you are dealing with, and, for the moment, the easiest way for the average Joe or Jane to verify the authenticity of the party on the other end of a communication is a digital signature. If you are an MS Office user, like much of the business world, you can read all about activating a digital signature from Microsoft.
Moving on from signatures to other forms of identification (ID), I found this InformationWeek article about the increasing ease of cracking American Social Security numbers (SSNs) a good reminder of the need to rely on multiple unique identifying factors to protect one’s privacy. Since basic identity theft normally relies on the three essentials of ID – SSN, name, and date of birth – the article is a rude awakening.
The article describes how a research team was able to predict SSNs with 60% accuracy after 1,000 attempts for people born recently in small states. It goes on to describe the staggering potential street value of credit cards obtained with stolen identities when a large botnet is deployed to do the work. We’re talking hundreds of thousands of dollars per hour! Definitely enough to persuade your average criminal into hiring a couple of ethically ambiguous computer science majors.
So, with all of this risk, what does one do? My experience, and what I’ve repeatedly seen advised by security professionals, is to take a layered approach to security. As with all things, stay informed about the latest recommendations, like this Top 20 security controls list from ZDNet.
An industry colleague, Susan Scrupski, is fond of offering the simple rule “blog smart” when asked what the policies for well-run online communities ought to look like. Co-opting that rule for security, I would say “compute smart” when conducting your business and personal interactions online.