Friday, November 21, 2008

I was right!

Allen does the dance-of-I-was-right...

*ahem*

In my blog in July, I predicted that we would be seeing a perfect storm as cyber criminals start to see diminishing returns on PII (credit card info, mothers' maiden names and the kind of things they have been going after up until now) and thus start looking at the business information that they have been ignoring.

According to USA Today, internet thieves are making big money stealing corporate info.

"Elite cybergangs can no longer make great money stealing and selling personal identity data. Thousands of small-time, copycat data thieves have oversaturated the market, driving prices to commodity levels. Credit card account numbers that once fetched $100 or more, for instance, can be had for $10 or less, says Gunter Ollmann, chief security strategist at IBM ISS, IBM's tech security division."
As I said in my original article, the only problem with this is the establishment of a market. The cyber-criminals have established a very viable underground trading system, but they now need businesses to want to dip their toes in something that is highly illegal. It seems this is happening.

The scary thing is how much information is actually being pulled out of the organisation. The criminals are literally dumping everyone's My Documents directory, with no real aim, to a storage facility outside of the organisation, and yet the companies are not aware of this.
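The bulk dump described above is the kind of thing a company can notice if it baselines its own egress. As an added example (not from the original post or the USA Today article), the script below takes constructed flow records, sums each internal host's daily bytes to external addresses, and flags any host whose volume on one day is an order of magnitude above its own median and over an absolute floor. The RFC 1918 ranges, the 10x ratio and the 1 GB floor are assumptions for illustration; a slow-and-low exfiltration spread across weeks would not trip this check.

```python
"""Flag internal hosts whose daily egress volume jumps far above their own baseline."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import median

# Assumption: RFC 1918 space is "inside the organisation"; everything else is outside.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    day: str        # YYYY-MM-DD
    src: str        # source IP
    dst: str        # destination IP
    bytes_out: int  # bytes sent src -> dst


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def daily_egress(flows):
    """Sum bytes sent by each internal host to external hosts, per day.
    Internal-to-internal traffic (e.g. to a file server) is ignored."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[f.src][f.day] += f.bytes_out
    return totals


def flag_bulk_egress(flows, ratio=10.0, floor_bytes=1_000_000_000):
    """Return {host: (day, bytes, baseline_median)} for every host with a day
    whose egress exceeds `ratio` times its median over the other days AND the
    absolute floor (so a host that normally sends almost nothing is not flagged
    for a few megabytes). Ratio and floor are illustrative assumptions."""
    alerts = {}
    for host, per_day in daily_egress(flows).items():
        days = sorted(per_day)
        for day in days:
            others = [per_day[d] for d in days if d != day]
            if len(others) < 3:
                continue  # too little history to call anything a baseline
            base = median(others)
            vol = per_day[day]
            if vol >= floor_bytes and vol > ratio * max(base, 1):
                alerts[host] = (day, vol, base)
    return alerts


def constructed_flows():
    """Constructed sample data: two workstations browsing normally for eight
    days, one of them also copying ~30 GB to an outside host on the last day."""
    flows = []
    days = [f"2008-11-{d:02d}" for d in range(10, 18)]
    for day in days:
        flows.append(Flow(day, "10.1.1.20", "198.51.100.7", 40_000_000))   # normal browsing
        flows.append(Flow(day, "10.1.1.21", "198.51.100.7", 60_000_000))   # normal browsing
        flows.append(Flow(day, "10.1.1.21", "10.1.5.5", 5_000_000_000))    # internal file server, ignored
    flows.append(Flow(days[-1], "10.1.1.20", "203.0.113.9", 30_000_000_000))  # the dump
    return flows


if __name__ == "__main__":
    for host, (day, vol, base) in flag_bulk_egress(constructed_flows()).items():
        print(f"{host}: {vol / 1e9:.1f} GB out on {day} (baseline median {base / 1e6:.0f} MB/day)")
```

On the constructed data only 10.1.1.20 is flagged, for 2008-11-17; the 5 GB a day that 10.1.1.21 pushes to the internal file server never counts as egress. In practice the baseline should be per host and per day-of-week, and the source of truth would be firewall or NetFlow export rather than an in-memory list.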

My advice? Take measures now while the enemy are just getting established. How you manage to protect your employees' and customers' PII will determine how well you survive the next part of the battle - your company secrets.

Also, don't be tempted to get information on your competitors from shady people. They may just be doing the same thing to you.

PS1: (PII = personally identifiable information: anything that can be linked to a person, usually things you don't want the public to know, like your credit card details, address, salary, health, etc.)

PS2: Thank you to TaoSecurity for the story. Read

Friday, November 14, 2008

Talking Engagement

So, it finally happened. I was invited to talk at an Information Security Conference and I went and talked.

My talk was about the risks of information leaving the organisation but I decided to add in the risks of information not leaving the organisation.

This may sound counterproductive, but in these tough times your IT department should really be looking at using services such as GMail, your Marketing department should be looking at using Facebook, Twitter, blogs etc., and your HR department should be looking through LinkedIn for new staff.

If your Security Department is too tough on information leaving the organisation, then you are missing out on opportunities. Of course, if you are too lax, then information will make its way out, and that can't be good for the company either.

Information Classification is key. As is awareness.

My speech was very well received, achieving over 8/10 across the different areas, and I have been invited back to speak again.

I must admit that my speech was aimed at business decision makers and not technical people, and yet the people who showed up were mostly technical people. There are very few companies in South Africa (with my employer being a noted exception) that treat Information Security as a business issue and not (only) a technical issue.

I'm not really one to toot my own horn, but I wrote this blog entry to thank a number of people who made my speech possible.

Firstly, thank you to the two blogs that I feel are at the forefront of information-centric security: Securosis and Rational Survivability. I used some material from both sites and some that was sent to me by Richard Mogull from Securosis.

I used some speaking tips that I got from Presentation Zen so I didn't put everyone to sleep (even though my speech was at the danger time of 3:30pm, when everyone is tired and wants to go home), and I used some (free!) graphics from Stock Exchange.

When I was preparing for the speech, I revisited some of my old blog posts, which I think I need to repost as I have some more ideas about them.