Thursday, December 23, 2010

Can a service provider take you down?

And I don't mean just your ISP but all the providers of services to you.


Just a couple of weeks ago, Walgreens and McDonald's both revealed that data breaches at partner marketing firms had exposed customer information. I got one of those letters in the mail myself last Friday.


All signs point to "spear phishing" attacks against email marketing firms that have been going on for a few months. This brings up a new situation that CSOs are unlikely to have foreseen.


Third-party email marketing firms are usually chosen and contracted by the Marketing Department. I doubt IT and Security Officers would be involved in the selection process. But when a data breach such as this occurs, the CSO is now charged with the cleanup.


The medical industry has a process whereby service providers have to undergo security and compliance training. While there is no certification process for these third-party providers, they do need to conform to certain standards.


Can a corporation hold its suppliers to these security standards? Does your agreement hold any clauses regarding information leakage? This needs to go beyond just NDAs. You should take this into account at your next security procedure review.
 

Thursday, December 9, 2010

Wake up call from Wikileaks

The damage that Wikileaks caused is far more than just the leakage of classified information that governments all over the world do not want us to know. It also contains embarrassing information and behind-the-scenes dealings that would have been best kept under wraps.


Stopping Wikileaks is even worse. It mobilized the underestimated group of social activists who are looking for a cause to raise havoc with establishments. Who would have thought that these people would be willing to infect themselves with malware so that Denial of Service attacks can be launched from their own computers? That really is no different from a suicide bomber willing to destroy their own life or equipment to cause damage to others. The only difference is that equipment is cheap and can be replaced, while human life is not.


At this time, it is still too early to find out who these attackers are. Are they truly acting "for the cause" or are they just causing trouble for trouble's sake? I guess there are some of both.

As a private sector organization, should we be concerned with this?


I believe so. There are always others who do not agree with us. Whether they are willing to take these drastic actions is a matter of the level of animosity against us. But Wikileaks sympathizers have shown how easy it is to launch cyber attacks against a target. And there are plenty of willing participants with their own sense of self-righteousness.


Large organizations like Visa and Mastercard have adequate resources to partially stop these attacks, but how would a smaller organization respond if this happened to it?


Wikileaks has shown us two things: external cyber attacks live on at a fast and furious pace, but the long-overlooked internal data leakage prevention is what caused this outbreak in the first place.


It is time we looked within our organizations and revisited the importance of tightening information access. Every employee within the organization should also be aware of how damaging certain information can be.


I'll follow up in my next blog post with an actual incident that happened to a small organization I know and the damage it caused.