There is no doubt that a lack of security awareness and focus in the corporate world is still far from where it should be.  From a business perspective, it is like insurance, how much do you need for the risks.  While TJX got caught without enough (as did many others), the risks resulted in fines.  Individual consumers didn't seem to mind all that much and continued to shop there.

Like most problems, there is never a single-sided solution.

Corporations do need to step up, and some have, and integrate security into their framework.

Schools need to incorporate security administration into their IT curriculum.  It is not enough to educate individuals on how to administer Active Directory, but how to do it securely.  Too many IT folks don't understand the basics of security risk to even think in this manner.

Data is only on valuable if it can be used for gain.  Criminals don't go after data just for the sake of knowing it.  It must have a use.  If we implemented more protections on how data can be used we could better prevent misuse.  Social Security Numbers and credit cards are too easily used by unauthorized individuals for malicious purposes.

In the case of credit cards, we would go a lot further in de-valuing the credit card number than spending billions to protect it.  Requiring a standard online payment framework that required a PIN be entered (and please not a 4-digit one) would go a long way.  If credit authorities also had lockout procedures after a specific number of events (sound familiar?) that would help to. 

As for home users, we need to provide operating systems that are more secure out of the box.  Changing settings to lessen that security should alert the user to the potential vulnerabilities.  All systems should come with a security resource DVD that provides video presentations on security awareness topics that affect home users.

You are right, there will always be people trying to break through the security of systems.  We do need to make it more difficult for them to do so.  As long as we're relying on technology, however, we will always be engaged in this endless battle.  I don't mind it so much since that is half the fun, not to mention job security.

J

 

 

Very nicely written sir.However your Response is very similar to the Bush Administration's response to Global Warming and cutting Emmissions-whatever we do,the Chinese and the Indians will anyways generate more emissions than us!!

I prefer a policy of proactive education in Schools where basic IT security skills can and should be taught.We have to start somewhere,and schools are as good a place as any to create awareness on Security Issues and the sanctity of Data.

Lets face it,websites like Internet Evolution and Computer/Network World do a good job,but these are not really the kind of websites which School going Kids are likely to frequent.

A good deal of Basic Security is not that hard to understand and todays Social Networking Generation is anyway very fast and extremely knowledgeable with Technology.I started something similar for my nephews(just a simple PDF sheet of One page  with Dos and Donts which they stuck on the wall next to their PCs) and the cool thing is since then they have less than half the trouble with Malware and Viruses than before.(Basically before I used to get a phonecall once a week,now its like less than once a month...)

 Will this solution work for everybody?Not really,thats where we need to adapt Security Policies of our respective Organizations according to their varying needs.

 Still,its great to hear that people have such strong and interesting views on this subject.

 

 

 

 

 

 

 

 

We don’t need the cavalry; I think to start, we just simply need some crowbars and some Vaseline. Let’s start w/ the 55 gallon drum. Yeah, that’s it (settle down now); these tools, along with some assistance, could help some of these pathetic people that are in power in corporate America (a.k.a. “the managers” Dunt dunt dunt dahhhhhh) in prying their heads from their @$$e$ (I like the dollar sign symbolism…don’t you?)! These are the poor (as in intelligence), greedy, pathetic souls suffering from “cranial rectivitis” (a.k.a. head up the @$$) who are skirting, skating and skipping around the mahogany & leather clad offices throughout Retard-O-mis-manage-America, making the executive decisions to NOT secure their I.T. infrastructures, especially GDF (<- vulgarity) wireless technology or EVEN make attempts at it (ahem…by spending some $!). It appears that some of these breaches are the result of weak or NON EXISTENT (oh wtf, we don't need to encrpyt credit card numbers as they fly through air - do we?) security measures: http://www.networkworld.com/community/node/30779 , excerpt below:

“The indictment doesn't go into details on how these retailers apparently almost invited these attacks: that's certainly the case with TJX, where WLAN security was almost non-existent. And apparently still is appallingly slack in the retail industry: early this year, wireless security vendor AirDefense reported on its own New York City war drive, which found that one third of the 800 stores scanned had no, zero, zip WLAN security, another third had only weak protection.”

Security is one thing, GOOD security is another; and being stupid, lazy, pathetic and greedy is quite the opposite.

Data security! Yeah.....right! Ever since the insurance companies decided that data had intrinsic value, crooks, scam artists, and their ilk have come out of the closet by the thousands. They have a feeling/thought that if they could acquire/amass/conquer or whatever through use of said data, then their otherwise pathetic life might be somehow enhanced or even better, they would become accepted, liked and maybe even acquire a significant other not to mention some fame and fortune. Faced with this type demeanor or child-like behavior/thought process, what chance does the non-IT savvy person have? None, I'd say. What about the IT savvy? About the same because we all know that any IT person is going to go all out to make sure he/she can't be hacked, phished, back-doored or anything else which leads to overkill along with a missed tweak here, an un-plugged port there, a missed IP, or whatever! You can stay on top of all the latest apps, firmware, threats, etc and still be no better off tomorrow than you were today before you went through all that trouble in the first place. During the beta testing for CompTIA's Security+, a disclaimer was placed very prominently at the first of the material stating that security measures are not an exact science due to the rapidly changing technological landscape and therefore should not be looked upon as rigid set of rules, but merely as guidelines or a starting point from which to build. The Certified Ethical Hacker certification is another example of a way around security measures because it teaches just that. How to! Since there are no legal requirements/restrictions for this certification, anyone can take the course which opens a whole other scenario. Once you have the basics you can create your own form of security chaos. We thought kiddie scripters were bad back in the day but these new players have found ways to swarm over us like so many maggots looking for dead flesh. What we might think of as worthless data, they will find it to be as gold. Data lives on in spite of our best efforts and as long as it's there, someone else will always want it and do whatever it takes to get it. Secure as best you can, remain calm, the cavalry is on it's way!!!!!!!

Terry:  Careful reading of the indictments of the TJX perps show that the media, card issuers and Federal Trade Commission over-reacted to the TJX incident. TJX was not as bad as we were led to believe. --Ben  http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html

Seinfeld: "NEWMAN !!#$%!"

I.T. Security guy: "WiFI !!#$%!" - http://www.internetevolution.com/messages.asp?piddl_msgthreadid=194743&piddl_msgid=161844#msg_161844

Yes, Mr. Roques, and the average user can be had for the price of a chocolate bar.

We have nothing to fear but fear itself, and an end-user with low blood sugar.

One of my favorite sites that tracks these exposures is Privacy Rights, who track these sorts of exposures:

http://www.privacyrights.org/ar/ChronDataBreaches.htm#2008

I have the link set to just start at 2008, but you can scroll back for years. I use this site to show CEOs/CIOs, managers, business owners and Joe American just how big this problem is. The big 33 million exposure incidents hit the news, but look at how many incidents there are in total!

When I give a security presentation I ask for a show of hands, "Who here has ever gotten 'The Letter'", as I hold up the letter I myself received as a result of the VA breach. I rarely am the only one holding up my hand.

Even the (Greek) Gods fight stupidity without success. 

After all the security, encryption, firewalls, antivirus, proxies, etc, etc... we can't leave out the human factor: "Laptop with data about 33,000 Clear card applicants lost at SFO."

As I had mentioned, people are the easiest tool to crack a "128-bit password"