
January 2007 Archives

January 4, 2007

The Elephant In the Room

The ability of most people to ignore the elephant in the room knows no bounds. Today’s security elephant has got to be the laptop.

When I ask most executives about laptop use in their companies, they are usually very quick to assure me that they are few and contain no sensitive information. Their employees seldom agree.

I am not sure where this reluctance comes from. Perhaps it is the fear of truly finding out that they don’t control the information in their operations or maybe they believe that securing these pesky little machines is not really possible. Whatever it is, they would rather risk seeing their companies listed on the wall of shame than confront the issue.

In the weeks to come, we will continue to read news about companies who would rather leave it to chance.

The Dismal State of Home Security

My garage door opened by itself a few weeks ago. An air show was in progress at the time and I concluded that signals from a military aircraft had overwhelmed the receiver. Still this was not a good sign.

Up to this point, I had never given much thought to the garage door situation. A quick check revealed that cloning a door code is simplicity itself. If that wasn’t bad enough, it is possible to open many doors by inserting a tool at the top center and snagging and pulling the emergency door release cord.

Units equipped with a rolling frequency system are available and will prevent cloning. Removing the pull cord from the emergency release will solve the second problem.

A week later it happened again and I discovered that it had been caused, both times, by my wife rummaging in a kitchen drawer which contained another remote.

I am relieved that I don’t have the problem I suspected but looking at the issue reminded me of the dismal lack of effective security in most homes.

January 6, 2007

Because It Works

A recent article in the Washington Post predicts that computer crime will rise in 07. This comes as no surprise to most of us. While we can pursue our part of the endless arms race by designing better systems, and vigorously improving the ones we have, we need to remember that this activity is increasing BECAUSE IT WORKS! The crooks get money.

Our only real defense is education. We need to spread the word not only within our businesses but to our friends, families and neighbors. This activity will only stop when it doesn’t pay.

It’s Time To End Third Party Billing

Inaccurate third party billing, passed on by telephone carriers, is called cramming. Most of us are familiar with schemes involving 900 numbers, unordered services and similar issues.

Recently, my company was crammed by an internet advertiser. This was my second experience with these folks.

While resolving the problem, I discovered that others had reported similar experiences.

I called my phone company to alert them to the problem. I expected a concerned response. After being sent to several different departments, I was told that I could make a complaint to the Federal Trade Commission.

Resolving these problems takes a great deal of time and effort. Long waits for customer service and trips to the Post Office to send certified letters are par for the course. It is often less expensive to pay the bill.

If utilities are not able to directly resolve complaints involving the charges on the bills they send, we need legislation to end, or at the very least, impose strict controls, on the practice of third party billing.

January 28, 2007

A Partial Plan is Better Than None

A Harris Interactive poll shows that 61% of business executives are worried about compromise of corporate information systems. That shouldn’t be too surprising considering that without these systems, most companies are effectively shut down.

In spite of this, when limited budgets force choices between protecting confidentiality of information and business continuity efforts, confidentiality usually wins. This isn’t surprising when you consider that information breaches are more likely to bring intense public and regulatory pressure to bear.

What is unfortunate is that many companies look at business continuity as an all or nothing effort. Faced with a shortage of resources, plans are deferred.

Inexpensive stopgap plans, which provide for the most damaging aspects of the most likely risks are a better idea. Not only can they provide some protection, but they can also serve to focus continuing attention on the issues.

January 30, 2007

It’s 10 O'Clock - Do You Know Where Your Information Is?

If a bag of flour were exploded in your kitchen, covering every surface with fine white powder, could you walk out of the room without carrying any trace of the flour with you? It is virtually impossible. We face the same problem designing information security systems.

Information by itself is usually static, but add people and it explodes onto networks, laptops, USB drives, PDAs and even (heaven forbid) paper. You can’t secure it until you figure out where it actually is.

This is probably the largest challenge in Information Security.

About January 2007

This page contains all entries posted to Ianuzzi's Security Perspective in January 2007. They are listed from oldest to newest.
