“WEAK PASSWORDS WERE THE REASON FOR 50 PER CENT OF DATA BREACHES. BETTER NOT TO HAVE A PASSWORD THAT CAN BE STOLEN IN THE FIRST PLACE.”
a partner at National Public Relations who specializes in media crisis management. It means reacting quickly and driving the media coverage rather than reacting defensively to allegations as they break. He says most people are “fairly understanding” about mistakes as long as there isn’t wanton negligence. Dealing with it isn’t “rocket science” from a PR point of view, says Bornstein, but there are always clients who resist advice because the first instinct is to go into lockdown. But being transparent doesn’t necessarily require a media release. Bornstein says, “You can contact those involved directly by mail or send e-mail or even auto-dialer phone messages. And advise those affected to simply watch their accounts for unusual activity.”
The prudent move, he adds, is planning for a breach and having a contingency fund. “Offering credit watch, for example, [costs] something like $10 a month but when you have 20,000 names, it adds up.” For Bornstein, the most important aspect of dealing with a data breach is the internal communications, and what protocol is in place to escalate the notice to the CEO’s office immediately so that top-down authority makes resolving the issue — or at least deploying resources according to plan — an organization-wide priority.
Still, the best way to deal with a breach is not to have one, says Dr. Cedric Jeannot, founder of iThink Security, a Waterloo-based provider of encryption technologies to small and medium businesses. For him, that means getting serious about security.
“For a company like Research in Motion, for example, security is their business and they take it seriously,” he says. “Not everyone does.”
Of course, any system can be bulletproof — it just won’t be easily accessible to authorized users. But as the cloud becomes mainstream, creating more secure systems and educating users will mean calling in the specialists, outsourcing data management, or at least, contracting with a security system provider, like iThink or ActivIdentity.
The latter supplies more than 2,500 enterprise, online banking and government organizations with authentication and credential management solutions. The Silicon Valley-based company has 23 million users globally, among them more than 100 military and government agencies where security is always “Job 1.” Chris Harget, senior product marketing manager at ActivIdentity, believes the RSA hack, which purloined the secret sauce behind the constantly changing security code and in turn led to the disruption at Lockheed Martin, was embarrassing because security is their brand.
The mistake, says Harget, was not enough safeguards to detect or stop snooping once the hackers got in the front door. Once inside the system, it’s a matter of determination to find the user directory and escalate access privileges. This type of “advanced and persistent threat” is what’s faced by every corporation today, he says, and not just from organized crime, noting China, for example, is known to be actively snooping around to access trade secrets to boost its own industry.
When all is said and done, the scary part is that data breaches are not only caused by wily hackers, but also disgruntled employees, staff not taking corporate security policy seriously or people who are just unaware of their actions (or lack thereof). “Weak passwords were the reason for 50 per cent of data breaches,” Harget says. “Better not to have a password that can be stolen in the first place.”
Ian Harvey is a freelance writer in Toronto, Ont.
June 25: LulzSec announces its retirement, saying it’s been a great ride for 50 days.
July 12: Anonymous hits U.S. government contractor Booz Allen Hamilton and releases log-in details of military and Homeland Security personnel.
July 15: The CIA’s website is taken down by LulzSec.
July 20: The FBI arrests 16 people in connection with a Denial of Service attack against PayPal.
July 21: Affiliate group Anonymous announces it hacked NASA servers and accessed confidential NATO data, but said it would not publish it.
Aug. 6: Anonymous hacks law enforcement agencies in the U.S., South America and Syria. They upload files from more than 300 e-mail boxes from dozens of law enforcement domains with personal details.
Aug. 8: Boasting the monikers, “Hacktivists,” fragments of LulzSec and Anonymous score 10Gb of data from marketing firm Brooks-Jeffrey Marketing, which hosts and manages websites for 76 law enforcement agencies in 11 states; uses credit card information to make “donations to organizations like American Civil Liberties Union, the Electronic Freedom Foundation and the Bradley Manning Support Network, which is assisting the U.S. Corporal accused of giving information to Wikileaks.”
Aug. 9: Research in Motion’s Blackberry blog is hacked with a warning against cooperating with British police combating unprecedented street riots being coordinated by thugs using BlackBerry Messenger.
Aug. 11: Anonymous Tweets denials they are planning to attack Facebook on Nov. 5.
24 SECURITY MATTERS • FALL 2011