Security's Everyman

Tuesday, June 12, 2007

Info Security goes beyond the data

I've written before about how careful you need to be about what you say in public places. You may be overheard discussing company secrets, or just "gossip" that doesn't need to be out in the open. The same is true for using your laptop in public. People are curious and will often look to see what you are doing. I was riding home on the bus last week when I noticed the guy in front of me typing an email containing information that I'm sure he didn't want the world to know. Yet there it was on his laptop screen for anyone behind him to read.

We also have to be careful not to disclose too much information when talking to reporters. Just ask Terrell Karlsten. She is a spokesperson for Yahoo, and she gave out a little too much information in an interview with InformationWeek. A hacker named Danny read the article and promptly used the details to find the flaw and write an exploit for it. Now, before you come down too hard on Ms. Karlsten, you need to consider what she had been told. Was she properly briefed on what to say and what not to say? Was there even a reason for her to know enough to be dangerous? Maybe she only needed to know that there was a vulnerability involving a buffer overflow. Maybe she only needed to know that there was a vulnerability. Did she have any real idea of the implications of her statement? I doubt it. That is one more reason for a good security awareness program: the people who speak for the company need to know which details help an attacker, not just which details are embarrassing.

Good security covers all areas, not just the data, whether that data is at rest, in transit, or in use. It looks at the whole infrastructure and the company culture, including what employees say and show in public and what spokespeople tell the press. It finds ways to work with everyone for the good of the company.

At least Yahoo was quick with a fix, so hopefully the damage was contained. It makes me glad that I use Pidgin instead of Yahoo Messenger. :)

1 comment:

Anonymous said...

Did it affect the stock ticker materially? Did we all suddenly lose confidence in Yahoo as a company? Were we all impressed by how quickly they handled the issue? I'd argue that the "failure" perceived by the security and hacker community was a net positive for the company. Personally, I'm even more confident in Yahoo's ability to address security vulnerabilities and manage risk on my behalf as a consumer of their services.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.