Security's Everyman

Tuesday, August 19, 2008

I'm not an expert in all things security, but I am a thinker

My apologies to Glenn Beck for borrowing his line, but I think that it fits well. I'm not trying to toot my own horn; I'm just proud of the fact that I don't blindly follow the crowd. As you may know, I haven't posted anything in over 2 weeks, which is a first for me. Life continues to keep me busy, and the last week or so has seen some personal events that have taken up lots of my time. During this time I've done a good bit of thinking and watching.

I'm not going to go into many details except to say that we had to buy a new vehicle recently due to my wife being the victim of another driver who wasn't paying attention while driving. At least not paying attention to driving, who was on the road near him, etc. He may have been paying attention to something else but not these things. We also had to rent a car, talk to insurance adjusters and reps, make doctor visits, etc. All the fun things that go along with something such as this. While I was doing these things I took advantage of the opportunity to practice my Johnny Long "No Tech Hacking" techniques. I noticed lots and lots of opportunities to gain access to personal information of other people and even to gain access into the computer systems of some of these companies.

I was left in offices alone w/ a logged-on PC several times for various amounts of time. Several times there were also applications open that could spill their guts on other customers and clients. Many times I was left alone with documents loaded w/ PII right on the desk I was sitting at. I overheard lots of phone calls that involved names, addresses, credit scores, credit limits, etc.

Of course I was also asked to give sensitive information to many of these companies. Some needed it to fill out claim forms, reports, credit apps, etc. As usual, many of the auto dealers wanted a copy of my driver's license before allowing me to test drive a car. When asked what they do with the copy, I was told different things. Some said they were shredded, filed, thrown away and "I really don't know". Needless to say, the answer given had a lot to do with whether or not I took a test drive, and then I ensured that before I left the copy was truly destroyed.

In one office I was left alone w/ PII on the desk, several computers logged on w/ apps open, heard PII given out over the phone and then heard one girl tell the customer that the copy of the document was shredded to protect them. At least they have the right idea. They are just missing several pieces.

That's where the "I'm a thinker" part comes into play. What these companies need is to take a few minutes and think about what they are doing, why they are doing it and what they are not doing that needs to be done. The office above was taking a great step in shredding documents, but they obviously didn't have policies, processes and training in place to prevent lots of other errors. It's great that they shred a copy of a document that has my PII on it, but what good does it do if all of the info on the document is freely available to others who are left alone in the office? This is why we can't just do "best practices" and move on. You have to take a look at the bigger picture of what is happening in your environment and work from there.

As the CSO or top security professional in a company, it is difficult to know what all goes on out in user land unless you spend some time there. You need to talk to people who do the front line work and find out what they do that may need to be addressed. You need to either visit or at least have someone else visit different locations and departments to find out what is going on that the users would never be aware of. I'm talking about things such as giving out names, addresses and other information over the phone in front of other customers, or leaving documents on a desk instead of filing them or at least putting them in a lockable drawer until you can get to them later. I realize that this is not the type of thing that a busy security professional (especially if you are in the top spot) has time for, so this is where you can utilize your desktop support team and others who are in the field.

Another area that we need to pay attention to was made apparent recently by the legal department of the MBTA. In their efforts to stop a DefCon talk about how to hack the MBTA Charlie Card and other sloppy security issues, they released more info than would have been released by the talk. Not to mention that they brought lots more media attention to the fact than if they had just let the talk go on as scheduled. If they had bothered to consult with their security team they might have made better decisions in how to handle this.

As security professionals it's our job to protect the organization that we work for. We have to look out for their best interest even if it's in areas that we are not responsible for. What I mean by that is looking for things that aren't right and making them known to those who are responsible, doing our part to let others know that security is here to be an enabler and not to hinder business. Letting them know that we can add value to all areas of the business if they will solicit our input (such as legal, HR, etc.). Often these departments don't even think about how security can add value to what they do. Many times we think differently about problems because most of us think about how to make things do what they aren't supposed to do (or at least we are aware that the bad guys are doing this) and we see things from a point of view that the business units and even regular IT don't.

This work is licensed under a Creative Commons Attribution-NC-SA 3.0.