This article was brought to my attention today:
Is Twitter the newest data security threat?
One of the most dangerous threats to data security is also one of the least talked about: employees. Are Twitter and other microblogging sites yet another avenue through which sensitive data can leak out of the corporate database and into the hands of ... anyone? Perhaps more worrisome, what information are you giving away simply by being a part of the community?
Of course Twitter is a potential threat. Like personal e-mail accounts and instant messaging, Twitter and sites of its ilk are primarily messaging mechanisms, which translates into personal channels for exporting sensitive data outside the enterprise. If you aren't familiar with Twitter, its messaging mechanisms allow several "modes" of communication: a blast to the general twitterverse, a public reply to a specific Twitter user, and a direct (private) message to another Twitter user. The direct messages aren't displayed in your public timeline; only the intended recipient can see them, so they're perfect for sneaking out tidbits like customer information or competitive information like upcoming product features/launches.
And there is a thorough and long article about IT security from CIO magazine: "Why Technology Isn't the Answer to Better Security".
It's long. But important.
Both prompt me to re-read "The Art of Deception" by Mitnick. I read it in 2001-2002 when Mitnick was first released from that harebrained parole condition of not touching a computer (I'll spare you the personal rant). Social engineering is a study of human behavior that deserves serious attention, yet most folks don't know what it is.
I enjoyed the book and learned more than expected. I've even used social engineering tactics to get needed information, or to get out of a tight spot, on many occasions. Getting around a gatekeeper and the corporate policies that cause red tape is surprisingly easy sometimes. I've kept this to myself until now: sales reps can benefit from reading this book or studying social engineering to reach the person, project or information they need to accomplish their job.
Employees not only need to be educated and sworn to abide by company policies and procedures regarding confidentiality, use of e-mail, etc.; they also need to be shown how to use common sense. That means examples of how security is breached by seemingly harmless activities, or by the desire to be helpful: disclosing small pieces of information that alone would cause no harm, but that, when carefully sewn together and used by masters of social engineering, lead to the huge security breaches mentioned in the CIO magazine article.
- It was entertaining to hear how the hackers got to information.
- It was scary to realize how easy it is.
- I agree that more technology dollars thrown at technology to protect data is NOT the answer.
- Education can be a part of a solution.
Just my opinions, no clear answers. Let me know if you have ideas.
