I was looking at my old posts and found this prediction from 2009 for 2009:
http://securethink.blogspot.com.au/2009/01/prediction-number-1-for-2009.html
I essentially predicted that the market for cards would drop off and that "hackers" would start looking at stealing other information. Remember that, in most cases, they have access to the entire network. All the juicy intellectual property is theirs for the taking. They could, as happened with Sony Pictures, steal stuff like unflighted movies and human resources data. They just don't.
It is like a thief who breaks into a house and ignores all of the expensive electronic equipment and collectibles and steals only the cash because cash is already useful and the other stuff is too much trouble. Now, imagine if the cash is not lying about but is locked up in a vault. Maybe the thief will reconsider the other stuff. Once he has to put some work into the job, he may as well make it worth his while.
The reason I was right in my prediction but had my timelines all wrong is that I overestimated the ability of companies to secure their monetary assets (mainly credit card information). It has taken until now to get to the point where the money is, if not in a vault, at least not stuffed in a mattress.
The many high profile attacks last year where credit card information was stolen are, IMHO, the dead cat bounce of this kind of attack. The thieves are getting their last good hacks in before security is tightened up. The Sony attack is the start of the next wave, where intellectual property is stolen instead.
It would be almost impossible to track down a buyer, but holding information to ransom is already becoming a viable business with the "cryptolocker" type of attack. Cryptolocker is more a scorched earth type of attack - it encrypts everything and holds it all to ransom. More specialised attacks may target certain types of high value information assets. They may, as in the case of Sony, decide to release these assets onto public networks, where it is impossible to "put the toothpaste back in the tube".
2015 and beyond will be interesting.
[The South African State IT Agency awarded former provincial top cop Mzwandile Petros's company a R10m deal to recover three stolen laptops. Even at this price, they may not get them back. Intact. With all the data. I have a better plan.]
Now, friends hiring friends aside, they must have come to that figure somehow. It is assumed, especially now that this has hit the press, that the management of SITA must value the information on the three laptops at more than R10 million. Let us say R12 million. The hardware costs do not even come into it; they are so small as to be insignificant. So each laptop has about R3 million worth of information. (More likely is that they all had the full information set on them.)
So either the information is so secret that they don't want it to leak, or so irreplaceable that it would take R10 million worth of work to get the information back. Or better - R10 million to try and get the information back.
So, how could SITA have done this better and cheaper? They could have gone to Incredible Connection. They would have found multiple software packages. One I chose at random (and have no idea how good it is, nor have any affiliation) is Norton 360. It retails for R350. It is SOHO software and not enterprise software, but it should still do the job. They would have to buy three copies, and I'm not sure if the I.C. staff would maybe give them a bulk discount. So, call it R1000. Plus R1000 for someone to install it. Let's bump that up to R40k for someone to install it (this being the government and used to paying big money for things to happen).
According to the website - "Automatic backup takes care of your photos, music, and other important files and backs them up to a disc, USB device, or online to one of our secure data centers. Protects files you back up online with government-grade encryption."
Oh, we need a USB or a disk. Let's assume that R10 million of data is a lot of information, maybe more than 16GB, but if it is on a laptop then probably less than 2GB. So, a Western Digital 2TB portable hard drive to back up stuff onto with Symantec's "Government grade encryption". Another R2200 times 3 is R6000. I am assuming that the place where they keep these R3 million laptops has some type of secure storage; otherwise Makro has a safe for R1500. Plus, say, R40000 for someone to install the safe.
So, if the laptops go, there is still a backup in a safe. Even if they forgot to back up that day or the day before... no organisation comes up with R10 million worth of information in one day. If they could do that, then the next day they would just come up with it again and laugh about the lost laptops. So, first issue sorted.
I assume that the laptops are running Windows 7, so that full disk encryption is built in and just needs to be turned on. Alternatively, scrap the Symantec and use Kaspersky, which has all the backup software and also full disk encryption, both government grade and pretty impenetrable.
So, anyone who gets hold of the laptops will have to format them, because they are not getting the information out. Second issue gone.
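What "turn it on and keep a backup in the safe" looks like in practice, as an added example (not code from the original post or from any of the products it mentions): a PowerShell script for a Windows 7 laptop that turns on the built-in BitLocker full disk encryption, encrypts the external backup drive, mirrors the data folders onto it and reports the protection status. Two caveats a practitioner would want: on Windows 7, BitLocker ships only with the Ultimate and Enterprise editions, and there is no Enable-BitLocker cmdlet, so the script drives the built-in manage-bde.exe tool. The drive letters, the data folder list and the log path are assumptions; the machine is assumed to have a TPM (or Group Policy that allows a startup key without one), and the recovery password the tool prints is meant to go into the safe alongside the backup drive.

```powershell
# Added example (not from the original post). Assumed (hypothetical) values:
#   C:  the laptop's system volume
#   E:  the external USB backup drive that lives in the safe
#   $DataFolders  placeholder list of folders holding the valuable data
# Windows 7 Ultimate/Enterprise only; run from an elevated PowerShell prompt.

$SystemVolume = 'C:'
$BackupVolume = 'E:'
$DataFolders  = @("$env:USERPROFILE\Documents")      # placeholder; list the real data folders here
$LogFile      = "$env:ProgramData\laptop-backup.log"  # assumed log location

function Get-BitLockerState {
    param([string]$Volume)
    # manage-bde -status prints "Conversion Status:" and "Protection Status:" lines
    $out = & manage-bde.exe -status $Volume 2>&1 | Out-String
    $protection = if ($out -match 'Protection Status:\s+(.+)') { $Matches[1].Trim() } else { 'Unknown' }
    $conversion = if ($out -match 'Conversion Status:\s+(.+)') { $Matches[1].Trim() } else { 'Unknown' }
    [pscustomobject]@{ Volume = $Volume; Protection = $protection; Conversion = $conversion }
}

function Enable-SystemVolumeEncryption {
    param([string]$Volume)
    $state = Get-BitLockerState -Volume $Volume
    if ($state.Protection -like 'Protection On*') {
        Write-Host "$Volume is already protected by BitLocker."
        return
    }
    # Adds a numerical recovery password (printed to the console: record it and lock
    # it in the safe), then starts encryption. -SkipHardwareTest avoids the reboot test.
    & manage-bde.exe -on $Volume -RecoveryPassword -SkipHardwareTest
    & manage-bde.exe -protectors -get $Volume
}

function Enable-BackupDriveEncryption {
    param([string]$Volume)
    $state = Get-BitLockerState -Volume $Volume
    if ($state.Protection -like 'Protection On*') { return }
    # Data drive: unlocked with a password (prompted interactively) plus a recovery password.
    & manage-bde.exe -on $Volume -Password -RecoveryPassword
}

function Backup-DataFolders {
    param([string[]]$Folders, [string]$Destination, [string]$Log)
    if (-not (Test-Path $Destination)) {
        throw "Backup drive $Destination is not attached; fetch it from the safe first."
    }
    foreach ($folder in $Folders) {
        $target = Join-Path $Destination (Split-Path $folder -Leaf)
        # /MIR mirrors the tree; /R and /W stop a locked file from stalling the whole job.
        & robocopy.exe $folder $target /MIR /R:2 /W:5 /NP /LOG+:$Log | Out-Null
        # robocopy exit codes below 8 mean success (files copied, extras removed, or nothing to do)
        if ($LASTEXITCODE -ge 8) {
            Write-Warning "robocopy reported errors for $folder (exit $LASTEXITCODE); see $Log"
        }
    }
}

Enable-SystemVolumeEncryption -Volume $SystemVolume
Enable-BackupDriveEncryption  -Volume $BackupVolume
Backup-DataFolders -Folders $DataFolders -Destination $BackupVolume -Log $LogFile
Get-BitLockerState -Volume $SystemVolume | Format-List
Get-BitLockerState -Volume $BackupVolume | Format-List
```

The status check at the end is the part worth keeping as a scheduled job: "Protection Status: Protection On" on both volumes is the evidence that the laptop and the drive in the safe are actually encrypted, rather than merely bought.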
Let's work out the cost -
Software - R1500
Hardware - R6000
Safe - R1500
Installation - R80000 (but R4000 would probably be more realistic)
So, round it up to about R100000 (this is government!), but it could be done for under R20000.
The advantage of my solution is that it is guaranteed! You will have your information and no one else will. The R10 million solution has no guarantee at all.
So, SITA, give me R10 million minus R100000 and we'll call it quits. Heck, give me R5 million.
The sad thing is that SITA is an IT organisation. They should know this. They should actually be preaching the above. They should be guiding the rest of the government on how to manage information. The word "information" is in their title. Of course, so is the word "State", and that is why they would rather spend R10 million on hopefully retrieving 3 lost laptops rather than R20000 protecting the information on them in the first place.
[TL/DR version: Is it ethical to "connect" with an interviewer on LinkedIn during the hiring process?]
As a professional and a contractor, my name is my most important asset. Therefore, ethics are everything to me. This is especially important because I am an Information Security professional and usually have access to information that is confidential. I need to be trusted.
When I first started with LinkedIn, even if I knew all of the interviewers for a job application, I wouldn't look at their profiles. I could - but I wouldn't.
Eventually, after reflection, I did look at their profiles but wouldn't refer to anything in them lest they think I was spying on them.
More recently, it has become so normal to "research" the interviewers to the point that if you don't look them up in LinkedIn then you are seen to be uninterested. Some employment agencies actually supply the LinkedIn profiles or URLs as part of the job specification.
My question is simple - is it encouraged/discouraged/ethical/unethical to send a LinkedIn connection request to an interviewer? When is it good to do it? Is it an unfair advantage? If you land the job, could it be seen as cronyism? Or is LinkedIn professional enough that your contacts are not necessarily your friends?
If the interviewer accepts, what is the protocol? Can you talk directly to them while they are deciding on the position? Should you take that opportunity to talk to them, maybe making yourself more human and more of a person than a "candidate"?
Many articles on "how to land that perfect job" (on LinkedIn, it is usually "X things you are doing wrong in job interviews and how to fix them") usually promote the idea of a "follow up" which cements you in the interviewer's mind and makes you their preferred candidate. Can you use LinkedIn to do the same?
One other thing is that some of the people I have met while looking for work have been the most interesting and insightful people and are certainly the type that I want to add to my list of contacts. I usually wait until I hear how the decision went and then send a request.
Am I being over cautious?
Am I shooting myself in the foot while all the other candidates are jumping in as fast as possible to make a good impression and I seem uninterested?
Or, am I doing the right, ethical thing?