20 Jul 2009

If you only read one article on Information Security...

[... this is it]

Actually, this is a bit unfair because after reading this one article, you'll be compelled to read more.

Richard Bejtlich's article sums this up nicely. He links to another blog post by Verizon Business.

I have some issues with Verizon Business's annual report, but it is probably the most important document on Information Security to be published.

My one criticism of the Verizon Business Breach Report is that it shows credit card data to be more at risk than anything else. I was never sure if this is because it is easier to abuse than other data (such as Intellectual Property) or just easier to detect when it is abused. According to the article, it is the latter. IP is leaving our companies; we just don't know it.

When a batch of credit card details is stolen, the banks track which of those cards are subsequently abused. They are good at this, and they gradually work out where all the abused cards were used together. So if five cards were all used at one specific shop and then all end up being abused, that points to the shop having suffered a breach. In the case of IP there is no bank tracking the abuse, so you have to track it yourself... and companies are really bad at that.
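To make the bank-side correlation concrete, here is a small "common point of purchase" analysis as an added example. It is not code from the article, the Verizon report or any bank; the transaction records, card tokens and merchant names are constructed for illustration, and the ranking heuristic (rank merchants by the share of their cards that were later reported as fraudulent, after a minimum-count filter) is my own simplification of what issuers do. It also goes slightly beyond the paragraph by showing why a large retailer that every card visits scores lower than the small shop that was actually breached.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Transaction:
    card: str        # tokenised card identifier (constructed, not a real PAN)
    merchant: str
    when: date


@dataclass(frozen=True)
class Suspect:
    merchant: str
    hits: int        # cards seen here that were later reported as fraud
    total: int       # all distinct cards seen here
    ratio: float     # hits / total
    first_seen: date # earliest visit by a fraud card: rough start of the exposure window


def _t(card: str, merchant: str, y: int, m: int, d: int) -> Transaction:
    return Transaction(card, merchant, date(y, m, d))


# Constructed sample data. Five cards later reported as fraudulent all shopped
# at "Corner Shop" in early June; one clean card (C6) shopped there too.
TRANSACTIONS: List[Transaction] = [
    _t("C1", "Corner Shop", 2009, 6, 2),
    _t("C2", "Corner Shop", 2009, 6, 3),
    _t("C3", "Corner Shop", 2009, 6, 5),
    _t("C4", "Corner Shop", 2009, 6, 9),
    _t("C5", "Corner Shop", 2009, 6, 11),
    _t("C6", "Corner Shop", 2009, 6, 12),
    # A large retailer that nearly every card uses, fraud cards included.
    *[_t(f"C{i}", "MegaMart", 2009, 6, 1 + i) for i in range(1, 11)],
    # A merchant with only one fraud card: too little signal to call.
    _t("C2", "Petrol Station", 2009, 6, 4),
    _t("C7", "Petrol Station", 2009, 6, 6),
]

# Cards the issuer has since seen abused (constructed).
FRAUD_CARDS: Set[str] = {"C1", "C2", "C3", "C4", "C5"}


def common_point_of_purchase(transactions: Iterable[Transaction],
                             fraud_cards: Set[str],
                             min_cards: int = 3) -> List[Suspect]:
    """Rank merchants by how concentrated the fraud cards are among their customers.

    A merchant is only reported once at least `min_cards` fraud cards have
    been seen there, so a single coincidence does not produce an alert.
    """
    cards_by_merchant = defaultdict(set)
    first_fraud_visit = {}
    for t in transactions:
        cards_by_merchant[t.merchant].add(t.card)
        if t.card in fraud_cards:
            prev = first_fraud_visit.get(t.merchant)
            if prev is None or t.when < prev:
                first_fraud_visit[t.merchant] = t.when

    suspects = []
    for merchant, cards in cards_by_merchant.items():
        hits = len(cards & fraud_cards)
        if hits < min_cards:
            continue
        suspects.append(Suspect(
            merchant=merchant,
            hits=hits,
            total=len(cards),
            ratio=hits / len(cards),
            first_seen=first_fraud_visit[merchant],
        ))
    # Highest fraud concentration first; break ties on absolute count.
    suspects.sort(key=lambda s: (-s.ratio, -s.hits))
    return suspects


if __name__ == "__main__":
    for s in common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS):
        print(f"{s.merchant:15s} {s.hits}/{s.total} fraud cards "
              f"({s.ratio:.0%}), first fraud-card visit {s.first_seen}")
```

On the constructed data the Corner Shop comes out on top (five of its six cards went bad) while MegaMart, which all ten cards visited, scores only 50% and the Petrol Station is filtered out. The point the article makes is that this whole pipeline exists because a third party (the issuer) sees the abuse; for stolen IP there is no equivalent stream of "this card was just used fraudulently" events to correlate, so nobody builds the table.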

The other point which I found quite amazing is how rarely a lost PC is actually used for fraud. Endpoint encryption is cheap and easy to apply, so it should still be done, but most information is lost not through assets going missing but through network attacks.