What Have You Changed Your Mind About? Why?

by Nitesh Dhanjani

I think it is extremely important for an organization to account for the reality of doing business (a risk-based approach, as opposed to the purist mentality of securing everything) when strategizing an information security plan. It is true that an individual who has a habit of perceiving security issues as purely a technology problem, without understanding the business reality, is likely to make bad security decisions.

However, I think some people in corporate security take this argument too far and end up awarding critical roles to individuals who do not have the appropriate skill-set and mind-set. More often than not, this happens when organizations responsible for information security misunderstand the argument to mean that you only need to probe for an understanding of business fundamentals and process management when recruiting for talent. Depending upon the criticality of the role awarded, this can spell disaster.

3 Comments

dre
2008-01-22 03:15:41
All security problems are trust problems. All trust problems are people problems. Therefore, all security problems are people problems.


I'm not saying that I'm perfect in my approaches, but since I'm educated about these issues, let me give my perspective.


1) You can usually pay with money order, cash, or check instead of a credit card or PayPal
2) Virtual Visas (not all of which are good for consumers) can provide protection after their one- or two-month usage period has expired
3) Social security numbers aren't always necessary. Nobody is forcing anyone to put their SSN in a form field online


In the case of #3, the only time I write down my social security number is on a tax identification form. I don't even use my social security card for employment verification, as my passport contains much less detail than even a driver's license. I never give out my SSN over the phone or allow it to be formed as data for any reason. SSNs should only be used for tax/recipient identification and for those in the US military.


While I realize that my tax id forms and taxes are often faxed or mailed and probably placed in a database somewhere, this is almost completely unavoidable. At least the surface area of attack is limited to only this.


Limiting the exposure of other PII may also be possible by simply refusing to provide it. If I were to use a credit card online, I would try to utilize other safety measures. For example, using my full middle name or its initial (printed on the card), but never using it elsewhere. Using an address on my credit card that I don't use elsewhere, e.g. 101 EAST MADISON STREET instead of 101 E. Madison St. Tying the credit card to a specific phone number that forwards to my other number(s), but is also not used elsewhere. Making sure my credit card has CVC2/CVV2/CID support. And finally, using a Virtual Visa, probably from a well-known provider such as Citi Cards / CitiFinancial / CitiBank.


I don't understand why a formal process for signing up for a credit card doesn't force the above to happen. It's not costly to implement compared to the fraud. A new version of PCI DSS could force merchants, processors, and providers to only accept Virtual Visa with signup practices that include the above.


As for social security numbers, there is a huge marketing incentive for companies to keep using them. The only way to prevent this is by government regulation and enforcement. Somehow, the government was able to regulate and enforce the misuse of SSNs in apartment rental forms. This just needs to be applied universally. In most cases, it is better to send SSNs over e-government portals than by using snail mail or fax. However, these portals should be verified for maximum software assurance practices by multiple, independent third-party security reviews. Continued regulation/enforcement of SSN alternatives such as PTINs and EINs is also very important for non-government entities that are involved in the tax identification process.


Anyone else requiring/using SSNs should just stop; we need strict regulation/enforcement of this by our government. For example, there won't be an id-theft problem with SSNs opening new lines of credit or bank accounts if providers/banks don't use SSNs to open new accounts.

Shoaib Yousuf
2008-01-30 16:29:56
Nitesh,


Excellent article. I totally agree with you, and I think we will continue to face this problem not only for the next couple of years but in fact for the next 5-7 years.


As you said:


"We will know we’ve accomplished this when we will be able to publish our credit reports publicly without compromising our identities."


This will only happen if we start solving the problem from its root.


Cheers


Shoaib

Morgan Storey
2008-07-15 19:54:30
Excellent article, and very true.
It takes a certain kind of person to work in security, one who is constantly questioning. I used to be known at my previous job as a bit of a know-it-all, yet whenever someone fixed something in a way I hadn't thought of I asked to be shown how. I don't think a day goes by when I don't change my mind or have it changed for me on something, whether it be IT related or simply personal belief.
IT security is an ever changing field, and that is part of what attracts me.
On to your other topic, PII: fortunately in Australia at the moment we don't have an SSN; about the closest thing would be either a Medicare number (public health system) or Tax File Number (TFN). My employer doesn't have my Medicare number, but they have to have my TFN. Really, though, if anyone knew it the worst they could do would be to get a job as me and pay tax on that job... they would be found out when I do my tax return, and then no harm done.
That being said, I am not going to post them online, nor would I tell them to just anyone.
I think we need to start getting smart cards with little LCDs that spit out a hash of our PII (like SSN and TFN) salted with the time and date; then we put this hash and the time and date on the form (something like RSA tokens). Then no-one ever knows your number, just a single-use hash.
If that hash is ever used again it is blocked, problem solved... till someone makes a rainbow table or reverse engineers the algorithm.
Yeah, maybe separate numbers are the winner.
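The single-use token scheme sketched in the comment above, modelled in Python as an added example; this is not code from the original post or from any commenter. It is built the way a defender would build it: a keyed HMAC over the number and the timestamp instead of a bare hash, so a token copied off a form gives an attacker nothing to look up in a rainbow table (a rainbow table needs an unkeyed hash of a guessable input), plus an issuer-side check that rejects stale timestamps and any token presented twice. The class and function names, the acceptance window, the card secret and the sample number are all constructed for this example.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Set, Tuple

TOKEN_WINDOW_SECONDS = 300  # assumption: a token is accepted for 5 minutes
TOKEN_HEX_LEN = 16          # assumption: keep 64 bits of the HMAC output


def _mac(secret: bytes, id_number: str, ts: int) -> str:
    # Keyed hash over the PII and the timestamp. Because the per-card secret
    # is the key, an observed token cannot be precomputed or brute-forced
    # back to the number the way a plain salted hash could be.
    msg = f"{id_number}|{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:TOKEN_HEX_LEN]


class TokenCard:
    """The 'smart card with a little LCD': holds the number and a per-card
    secret, and displays a token for the current time (hypothetical class)."""

    def __init__(self, card_id: str, id_number: str, secret: bytes):
        self.card_id = card_id
        self._id_number = id_number
        self._secret = secret

    def display(self, now: Optional[int] = None) -> Tuple[str, str, int]:
        ts = int(time.time()) if now is None else now
        # What the holder copies onto the form: card id, token, timestamp.
        return self.card_id, _mac(self._secret, self._id_number, ts), ts


class IssuerVerifier:
    """The issuer's checking service (hypothetical). The organisation that
    received the form never learns the number; it forwards the triple here."""

    def __init__(self) -> None:
        self._cards: Dict[str, Tuple[str, bytes]] = {}  # card_id -> (number, secret)
        self._seen: Set[Tuple[str, str]] = set()         # accepted (card_id, token)

    def register(self, card_id: str, id_number: str, secret: bytes) -> None:
        self._cards[card_id] = (id_number, secret)

    def verify(self, card_id: str, token: str, ts: int,
               now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        if card_id not in self._cards:
            return "unknown-card"
        # Freshness first: stale or future-dated tokens are rejected before any
        # comparison, which also bounds how long the replay set must be kept.
        if not (0 <= now - ts <= TOKEN_WINDOW_SECONDS):
            return "expired"
        id_number, secret = self._cards[card_id]
        expected = _mac(secret, id_number, ts)
        if not hmac.compare_digest(expected, token):
            return "bad-token"
        # Single use: a token that was already accepted is blocked.
        if (card_id, token) in self._seen:
            return "replay"
        self._seen.add((card_id, token))
        return "ok"


def demo() -> Dict[str, str]:
    """Walks through the lifecycle with a constructed card and a fixed clock."""
    issuer = IssuerVerifier()
    secret = b"constructed-card-secret-not-a-real-key"
    number = "123-45-6789"  # constructed sample number, not a real SSN
    issuer.register("CARD-0001", number, secret)
    card = TokenCard("CARD-0001", number, secret)

    t0 = 1_700_000_000
    card_id, token, ts = card.display(now=t0)
    results = {
        "first_use": issuer.verify(card_id, token, ts, now=t0 + 30),
        "replay": issuer.verify(card_id, token, ts, now=t0 + 60),
        "stale": issuer.verify(card_id, token, ts, now=t0 + TOKEN_WINDOW_SECONDS + 1),
        "forged": issuer.verify(card_id, "0" * TOKEN_HEX_LEN, ts, now=t0 + 30),
    }
    # A fresh token from the same card a minute later is a different value and verifies.
    _, token2, ts2 = card.display(now=t0 + 60)
    results["second_token_differs"] = str(token2 != token)
    results["second_use"] = issuer.verify(card_id, token2, ts2, now=t0 + 90)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is the verification split: the form only ever stores the card id, token and timestamp, and the party that knows the number and the key is the issuer. Replay blocking only works if the freshness window is enforced as well, otherwise the set of used tokens grows without bound.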