In one of our features this month, “2006: Year of exposed IDs,” we discuss the various breaches that have plagued businesses of all sizes over the last year. As our edition went to press, still other incidents cropped up.
A division of J.P. Morgan Chase mistakenly threw out tapes containing the personal information of 2.6 million past and current Circuit City credit card holders. Chase Card Services said it had mistakenly thrown out documentation tape with the personal info of millions of Circuit City customers. The firm said the tapes were compacted and destroyed in a landfill. Chase notified affected customers and offered those customers free credit monitoring for a year. The company said it had not seen reports of any misuse of the personal information.
Brian Contos, CSO of ArcSight, has launched his new book, Enemy at the Water Cooler: Real-Life Stories of Insider Threats and Enterprise Security Management Countermeasures. The book details the evolution of security threats from hackers to malicious insiders at some of the world’s largest corporations and government agencies and examines ways to combat those risks.
How do you describe your job to average people?
I tell people that my job is to protect data and equipment, making sure that their information is kept private, can be trusted to be correct and is always available when needed — just a riff on the C-I-A triangle. I say I am also responsible to make sure we are in compliance with all applicable laws, regulations and common sense. Then I throw in that I get to play with all the cool toys, some days I am Neo, some days Agent Smith.
In late August 2006, we saw the most recent example of a highly valued brand damaged by a data breach, as AT&T reported that hackers had gained access to credit card information and other personal data of approximately 19,000 of its customers.
It was in the consultant's role recently that I got some sage advice from the security lead at a favorite client. I had just completed a full vulnerability assessment complete with penetration, VA scans, ISO17799 interviews, inter-domain communications leak analysis…the works. They looked pretty good. Better, in fact, than most I have seen over the years.
The industry is on the beginning fringes of a major shift with one of our most basic but often taken-for-granted security controls: anti-virus technologies. The shift has the capability to not only slow down our containment response, but also force us into competing against each other for protection. I do not know if I can honestly state that this is born from intelligent design, but it certainly is a side effect. Let me explain further.