Security: The Paranoid Survive

What’s the price of information?

"Information is money?" Well, actually, money is information. Money
started as IOU notes for gold deposited with safe-keepers, and today’s
currency notes remain pieces of information about their value against gold
reserves. We’ve found electronic ways of handling this information, so a
credit card swiped through a slot can make a transaction happen in a bank a
thousand miles away, instantly.

If you steal the right information, you can steal money. Heard of
"salami slicing" in banking? Someone in Delhi managed to access
thousands of fellow-staff accounts, and "slice off" the paise. Rs
95,456.23 was simply rounded down, the 23 paise moved to another account – too
little for the user to notice or complain about. A few dozen such sweeps got the
perpetrator a tidy sum, and, later, a jail sentence.

Every enterprise has information that is as valuable to it as those account
details or credit card numbers are to a bank… it’s funny that so few
enterprises realize it.

Someone stole a Bombay-based magazine distributor’s subscriber database for
a foreign news weekly. The thief then sent out a single mailer to everyone on
the database: a renewal notice for the magazine, with an invoice for a year’s
subscription. How many noticed that the reply address was different from the
regular one, and that so was the "make cheque to" name, or that their
subscriptions weren’t really over? Enough subscribers sent off cheques to
cause panic and horror at the distributor’s company – when it found out.

For the first six months of VSNL’s Internet access service in 1995-96, the
passwords of senior VSNL officials, from the director (operations) down, were
simply their first names. Users had a field day using the "free"
accounts. But the real damage happened with all the mails that were sent out,
purportedly from the officials themselves. The love-bug virus strains caused
similar damage by sending out a variety of embarrassing messages to the victims’
address-books.

Information is the key: it’s all that the enterprise owns and possesses. It
is the differentiator, the foundation. Information is what you pay for when you
go to a doctor or TV mechanic. Today, enterprises have to keep that information
in networks, to stay competitive. And guard it with everything they’ve got:
from hackers, but more likely from careless or errant employees.

That’s the challenge that few enterprises in India have recognized, or
risen to meet. It’s going to be forced onto most of us in unpleasant ways.

Ask not the price of security: ask instead the cost of a breach in your
enterprise network.

 
