Security Basics mailing list archives
RE: A reminder that security is not inherently solvable with technology
From: "Mike Peppard" <mpeppard () impole com>
Date: Fri, 24 Oct 2003 13:01:37 -0400
Offshore business-process-outsourcing sales will leap 38% this year to $1.8 billion
http://www.informationweek.com/story/showArticle.jhtml?articleID=15306236

With this type of money riding on outsourcing there are substantial incentives to improve the product. Get used to it <sigh>. Security issues just ain't going to slow it down. Different legal systems, as the article in question indirectly implies, just ain't going to slow it down either. Everything together might slow it down long enough for us to find our niche, or not.

On an oblique, but more security type note: The issue of access to sensitive data, such as that in the article, is one that will bite us IT professionals one day. We now have access and control of sensitive data far beyond that of the shareholders, CEO, or CPAs that audit the company. And much more than the women in this story. Something to think about. We're the ones called to "put" the controls in, who puts the controls on us? Hippocratic oaths? Maybe we can learn something from how outsourcing and these security issues are handled...?

-Mike

(My email is attached to this message. We don't need to clutter the mailing list with OT stuff.)
-----Original Message-----
From: Paul O'Malley [mailto:ompaul () eircom net]
Sent: Friday, October 24, 2003 3:28 AM
To: Kamal Habayeb
Cc: security-basics () securityfocus com
Subject: Re: A reminder that security is not inherently solvable with technology

On Thu, 2003-10-23 at 18:14, Kamal Habayeb wrote:

JGrimshaw () ASAP com wrote:

http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2003/10/22/MNGCO2FN8G1.DTL

This article was posted on Slashdot today...

Does anyone else see the potential abuse of off shoring jobs that may contain sensitive customer information? As this idea spreads, it could become the "hostage taking" of the new millennium. No longer would one need to kidnap a person in South America and hold them for ransom, it's much easier to obtain a job that gives access to sensitive information and then threaten to publicize the information if not paid. We need to take steps to keep our jobs and our information secure.

This has been documented since security began. The argument may not have been so obvious in its phrasing but it is this: Given the concept of a system of least privilege, was it appropriate to outsource the data processing needs of the organisation in pursuit of lower costs (read shareholder value) and risk the whole organisation on a single or multiple acts of hostage taking?

You do not have data protection when a case such as this occurs. What would be very interesting to know is does the company to whom the Joe Citizen entrusted their personal data have a DRP (Disaster recovery plan) for this case? I suppose they don't see it as their issue but one for their contractor who sees it for their contractor etc.

In a case such as this one can sue anyone one wishes to, however if customers feel aggrieved they will leave in their thousands and the company in question may not have need for its existing employees or board of directors. I wonder if it was documented in the risk assessment and management part of the consideration to outsource.
Best regards,
Paul O'Malley