Security Basics mailing list archives

Re: Actual Security Cases


From: "Jeffrey C. Keyser" <jkeyser () poss com>
Date: Fri, 07 Feb 2003 17:03:36 -0500

There are stories in the media of identity theft, mass credit card fraud and various forms of industrial espionage on at least a monthly basis.

The bigger issue is that security MUST come from top down. I'm not sure of the laws in your corner of the globe, but you may be able to convince him of his personal liability if information assets for which he's responsible are compromised. Even if he/she isn't legally liable for the compromised information, your organization may (spelled should) still hold this person responsible.

In the US we have HIPAA, which governs the handling of personal information. Building on your AOL example... If a physician emails a patient's medical information "in the clear", he/she could be facing serious legal repercussions.

If you need to convince this idiot of the importance of protecting his/her information assets, it may be time to start looking for a new job. You don't want to get caught "holding the bag". At a minimum keep a paper trail to protect yourself WHEN the compromise occurs.

Good luck.




At 08:23 PM 1/29/2003 +0100, ullmic6 () web de wrote:
Does anybody know a good internet source of actual security related real life cases? I know that it's a risk to forward corporate mail to internet e-mail accounts like AOL or gmx. But I need a case like "in January 2001 the AOL accounts of xyz got cracked and a lot of confidential data was published by some hackers on the internet" to convince a manager who thinks the risk is just theoretical and nothing ever happened. I would like to have such stories for different threats (no remote access via modem, no weak passwords, no unencrypted data on laptops,...). In my opinion the stories in the book "Tangled Web" are just a starting point (some of them are not easy enough for managers).

--
<- ullmic6 ->





