Information Security News mailing list archives

Re: Time Warner says data on 600,000 workers lost


From: InfoSec News <isn () c4i org>
Date: Sat, 14 May 2005 03:07:50 -0500 (CDT)

Forwarded from: Mark Bernard <Mark.Bernard () TechSecure ca>

Dear Associates,

The recent massive, 600k record, loss of private information by Time
Warner truly highlights a threat that every company could be
susceptible to. Every business that I've ever worked in, including
Government, Pharmaceutical, Insurance, Banking and even Manufacturing,
utilizes off site storage, which could prove to be the next weakest
link in the chain of information ownership/custodianship.

At one time data encryption would never have been considered due to
costs, but now that systems are cheaper and more powerful I don't see
why it wouldn't be a serious consideration. Of course encryption keys
also need to be managed for the future, hence Identity Management.
Encryption may not be an absolute solution, but it's a great alternative
and most importantly it mitigates risk. The next operational areas to
consider with a similar risk exposure to backup media would be hot
sites, which handle live data over live communications lines, and
development systems where un-sanitized data may be used for testing.
In many cases development is handled by third parties, sometimes off
shore, increasing the exposure rate to these vulnerabilities.

Recently I reviewed a Systems Development Department that used a
prototyping promotion process. The prototyping promotion process is
generally used to speed up the development-to-production time while
attempting to reduce errors, further improving on quality and reducing
operational expenses. Unlike the more traditional and more expensive
systems development process that actually utilizes a segregated
development environment, the prototype environment allows application
programmers to have access to live data and usually live production
systems.

Hot sites are just that: they typically maintain mirrored or duplicate
transactions against a full production system. Since a hot site is
usually hidden away in an unmarked, sometimes unmanned building,
security precautions may be reduced from that of the production
environment. That being said, it could be possible for staff or
maintenance people to have access to information otherwise guarded.

There are many risks that need to be considered once information
assets become digitized. Food for thought!!

Best regards,
Mark.


Mark E. S. Bernard, CISM, CISSP, PM,
Principal, Risk Management Services,

e-mail: Mark.Bernard () TechSecure ca
Web: http://www.TechSecure.ca
Phone: (506) 325-0444


Leadership Quotes by John Quincy Adams: "If your actions inspire
others to dream more, learn more, do more and become more, you are a
leader."


----- Original Message ----- 
From: "InfoSec News" <isn () c4i org>
To: <isn () attrition org>
Sent: Wednesday, May 04, 2005 3:37 AM
Subject: [ISN] Time Warner says data on 600,000 workers lost 


http://www.computerworld.com/securitytopics/security/story/0,10801,101500,00.html

By Lucas Mearian 
MAY 02, 2005 
COMPUTERWORLD

Time Warner Inc. reported today that a shipment of backup tapes with
personal information of about 600,000 current and former employees
went missing more than a month ago during a routine shipment to an
offsite storage site.

The tapes, part of a routine shipment being taken to the site by
off-site data storage company Iron Mountain Inc., didn't include data
about Time Warner customers, the company said in a statement.

The company told employees today that the data tapes went missing
March 22.

"We are providing current and former employees with resources to
monitor their credit reports while our investigation continues. We
are working closely and aggressively with law enforcement and the
outside data storage firm to get to the bottom of this matter," said
Larry Cockell, Time Warner's chief security officer.

The U.S. Secret Service is working with both Time Warner and
Boston-based Iron Mountain to investigate the missing tapes.


