Welcome to this, the seventh edition of The ISO17799 newsletter, designed to keep you abreast of updates and developments with respect to the ISO 17799 information security standard.
The information contained in this newsletter is free to our subscribers and provides guidance on practical issues, plus commentary on recent Information Security incidents.
Included in this issue are the following topics:
IT COULDN'T HAPPEN HERE....COULD IT?
Every issue of The ISO17799 Newsletter features at least one TRUE story of an information security breach and its consequences:
1) Don't Recycle Data
Several years ago one of the world's largest security firms uncovered a major network in the US that specialized in the recovery and sale of computer data.
One of their most successful methods was to purchase old media (disks/etc) and old PCs from large companies and then recover the data using specially modified equipment. The recovered data was subsequently sold to competitors and others.
Again, the lesson is obvious: ensure that any equipment sold on is totally cleansed (drives etc. overwritten, not just files deleted).
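The difference between "files deleted" and "drives overwritten" is easy to show on a toy disk image. The following is an added example written for this newsletter issue, not code from any product or firm mentioned above: it models a tiny block device with a directory, shows that an ordinary delete only drops the directory entry and leaves the record recoverable from the raw media, and shows the verification step a practitioner should run before disposal, a scan of the raw bytes for known markers. The disk layout, block size and the sample account record are all constructed for the demonstration.

```python
# Added example (not from the newsletter): a toy disk image showing why
# deleting a file is not the same as overwriting it, and how to verify
# sanitisation by scanning the raw media. The "disk", its directory and the
# file content are all constructed here; no real device is touched.
import os

BLOCK_SIZE = 16  # constructed: tiny blocks so the image is easy to inspect
NUM_BLOCKS = 8


class ToyDisk:
    """A flat byte array plus a directory mapping names to block numbers."""

    def __init__(self):
        self.media = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.directory = {}  # name -> list of block indices
        self.free = list(range(NUM_BLOCKS))

    def write_file(self, name, data):
        blocks = []
        for i in range(0, len(data), BLOCK_SIZE):
            b = self.free.pop(0)
            chunk = data[i:i + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            self.media[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = chunk
            blocks.append(b)
        self.directory[name] = blocks

    def delete_file(self, name):
        """What an ordinary 'delete' does: drop the directory entry and free
        the blocks, leaving the bytes on the media untouched."""
        self.free.extend(self.directory.pop(name))

    def overwrite_blocks(self, blocks, passes=1):
        """Sanitise by overwriting the listed blocks with random bytes and
        then zeros. One random pass is enough to make the point here."""
        for _ in range(passes):
            for b in blocks:
                self.media[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = os.urandom(BLOCK_SIZE)
        for b in blocks:
            self.media[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)

    def sanitize_file(self, name):
        """Overwrite a file's blocks before removing its directory entry."""
        self.overwrite_blocks(self.directory[name])
        self.delete_file(name)

    def wipe_all(self):
        """Whole-media sanitisation before disposal: every block, whether or
        not the directory still points at it."""
        self.overwrite_blocks(range(NUM_BLOCKS))
        self.directory.clear()
        self.free = list(range(NUM_BLOCKS))


def residual_secrets(disk, markers):
    """Verification step: scan the raw media, ignoring the directory, for any
    marker string. Returns the markers that are still recoverable."""
    raw = bytes(disk.media)
    return [m for m in markers if m in raw]


SECRET = b"ACCT-7781 BALANCE 420000 PIN 9931"  # constructed sample record
MARKERS = [b"ACCT-7781", b"PIN 9931"]


def demo():
    """Compare a plain delete with an overwrite; returns what a raw scan finds."""
    found = {}
    deleted = ToyDisk()
    deleted.write_file("ledger.txt", SECRET)
    deleted.delete_file("ledger.txt")
    found["after_delete"] = residual_secrets(deleted, MARKERS)
    wiped = ToyDisk()
    wiped.write_file("ledger.txt", SECRET)
    wiped.sanitize_file("ledger.txt")
    found["after_overwrite"] = residual_secrets(wiped, MARKERS)
    return found


if __name__ == "__main__":
    print(demo())
```

On the deleted-only disk the raw scan still finds both markers, because the directory entry is gone but the blocks are not; after the overwrite the scan finds nothing. For equipment leaving the organisation the same verification applies to the whole medium, not just to files the directory still lists, which is what `wipe_all` models.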
2) Answering Machines Have No Loyalty!
Sometimes the most basic of equipment can be the source of a serious breach. In this case, a medium-sized business was able to fend off a takeover largely on the basis of snippets of key information it was able to glean regarding timing, how close to a 'final offer' the unwanted suitor actually was, and so on.
How did it obtain this information? Quite simple: telephone answering machines!
The access control mechanism that guards remote access to messages is often very poor indeed. The secret code is sometimes only a single digit, making the odds of guessing the code first time just 10 to 1, or put another way, a maximum of 10 'out of hours' calls to the target phone. In this case it was two digits, making the odds 100 to 1 (on average about 50 calls before the correct code for an individual phone was found).
Over several nights the medium-sized company was able to crack the codes of a number of key players in the takeover drama. Simply by calling in at set times (lunch, after work, etc.), they were able to pick up messages covering a range of topics, including the takeover, and they adapted their strategy accordingly.
The lesson from this is obvious: don't leave confidential information on telephone answering machines!