Welcome to the eighth issue of The ISO27000 Newsletter, designed to keep you abreast of news and developments with respect to ISO17799 and information security.
The information contained in this newsletter is absolutely free to our subscribers and provides guidance on various practical issues, plus commentary on recent Information Security incidents. In view of recent events, this issue focuses particularly upon business continuity and disaster recovery.
Included in this issue are the following topics:
IT COULDN'T HAPPEN HERE....COULD IT?
Every issue of The ISO27000 Newsletter features at least one TRUE story of an information security breach and its consequences:
1) Confidential User-Ids?
Organizations rightly stress the importance of password confidentiality. Some also urge staff to select sensible passwords, which cannot be easily guessed or calculated.
Sometimes this is not taken as seriously as it should be, as individuals believe that, for example, a password of Sept2003 simply isn't going to be guessed by a perpetrator within the maximum number of input attempts allowed.
However, exposure doesn't always work like this. One breach occurred because the perpetrator discovered the format of a firm's user-ids (company code followed by three initials and a single-digit number). He then reversed the usual process: he selected a password of the kind described above (e.g. June2003) and tried that one password against hundreds of combinations of user-id initials. Because each account saw only one invalid attempt, none of the accounts was locked out. Eventually he hit a user with that password. He wreaked havoc.
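The breach above works because the lockout counter is kept per account while the attempts are spread one per account. The following detector is an added example, not material from the newsletter: it counts failures per source instead and flags a source whose failures touch many distinct user-ids within a short window. The log format, user-ids and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log (not from the newsletter); user-ids follow the story's format.
SAMPLE_LOG = """\
2003-06-02T09:00:01 FAIL user=ACMEABC1 src=10.0.0.7
2003-06-02T09:00:03 FAIL user=ACMEABD1 src=10.0.0.7
2003-06-02T09:00:05 FAIL user=ACMEABE1 src=10.0.0.7
2003-06-02T09:00:07 FAIL user=ACMEABF1 src=10.0.0.7
2003-06-02T09:00:09 FAIL user=ACMEABG1 src=10.0.0.7
2003-06-02T09:15:00 FAIL user=ACMEJDS1 src=10.0.0.9
2003-06-02T09:15:04 FAIL user=ACMEJDS1 src=10.0.0.9
2003-06-02T09:15:09 OK   user=ACMEJDS1 src=10.0.0.9
"""
LINE_RE = re.compile(r"^(\S+) (FAIL|OK)\s+user=(\S+) src=(\S+)$")

def parse(log):
    # Return (timestamp, result, user, src) tuples for well-formed lines.
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m[1]), m[2], m[3], m[4]))
    return events

def max_failures_per_account(events):
    """Highest failure count on any single account: all a per-account lockout sees."""
    counts = defaultdict(int)
    for _, result, user, _ in events:
        if result == "FAIL":
            counts[user] += 1
    return max(counts.values(), default=0)

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag sources whose failures touch >= min_accounts distinct user-ids
    within any window-long span. Returns {src: distinct account count}."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            distinct = len({u for _, u in fails[start:end + 1]})
            if distinct >= min_accounts:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged
```

On the sample, no account exceeds two failures, so a per-account threshold of three never fires, while the per-source view flags 10.0.0.7 after its fifth distinct user-id.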
2) When is Disposal Not Disposal?
Secure disposal of computer media is by now a fairly well known requirement. It is widely, although not universally, practiced.
The history of information security, however, is littered with examples of disclosure through uncontrolled disposal. Stories of competitors, or their agents, retrieving old diskettes/CDs/listings/etc from garbage bins are rife. However, there are plenty of other routes:
a) Not too many years ago a network was uncovered which specialized in the recovery and sale of corporate data. One of their methods was to purchase old tapes and diskettes from large companies and then restore the data using their own recovery software. This was then discreetly offered for sale to selected competitors!
b) A more recent example along the same lines: On this occasion the perpetrators tracked the disposal route of a computer engineering firm. This firm was responsible for the maintenance of peripherals and routinely replaced the faulty media of their clients. Sadly the hardware fault was not always terminal for the data stored.
Although many of the customers had excellent disposal procedures in place, they had not covered this eventuality. Their data was exposed as a result.