Re: Actual Security Cases

From: Jeffrey C. Keyser
Date: 02/07/03

    Date: Fri, 07 Feb 2003 17:03:36 -0500
    From: "Jeffrey C. Keyser"

    There are stories in the media of identity theft, mass credit card fraud
    and various forms of industrial espionage on at least a monthly basis.

    The bigger issue is that security MUST come from top down. I'm not sure
    of the laws in your corner of the globe, but you may be able to
    convince him of his personal liability if information assets for which
    he's responsible are compromised. Even if he/she isn't legally liable
    for the compromised information, your organization may (spelled should)
    still hold this person responsible.

    In the US we have HIPAA, which governs the handling of personal
    information. Building on your AOL example... If a physician emails a
    patient's medical information "in the clear" he/she could be facing
    serious legal repercussions.

    If you need to convince this idiot of the importance of protecting
    his/her information assets, it may be time to start looking for a new
    job. You don't want to get caught "holding the bag". At a minimum keep a
    paper trail to protect yourself WHEN the compromise occurs.

    Good luck.

    At 08:23 PM 1/29/2003 +0100, wrote:
    Does anybody know a good internet source of actual security related real
    life cases? I know that it's a risk to forward corporate mail to
    internet e-mail accounts like AOL or gmx. But I need a case like "in
    January 2001 the AOL accounts of xyz got cracked and a lot of
    confidential data was published by some hackers on the internet" to
    convince a manager who thinks the risk is just theoretical and nothing
    ever happened. I would like to have such stories for different threats
    (no remote access via modem, no weak passwords, no unencrypted data on
    laptops,...). In my opinion the stories in the book "Tangled Web" are
    just a starting point (some of them are not easy enough for managers).

    <- ullmic6 ->