The Next Crisis? Information Security, Uncommon Knowledge

Note: Kevin Nixon and his team are the leading authorities on control-bypass and information security issues, and will be instrumental in resetting the IT industry's governing protocols. Kevin's team is the first group actively addressing information security issues not only as a consumer, investor & corporate governance issue, but also as a Global and National Security Issue. Kevin's research has demonstrated that these are solvable problems, and his team will be making concerted efforts to elevate this discussion to national and international levels. I have been honored with an invitation to assist in a portion of Kevin's research, and would appreciate any an all input from readers that address both the specific nature of information breaches in our industries, as well as any suggestions for best practices and protocol reform. Please leave your comments, or contact me directly: anthonymfreed@gmail.com

Un-Common Knowledge

By Kevin M Nixon, MSA, CISSP, CISM

Question: What do the Division of Motor Vehicles Colorado, the University of Utah Hospitals and Clinics in Salt Lake, Monster.com, the University of Miami and Fidelity National Information Services all have in common? (Hint: Think TJ Maxx) Give up?

Answer: Each was the victim of a data security breach that resulted in the exposure of over 2 Million computer records which contained confidential, non-public, private information.

In the case of Fidelity the total number of computer records exposed exceeded 8.5 million. You can monitor the events yourself the Privacy Rights Clearinghouse where you will find a frightening amount of information.

Just yesterday, November 1st, 2008, privacyrights.org reported that the Seattle Washington School District released 5000 social security numbers to a local union representing some of the district workers. More than half of the district's workers were affected by leak.

No wonder that the FBI and the National White Collar Crime Center saw Americans report losses of $239 million as a result of online fraud.

Don't assume that an "identity thief" is a "hacker" in the computer crime underworld. The "identity thief" may simply obtain the information from a source and then sell the information. However, "identity thieves" are now recruiting "hackers" to obtain access to electronic databases which contain the most choice data.

The trafficking of stolen data is a quick operation. The hard earned reputation, financial & banking records as well as personal information such as age, marital status, and children's names can all be sold for a few dollars each. Think about that: If 2 million records are stolen and sold for $2 per record, the "ID Thief" has made a cool $4 million off of what took you years of honest hard work to create.

The same technology used to steal your information is often used to sell your information. Your data is often sold through large instant-message groups or via online auctions, both of which may only exist for a few hours or days to avoid detection by authorities.

Here are a few tips that may alert you that your credit information has been compromised:

1) When ever possible go "paperless". You simply receive an email stating that your statement is available online for viewing and you can pay electronically too.

2) If you can't go paperless and you have a mailbox on the curb that anyone can walk by and open, consider getting a PO Box or a lockable mailbox. It is real easy for a thief to simply take a credit card statement containing most of the info they need out of the box on the curb.

3) Monitor your statements. Did you really put $2 worth of gas in the car? One of the ways thieves validate that a stolen card is still active is to charge a very small amount and if the transaction goes through they know that the card is still good.

4) Be alert to creditors calling to verify a telephone number! Creditors performing information verification often call telephone numbers associated with credit applications. The 3 big agencies are not offended when you question why the information is needed. Thieves often take personal information and attempt to open "business accounts" which makes the transaction more difficult to trace.

5) And last but not least, your Social Security Card (and number) should only be used for tax purposes. Says so right on the card. Do not use for ID.

Your social security number is not "required" for anything else under the law. It serves one purpose, to associate your earnings with your taxes. Banks, insurance companies, and others are required by law to use alternative photo ID cards. If the person or company won't do business without your Social Security number, ask to borrow their telephone, and call the local Social Security Office and report the company. Then take your business someplace else.

(The writer gives permission to link to, post, distribute, or reference the above article for any lawful purpose, provided that attribution is provided to the writers. This article will also be posted at the writers’ own sites)

Certified Information Systems Security Professional (CISSP)

Certified Information Systems Manager (CISM)

Master Security Architect (MSA)

Extensive experience in:

Gramm-Leach-Bliley Security Audits

Data Privacy Policy

Investigation & Litigation Support

Mergers & Acquisitions

FFIEC/OCC/OTS Regulations

EU & Basel II Regulations

Sarbanes-Oxley

Domestic & International Regulatory Compliance

USA PATRIOT ACT

Kevin Nixon’s Honors:

Consultant to the Federal Trade Commission on the roll out of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) providing input regarding web security best practices for the website: www.annualcreditreport.com

Disaster Recovery Workgroup for the Office of Homeland Security under Richard Clarke, Special Advisor to the President for Cyberspace Security and Chairman of the Critical Infrastructure Protection Board.

TC68-SC2 & US TC68-SC6 Member to the International Standards Organization (ISO) on Financial Data Protection, Privacy, and Security Standards.