Information Security Challenge
February 17, 2010
Information Security Challenges
As the world becomes more saturated and dependent upon Information Access, increased opportunities await the criminal element to exploit. This creates new and more costly problem sets that must be mitigated in order to navigate in today’s business world.
One of the larger challenges is, entering the criminal information market does not take an excessive capital investment. It simply requires a computer, online access and some talent. Potentiating this problem is the large legitimate market of information brokers that gather marked amounts of information today. This allows for the ...view middle of the document...
hard. In my opinion it is the mentality of the big company that sets themselves up. The “Who would attack us? We’re too large to attack”, or “We don’t want to expend the requisite resources to adequately cover the company because we are too large and the cost would be too much”. This is a bottom line mentality that effectively “rolling the dice” when it comes to information security.
Avoiding the Lowe’s Scenario
To generate the solution set to any problem it helps to understand the mechanism of action or insult. Referencing the Lowe’s incident, Lowe’s was a large (too big) company that utilized wireless access points at its sales registers. Once a sale was made the pertinent information was transmitted via the wireless network to be recorded and accounted for etc…
Wireless access points can have several types of data encryption mechanisms on them such as WEP 64, WEP 128, WPA, WPA2 etc… Most likely Lowe’s used the WEP 64. This is the lowest (no pun intended) level of encryption and can be hacked in two to four minutes using only a laptop and minimal talent. So getting into the Lowe’s network by the criminals was not a difficult task.
What made it easy for the Lowe’s criminals was the lack of attention devoted to information security, which was the real culprit. They had the system for about five years and despite it being reported as easily hacked, they kept the system simply because it worked.
In our bottom line sensitive environment expending resources on non-value-added (but necessary) processes is very hard to get by any budget committee. This is especially true when many people still fully don’t understand the technology or the existing threat to that technology. To them it is simply another techie boondoggle that is not needed. So it if isn’t broke….why fix it? Further investigation discovered that the Lowe’s system was not segregated. In other words the criminals could hack through this point to other local offices and even their corporate office as well (Roth, 2005). That meant they could find the storage of all credit card actions and could retrieve them at any time. In effect they didn’t even have to store the numbers they stole if they decided not to.
Lowe’s could have avoided this event by simple preventative actions. Had they utilized an annual security audit on their security systems the faults would have been discovered. This would have brought to light the obsolete system and the need to upgrade to a higher level of information security.
Other efforts would include the use of technology whenever possible. During every war new technology is developed and utilized. As each new weapon is launched, the intelligence apparatus is mobilized to discover what it is and how to mitigate it. Information security is no different. When a new anti-hacking device is manufactured it goes through a short honeymoon of use. That is the time it takes for hackers to find a way to neutralize the effects of the device. Then the...