Caute_cautim
Community Champion

If you don’t want to be breached, use paper

Hi All

 

How many agree with this article? 

 

https://istart.co.nz/nz-news-items/biggest-data-breach-dubbed-collection/?utm_medium=email&utm_campa...

 

Regards

 

Caute_cautim

7 Replies
emb021
Advocate I

Paper can be breached.  It's no guarantee of safety or security.

 

If the concern is the amount of data that is digitized and its security, address that.  I don't think the amount of data is the problem, it's how poorly many orgs secure data.

 

 

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
rslade
Influencer II

> emb021 (Newcomer II) posted a new reply in Industry News on 02-13-2019 01:31 PM

> Paper can be breached.  It's no guarantee of safety or security.

You couldn't breach your way out of a wet paper ...

Oh ... wait ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Fashion is a form of ugliness so intolerable that we have to
alter it every six months. - Oscar Wilde
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Caute_cautim
Community Champion

Don't tempt me, we will be quoting protective devices next...

 

It comes down to the plain fact: 

 

https://books.google.com.au/books?id=4GzRYavTBfcC&pg=PA9&lpg=PA9&dq=The+only+way+to+ensure+data+does...

 

See Ross Anderson quote attached.

 

Regards

 

Caute_cautim

Shannon
Community Champion

 

Digitization obviously has its pros & cons. You don't want to completely do away with digitization, unless your analog data is simply to be stored / retained securely --- & nothing else. Reducing digitization is an interesting prospect, but may not appeal to business entities if it impacts their ability to compete with other organizations.

 

Entities should strike a balance between the digitization & retention of analog information --- depending on the classification of the info and the requirements for it...

 

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Baechle
Advocate I

John,

 

I partially agree with the article.  The article proposes multiple ideas:

 

(1) Do not digitize records in order to avoid loss of control.  As others in the thread here have already pointed out, the information is the key element – not necessarily the medium that information is stored on.  People can still photocopy and transcribe on paper, read information and tell someone else, and tell someone else something they heard.  Spies have been doing this kind of thing since before there were “computers”.

 

(2) Reduce the pace of adoption of new networking technologies.  Now, this I agree with wholeheartedly.  If the feature that your organization wants to implement is not properly implemented, or it’s implemented insecurely, then you’ll have to either assume that risk, employ mitigations, or not implement that new feature.  I think our global culture has moved from cutting edge to bleeding edge to hacking at the bone… we are collectively reaching a point of doing more damage in brand and legal exposure than we are enabling better business processes. 

 

In the end, you can make smart security decisions that protect information.  That typically means growing the Information Technology, and specifically the Information Technology Security beast in both competency and capability – something that most organizations don’t want to spend money on because it's not their core business.

 

Sincerely,

 

EB

ed_williams
Newcomer II

No, data is data. The media isn't the issue. There have been breaches since before paper was invented. IT just allows for bigger breaches, faster. That's (erm) progress.

Espionage is not new to the digital age.  Stalin and the Soviets didn't need to do much of the research and development for the H-Bomb because they got the plans from the Americans.  Ink and paper, and physical security didn't stop loss of the physics and engineering work. 

 

(With the Great Patriotic War, WW1, Napoleon, etc. we can understand how the Russians didn't trust the US with the atomic bomb.  And, they had many sympathetic US citizens to recruit from.)

 

When espionage was done in person, the awesome scale of digital age theft wasn't possible.  They could take many pictures with a micro-camera when they were in the same room as the originals, but they couldn't take 50M pictures, or exfiltrate thousands of sheets of paper.

 

Agreed, the people and organizations who steal data have benefited greatly from the opportunity and scale of porous and insecure systems.  But, truly valuable paper or air-gapped data is vulnerable to old-school methods.

 

The authors of the paper didn't mention once the subject of cryptography/cryptanalysis.

 

I'm amazed that any of the modern digital hardware or software works at all.  The founding fathers of programming languages, networks, and operating systems paid no attention to security.  Licklider at Bolt, Beranek and Newman or Jon Postel did amazing work just to make it function.  Security is hard, and none of the original technology was designed with it in mind.

 

The authors of the article could have spent more words documenting the scale at which the technology has turned into a surveillance state.  The massive scale of data that companies keep indefinitely - I don't know what to say about it.  The US Government couldn't even keep control of the security clearance data for their military and spies.  Whoever has the OPM data has the names, pictures, fingerprints, and family information of all/most of the members in the US military and three-letter-agencies.  (Maybe that data should have been paper-only.)

 

Apple would have been a good example for the authors, also.  They do a great job.  Vulnerabilities are quickly fixed.  The price Zerodium pays for iOS exploits is high.  And, get a copy of what they know about you:  "https://privacy.apple.com/account" .  Listen to one person's thoughts about what this privacy-conscious company keeps about us:  "https://inteltechniques.com/blog/2019/03/01/the-privacy-security-osint-show-episode-113/"

 

My final thoughts about the article are these:  Companies and governments should collect only the necessary information to do their job, and truly delete it as soon as the need is over.  Agreed, that's a simplistic statement.  But for a forecast of the future if we don't, look to Stasi Colonel Wolfgang Schmidt's words: “It is the height of naivete to think that once collected this information won’t be used.  This is the nature of secret government organizations. The only way to protect the people’s privacy is not to allow the government to collect their information in the first place.”