Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Infosec Needs to Avoid Repeating Past Patterns of Error

    By
    Peter Coffee
    -
    May 16, 2005
    Share
    Facebook
    Twitter
    Linkedin

      If you look at the shape of a mountain range, its often difficult to tell whether the image spans just a few hundred feet or hundreds of miles. Any section of the shape has the same sorts of wiggles as the larger context from which it came. This is called “self-similarity,” and I felt as if I were experiencing the same phenomenon while preparing my charts for a recent talk on information security.

      I gave the speech this month as the opening keynote at a conference hosted by the Boise, Idaho, chapter of the Information Systems Security Association. The first seven charts looked at significant events since my keynote at the same conference last year; the eighth chart delivered the punch line that all the events I had just described had actually been reported during the 6-hour window immediately before I prepared my presentation slides, only two days before I spoke.

      What sounded like a summary of the prior year was actually just a close-up of a slice of a single day.

      That 6-hour scan of the information security horizon managed to take in a wide range of landmarks. It included a discussion, for example, of the U.S. Armys failure to realize that a blacked-out passage in an Adobe Acrobat document could be revealed with a simple copy and paste. All that one needed to do was transfer a supposedly redacted passage into another, less sophisticated documentation tool that didnt know about fancy attributes—and merely showed the unadorned text.

      As I noted during my talk in Boise, this is the same kind of wiggle of accidental disclosure that has stretched across the past several years. Its the same shape, for example, as the discovery years ago that passages “deleted” from a Microsoft Word document are still present in the file if the “fast save” option was enabled during editing. Those passages can be seen easily by opening the file in a tool such as Notepad that doesnt know whats not supposed to be shown to the user.

      At some point, were supposed to stop assuming that our enemies will play by our rules.

      Another event reported in the hours just before I prepared my Boise keynote speech was ChoicePoints designation of its first chief credentialing, compliance and privacy officer. This was especially noteworthy because the letters of apology that ChoicePoint sent out in February, advising people that their personal data might have been disclosed to criminals, were signed above the job title “Chief Privacy Officer”—but the signature was that of the companys general counsel, who apparently had never used the CPO title on any earlier occasion and who didnt hold on to it for long. It looks very much as if the function of CPO was never considered important until the lack of such an office became embarrassing.

      /zimages/7/28571.gifTo read more about the fallout from the ChoicePoint disclosure, click here.

      This suggested to me another fractal self-similarity: Year after year, information security promises are phrased in terms that suggest due diligence while actually assuring nothing. Ive previously noted, for example, that the California law that mandates disclosure of data leaks is waived if the compromised data was “encrypted”—with no further statutory threshold to distinguish competent encryption from trivial measures, such as an easily cracked encipherment that uses a password of “password.”

      Whether were talking about encryption that merely serves as a checkoff item instead of giving actual protection or about a CPO whose main job is to protect the company from lawsuits rather than protecting customer data from attack, this kind of misuse of language to abuse peoples ignorance and trust must stop.

      ChoicePoints February mea culpa letter was sent, initially, to only California residents because only California law required such action. Thats soon likely to change. In response to the ChoicePoint incident, at least 26 states are considering mandates for disclosure of data breach. If people with data in their care dont clean up their act, theyll find themselves in a costly environment of state-by-state regulation.

      Thats another kind of fractal complexity that no one really wants or needs. Lets stop making self-similar mistakes and make my next information security speech a lot harder to write.

      Technology Editor Peter Coffee can be reached at peter_coffee@ziffdavis.com.

      /zimages/7/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

      To read more Peter Coffee, subscribe to eWEEK magazine.

      Peter Coffee
      Peter Coffee is Director of Platform Research at salesforce.com, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues.Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×