Security is a topic that is high on everyone’s list today. From home alarm systems and data encryption to biometrics, everyone is interested in security measures to protect something valuable. Most organizations have a focus on physical and information security, either due to regulatory concerns or because they really do understand the value of their data and the risks of a security compromise.
Also called a security breach, a security compromise is a term used to describe an event that has exposed confidential data to unauthorized people. The release of the information is likely to have an adverse effect on the organization’s profits, legal standing and/or reputation. Reputation is especially at risk if the organization’s business is to protect information.
An unintentional compromise occurs when information is accidentally released. This can be as seemingly innocuous as an employee’s spouse blogging about the business trip her spouse is about to make to a foreign country. If a competitor becomes aware of this information, it may use it to gain a business advantage, costing the original company future revenue. Additionally, employees may improperly dispose of confidential documents by tossing them into the trash. More than one business has been harmed by dumpster-diving information hunters.
Intentional compromises are those in which a person designs to gain unauthorized access to the assets of an organization. In the case of information assets, hackers continually try to gain entry into the networks of large organizations, using tools that are readily available on the Internet. Countries may mount an attack on another country’s cyberspace, seeking valuable military or technology secrets in order to gain an advantage. More insidious, and many times more successful, is the social engineer.
The social engineer works his way into an organization by taking advantage of the natural desire to help others. For instance, he convinces a person on the inside that he is someone who works for the company and that he needs his access restored. This can manifest itself in the form of a call to the help desk from someone pretending to be a company official whose password has expired and he needs it reset right now. Technicians have fallen prey to this trick and given out information that can be used to access the company’s information. This technique is used by phishers, who send an email telling the recipient that her credit card has been deactivated, and she needs to call a given number to have it reactivated. Upon calling, many have inadvertently given their card numbers and other information that allows the phisher to steal an identity.
Discretion is an important part of security -- on an individual basis or as an employee of a company -- as is ensuring that the person you may be talking with is actually who he says he is. Take some common-sense precautions, and you are less likely to be the victim of a security compromise.
Alan Hughes has more than 30 years of experience in IT including mainframes, programming, client/server, networks, project management, security, disaster recovery, information systems and hardware. He holds a master's degree in applied computer science and several certifications. He currently teaches information technology at the university level.