There are several aspects of Security.
A Secure Channel is based on the concept that it is difficult if not impossible to access the messages passing through the channel. At one extreme is a dedicated channel with reliable protocols for handshaking (hardware, software) to start a communication session and to maintain the session for a specified period.
A Secure Message adds another level of security (if used with a Secure Channel). A secure message is based on the concept that it should be difficult if not impossible to intercept or access the message and decrypt it within a reasonable time. An assumption is that the value of a message is time-bounded and the system that generates it guarantee the security for a secified period.
If the sensitive data in the repository (data base, servers) and the media can be “disguised” (using cryptography …), yet another level of security can be achieved.
Securing data requires time, resource and adherence to privacy rules, ethics. Even some large corporations (e.g. which maintain credit scores) are lax in guarding the information of their employees and clients.
In this part of the world, three companies “collect and monitor data” to determine if a person is “credit worthy”. They provide a FICO score that is used by companies and institutions to determine the “risk level” of a person applying for a “loan” (perhaps to buy a house).
Sad to say, one company was presumably STINGY or not “technologically savvy” to provide “multiple line of defense” against intruders. Even after two of its subsidiaries were hacked”, the company did NOT report the intrusion to its customers and the general public, most of whom now have to figure what “lies ahead” with their precious private data (such as social security number, credit cards …) “stolen”.
Could this incident have been prevented?
Security Breaches and Possible Prevention
Many years ago, I had to use a “smart card” to enter the office building and to access computers. We were told NOT to use SSN and sensitive information in e-mails. We had to refrain from “printing” documents heedlessly, and to shred” them (or put in “special bins for shredding later”). We had to take courses about
- handling different types of data (private, sensitive, classified …)
- secure communication channels and/or secure data
One company developed software to “encrypt” or “replace” sensitive data from e-mails, files, database. The “test” environment has to ensure that no sensitive data is “leaked”. A subtle assumption is that “insiders” may explicitly or implicitly be “partners in crime”.
The following are some incidents that happened :
- The backup tape for “personnel data” went missing.
The affected personnel had great pains to “correct” their profile
- Lap tops containing sensitive information were stolen.
The information were not encrypted, or encryption with “weak” keys
- Without a unique “national” ID, many companies and institutions
use SSN for storing/access records.
Example : A professor posted Social Security Numbers of the students along with the grades.
A few mischievous students started “identity theft”.
- “Phishing attacks” or “malicious companies set up with the intention of getting credit reports from unwary job seekers.
- A credit card was used “in rapid succession” at a different state or outside the country.
Some credit card companies are good in sending “alerts” about “fraudulent uses”.
- There were attacks on the Open SSL.
The “bug fix” made by a “professor” was NOT properly reviewed and validated.
I have touched only the surface of the “security problem”.
Professor Dr. Than Tun was asked “Why should we learn History?”
He replied, “To ensure that one is not stupid or dumb”.
To paraphrase, “Why should we learn about Computer & Data Security?”
“To save countless people from having sleepless nights. Losing one’s identity, assets … is intolerable”.
U Khin Maung Zaw (KMZ, EC76) wrote :
One of the first work items on the Data Security is the classification of the data, it depends on what kind (or items) of data is collected/stored in a given application, At some point, it is termed ‘Data Asset’ and have several categories as below.
HBI – High Business Impact
MBI – Medium Business Impact
LBI – Low Business Impact
PII – Personally Identifiable Information
HSPII – Highly Sensitive PII
Of course, the above is not the exhaustive list, and is UN, HIPAA – Health Insurance Portability and Accountability Act, has one of the strictest regulatory requirements.