Protecting your information has never been so entertaining

Summer 2007 Issue #4 Vol.3

CONTENTS AT A GLANCE:

INTRODUCTION: Why do we continue to believe in security myths? 

HAND-PICKED HEADLINES:

1. Newbies apparently hacking through hijacked porn sites? What a combination!
2. Can you spot the Pentagon official trying to downplay a security breach?
3. Injecting explosions into streaming video. Imagine the possibilities!
4. Disclaimer: YouTube videos may infect your computer with malicious software
5. Los Alamos security breach may have exposed nuclear secrets, but don't worry...
6. Can you tune into the washroom video feed at a drug clinic?
7. How far ahead are the hackers? Quite.
8. Bush doesn't trust effusive Albanians with his wristwatch
9. Google: world's biggest privacy threat?
10. 111 Arrested. Did you think the Nigerian Scam was just a guy in an Internet cafe?
11. Um... Is your data leaking?
12. What to look for this month on InformationSecurityCanada.com


Why do we continue to believe in security myths?

On my agenda today is a number (seven: seven's a good number) of recurring issues, myths and other foolishness having to do with my profession. I keep coming across these brain dumps, wondering why, whom and how. If you ever accidentally come across such alarmist articles that talk about threats without really telling you anything, you'll know what I mean. To wit:

1. Did you know: 80% of hacking attacks are internal, 50% are external, 95% are wireless, 45% are targeted, 75% target your identity, 25% are successful, a third come from Asia, etc. Did you know that 57.4% of statistics are made up? This is particularly applicable to the world of security statistics, where lack of measurability is a large part of the problem.

2. Spam! What are we going to do about the spam epidemic? 5 years later, spam continues to be top-of-mind for many people. Spammers are being thrown in jail at an unprecedented rate while hackers continue to happily infect computers through unpatched Windows holes, your always-on instant messenger and their favorite: Web site banner ads. Got a problem with spam? Stop panicking! It really isn't a big deal. Contact me and I'll suggest that you pick up a free Bayesian filter. As a bonus, you get to train it yourself. One person's spam is another's ham.

3. Technology will protect us. You think? If you were a hacker and knew that the Symantec Security Suite is the most popular product on the market, would you release your latest trojan before making sure it defeats the most popular security products out there? I wouldn't. I doubt you would either. If I were risking my anonymity to launch one of the over 1200 known pieces of malicious software released through the Internet each month, I would make sure that mine had the best chance of infecting computers and defeating your favorite anti-virus tool. Get my drift?

4. Hackers won't target me. Why would they? Welcome to 2007! There's no such thing as a 'non-targeted' attack. Every new trojan, phishing email and piece of spyware has a point, a purpose and a target. That target may be you if you happen to fit the bill. Let's see. If you're like most people, you come across banner ads but don't click on them, you occasionally open emails you think you recognize and you instinctively click the Close or X button to get rid of a pop-up window. There you go. You're a target. That's not to say that office administrators in charge of purchasing office supplies with the corporate credit card, or seniors with a penchant for eBingo, are not an even bigger target...

5. A built-in firewall and anti-virus program are all the protection I need, especially since all I do is surf the Web and use email. Really? See #3. I see this all the time. The idea is to fight fire with fire, but most people don't realize that malicious software is light-years ahead of their built-in Windows firewall and their signature-based anti-virus software (see also: headline #7 below). It's not about fear. It's simply about using the right tools (and certainly not about using all the tools at once). For the most part, great security software is still free, at least for non-commercial use. Use it.

6. Your information is safe with them, because this call is being recorded. Why do you trust companies with your credit card number and personal information? Do you believe they can take care of your information? Not really. Do you believe that a company will hire security professionals to put a proper security program in place? Sometimes, but it usually only happens as a result of something you really don't want to know about. No one will protect your information as well as you, so keep your cards close to your chest and don't hesitate to ask whether it's really necessary to give out your SIN, what the process is for disposing of your information, etc. Think of it as lending out a valuable object; better yet, think of it as a towel: you wouldn't want it back if you knew the entire neighbourhood had wiped their armpits with it.

7. Whatever you do, don't ever write your password down. Ever!
Why? Loyal readers will remember that I'm a bit of an iconoclast when it comes to passwords. I prefer to write them down rather than forget them or choose something trivial. The idea is that, while on the road, you protect your wallet more than just about any other piece of property, so if you really need to have a password with you, just write it down (in a discreet, unclear and obfuscated way, of course) and keep it in your wallet. This gives you the freedom to choose a complex password and the peace of mind of not having to worry about forgetting it.

That's it for this month. If you're a home user, I hope you've read between the lines and got some tips such as mixing the types and brands of security software you rely on (without introducing redundancy and overlapping tools).

If you run a company, visit the Informatica site and click on Self-Assessment. It's a confidential way to see how good you are at protecting information and keeping your business assets safe. Don't worry, I'll never know how badly you did. All I can do is imagine it!

Enjoy and remember to share,
Claudiu Popa,
your humble scribe
information risk consultant


THIS MONTH'S HAND-PICKED HEADLINES

1. Newbies apparently hacking through hijacked porn sites? What a combination!

Several hundred pornography sites -- most dealing in incestuous content -- are surprising unwitting users with a smorgasbord of exploits originating from a professional, Russian-made collection of exploits that comes complete with a management console... more

Which words caught your attention here? Unwitting users? Incestuous content? Professional exploits (hacking tools)?

2. Can you spot the Pentagon official trying to downplay a security breach?

"Elements of the OSD unclassified e-mail system were taken offline yesterday afternoon due to a detected penetration. Between 1,000 and 1,500 users of the system were taken offline," US Defense Secretary Robert Gates said, using an acronym for the Office of the Secretary of Defense.

"What does this mean? It means terrorists or nation states could be hacking Department of Homeland Security databases, changing or altering names to allow them access to this country, and we wouldn't even know they were doing it," said Representative James Langevin.

"We obviously have redundant systems in place, and there's no anticipated adverse impact on ongoing operations," Gates said. "There will be some administrative disruptions and personal inconveniences. But, as I say, we get perhaps hundreds of attacks a day." When asked if his own e-mail account was affected, Gates said: "I don't do e-mail. I'm a very low-tech person." more

3. Injecting explosions into streaming video. Imagine the possibilities!

A Czech webcam was streaming lovely pastoral pictures of a local beauty spot, until hackers gained access and inserted pictures of the area being "nuked". Unfortunately, the video was also then broadcast live on television. more

4. Disclaimer: YouTube videos may infect your computer with malicious software

A fake video file containing the Zlob Trojan has been planted on the video-sharing site. If selected, the Trojan bombards infected users with ads. It might also be used to upload other forms of malware onto compromised PCs. more

I couldn't have put it better myself. This paragraph alone, from the Register, is worth a click.

5. Los Alamos security breach may have exposed nuclear secrets, but don't worry...

A critical security breach that may have exposed nuclear secrets at the Los Alamos National Laboratory (LANL) in January was the result of human error and not a breakdown in security processes. The "unintentional security incident" resulted in the transmission of sensitive information through an unsecured e-mail system, Samuel Bodman, secretary of the U.S. Department of Energy (DOE), said in a letter to Congress. more

6. Can you tune into the washroom video feed at a drug clinic?

A live video image of a woman providing a urine sample at a washroom in a methadone clinic in Sudbury, Ont. was accidentally intercepted by a backup camera in a vehicle that was driving by the clinic. more

7. How far ahead are the hackers? Quite.

In layman's terms, here's a top 10 list of reasons why hackers are way, way ahead of the game. Top 2 according to me? You don't have to be a genius to be malicious, and trial-and-error is now a thing of the past: money talks. more

8. Bush doesn't trust effusive Albanians with his wristwatch

One moment President Bush was glad-handing Albanians on Sunday, proudly sporting a watch with a dark strap on his left wrist. Moments later, it was gone. more

Photographs showed Bush, surrounded by five bodyguards, putting his hands behind his back so one of the bodyguards could remove his watch. Smooth!

9. Google: world's biggest privacy threat?

In a recently published study by Privacy International, Google got top marks for being a global threat to privacy. Read all about it. Granted, it's not alone. AOL, eBay, Facebook and Amazon are all included, but Google set off the most bells by far! No time to worry about privacy? Here's a summary.

10. 111 Arrested. Did you think the Nigerian Scam was just a guy in an Internet cafe?

111 people were arrested for being in the Netherlands illegally and "now we must investigate in what way they are implicated in Internet fraud." more

11. Um... Is your data leaking?

(Computerworld) -- Beware: your data may be leaking. According to a recently published IDC security survey, the threat of data seeping out of a company through innocent employee messaging activity is on the rise.

That's the most surprising finding of a study titled "Worldwide Information Protection and Control (IPC) 2007-2011 Forecast and Analysis: Securing the World's New Currency." This inadvertent leakage threat has risen to fourth in importance behind viruses, spyware, and spam, while intentional theft by employees with a criminal or otherwise malicious agenda has actually fallen in rank, and now sits in seventh position. more

12. What to look for this month on InformationSecurityCanada.com:

1. A new menu structure
2. New services specific to Call centres and Blackberry security
3. New downloadable white papers on anti-keyloggers and ID theft protection.
(get these and others from the link below)


Main Site | White Papers | Free Software | News & Articles | Forward to a Friend


About your humble scribe:

Claudiu Popa is a certified security professional (CISSP, PMP, CISA) and president of Informatica Corporation, a Toronto-based consulting company with a strong focus on education. Over the past decade, Claudiu has focused on helping companies improve their information security. Today, he brings effective security to corporate boardrooms, helping organizations manage security, awareness and compliance programs. Claudiu can be contacted by simply replying to this message (and he promises not to respond in the third person). He welcomes your suggestions and comments regarding this publication.


About the Company:

At a governance level, Informatica Corporation is a Canadian security firm with unmatched expertise in regulatory compliance, information risk management and corporate education. At a lower, more technical level, a diverse, high profile clientele trusts Informatica to secure Web sites, applications and workplaces. At every layer, Informatica protects information security and data confidentiality. Visit us at http://www.informationsecuritycanada.com/


Use this link to subscribe.