05 Feb 2013 How Safe Is Your Data From Theft?
Wait, you’ve never heard of him?
OK, let me recap events for those of you that may not be old enough to remember everything that led to Schneider’s arrest on February 8th, 1972.
It all started with some dumpster diving. But Schneider wasn’t looking for food. He was looking for spare parts. Schneider knew that the phone company would throw away used and broken equipment. So he would jump into a dumpster full of phone parts and scavenge for whatever he could find. If he could fix it up and sell it then all the better.
What he didn’t count on finding was all that paper.
Along with the used and broken equipment the dumpsters often contained old invoices. Schneider found them curious enough at first and started collecting them to see if he could learn more about how the phone company would process equipment orders. Over time he did just that and soon he learned enough about ordering process that he could call the telephone company and impersonate an employee. He would ask a few questions and obtain even more details on procedures. Eventually he managed to get a tour of the warehouse by pretending to be a freelance journalist.
Then in June of 1971 he placed an order for $30,000 worth of equipment to be dropped off at a construction site. Jerry was right there to collect it and promptly sold it for a nice profit.
Because this crime involved computers to some degree (the invoices were computer printouts, and the ordering process was computerized) this crime was labeled a “computer crime”. I say it is more of a social engineering crime which is really just the modern way of saying “con-artist”. At the time this crime was one of the largest computer crimes with Schneider having stolen about $900,000 worth of equipment.
How did he get caught? Business was so good for Jerry that he needed to take on a partner. When the partner found out the details of the business he demanded a hefty increase in his salary. Jerry refused, the partner went to the cops, and that was the end of it.
What Have We Learned?
It’s been forty-one years since that happened. What have we learned in that time?
First, social engineering hasn’t gone away. It never will, either. What comes and goes is the awareness to social engineering and what information you are sharing with someone, even close friends and family. During times of war (i.e. WWII) it was quite common to not say one word about what you were doing on a daily basis not even to your family let alone strangers that struck up a conversation at a coffee shop.
Second, people still throw away pieces of paper with valuable information on them. You know those credit card applications you get in the mail, the ones that have your personal details already pre-filled on the application form? Are you shredding those or just tossing them in the recycle bin? If you are not shredding those applications then don’t be too surprised when you find yourself the victim of identity theft one day.
Third, employees take their work, and data, home with them all the time. Often times they and up losing a laptop, perhaps even having it stolen, and BOOM! a few hundred thousand customers end up with a nice form letter from the company legal team informing them that there was a security breach.
When In Doubt, Don’t
That quote is attributed to Benjamin Franklin and I believe it sums up just about everything when it comes to data security. If you ever have a doubt about your data being secure, stop. Get up off your arse and determine if a problem exists and then determine what you can do about it.
Here’s a list of five things you can be doing today to help put your mind at ease. They aren’t foolproof, but they are likely to help you help your company from being named in a lengthy lawsuit.
- Encrypt The Data – You can use tools like BitLocker to protect your disk drives and most database platforms offer some type of encryption protection such as Transparent Data Encryption (TDE). If you aren’t making the minimum effort to encrypt your data then you deserve your fate.
- Most Email Is Not Secure – Do you send each and every email in an encrypted state? Are you comfortable with those reports being embedded in emails? No? Then stop sending them as attachments, and start sending just the link to the URL where the report resides on a network share or in a portal like Sharepoint.
- Trust, But Verify – If you don’t know a person then don’t give them access to information no matter how nicely they ask. If someone persists on getting access then do a little legwork and verify that their request is valid. You owe it to your data to verify that the person is authorized to see the information they are asking about. The days of giving someone full access are over. Sure, I know it’s the easiest thing to do, but it is not the right thing to do.
- Save A Tree – Are you printing out your emails like it was 1999 and you needed to save a hard copy of everything just in case some men dressed in black show up and ask to see your files? Stop. Just stop it. And whatever documents you are printing out you should shred whenever you are done with them. Don’t even think twice about this part, just shred.
- Ask Yourself “What If?” – What if that piece of data got loose? What if someone outside the company was reading this old invoice? What’s the worst that can happen? By asking yourself that question you are more than likely going to find yourself understanding that every piece of data needs to be treated as if it was the most important piece of data. Guard it as if the future of your company depended on it’s privacy remaining intact.
Every day it seems a new story comes out regarding data theft, data security, and data breaches. It’s like we are back in 1972 again, except without the bell-bottom jeans. People seemed surprised that data theft continues to happen. I think part of the reason is because most security systems are designed and focused on preventing hackers from breaking in that they don’t understand the real dangers for allowing data to simply walk away on something like a USB stick.
Or even an invoice.