Wednesday, March 29, 2006

Weeding Out the Unprepared.

Ongoing process improvement is an important and often overlooked element of every security program. It is not enough to identify a vulnerability and implement remediation if you do not also ensure that the asset and risk assessment is reviewed again on a regular schedule. This is often considered the mark of a true security program, rather than a collection of security activities. If you work in a regulated industry or submit to other types of audits, ongoing process improvement is almost always one of the "weeder" items on the checklist. Remember college, where there was always that one course that weeded out the less talented students? The same applies to ongoing process improvement, the audit checklist and security.

Sunday, March 05, 2006

Why Convergence?

Physical security and data security organizations typically work independently of each other. You know this to be true, since you see it at every company you have ever worked at, unless it is IBM, Microsoft or just a handful of others. Well, let's take a look at some obvious security events that never get detected in the typical (unconverged) environment:
1. Bob does not badge in to work today, but someone accesses data and applications normally used by Bob. This is probably not a security event in your company.
2. Bob gets up from his computer workstation and leaves the building to go home for the night. He even badges out. Bob's computer continues to run just as though he went down the hall to use the restroom. Would this be true at your company?
3. Bob works in customer support, yet he uses the computers in his department to access files that are normally accessed only by people in accounting. These two departments are on separate floors of the building. Would this be a security event in your organization?

These three examples illustrate how the separation of physical security and data security creates a set of vulnerabilities that ought to embarrass any security organization that claims to have performed a risk assessment.
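As an added illustration (not code from the original post), the following correlates a day of constructed badge-reader events with constructed logon and file-access events and flags the three scenarios above; every user, department, door and path is made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not from the original post): badge swipes from the
# physical access system and logon/file events from the IT side, one workday.
BADGE_EVENTS = [  # (timestamp, user, direction, door)
    ("2006-03-05 08:02", "alice", "in", "lobby"),
    ("2006-03-05 17:31", "alice", "out", "lobby"),
    ("2006-03-05 08:10", "carol", "in", "lobby"),
]
ACCESS_EVENTS = [  # (timestamp, user, action, target)
    ("2006-03-05 08:05", "alice", "logon", "ws-alice"),
    ("2006-03-05 09:15", "bob", "logon", "ws-bob"),  # bob never badged in today
    ("2006-03-05 10:00", "carol", "file", "/srv/acct/ledger.xls"),  # support reads accounting data
    ("2006-03-05 18:40", "alice", "file", "/srv/eng/notes.txt"),  # activity after badge-out
]
DEPARTMENT = {"alice": "engineering", "bob": "support", "carol": "support"}
RESOURCE_OWNER = {"/srv/acct/ledger.xls": "accounting", "/srv/eng/notes.txt": "engineering"}
FMT = "%Y-%m-%d %H:%M"


def correlate(badge_events, access_events, department, resource_owner):
    """Return (rule, user, timestamp) alerts for the three unconverged blind spots."""
    # Badge history per (user, day), sorted by time: [(time, "in"|"out"), ...]
    badges = defaultdict(list)
    for ts, user, direction, _door in badge_events:
        t = datetime.strptime(ts, FMT)
        badges[(user, t.date())].append((t, direction))
    for history in badges.values():
        history.sort()

    alerts = []
    for ts, user, _action, target in sorted(access_events):
        t = datetime.strptime(ts, FMT)
        history = badges.get((user, t.date()), [])
        if not history:
            # Case 1: the account is in use although its owner never badged in today.
            alerts.append(("no-badge-in", user, ts))
        else:
            # Case 2: the most recent badge event before this activity was a badge-out.
            earlier = [direction for bt, direction in history if bt <= t]
            if earlier and earlier[-1] == "out":
                alerts.append(("active-after-badge-out", user, ts))
        # Case 3: the file belongs to a department other than the user's own.
        owner = resource_owner.get(target)
        if owner and owner != department.get(user):
            alerts.append(("cross-department-access", user, ts))
    return alerts
```

Calling `correlate(BADGE_EVENTS, ACCESS_EVENTS, DEPARTMENT, RESOURCE_OWNER)` on the constructed logs yields one alert per scenario; in practice the badge feed and the directory/file-server logs would need a shared user identity and synchronized clocks for the join to be trustworthy.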

Sopranos Go After the Data

Have you ever watched the Sopranos on television? Or any mafia movie, for that matter? They always seem to be hijacking trucks. What are they after? Well, they steal cigarettes, razor blades, electronics: things that are easily converted into cash. These are called fungible items.

In today's world, financial identities are fungible items. A good financial identity will fetch $2 on the open Internet. Moreover, there are a number of scams that allow less than $10,000 to be converted into $1.5 million with virtually no risk of being caught.

I am not writing this to encourage any of you to get into the Internet scam business. Rather, I write this to underscore why so many businesses and individuals are under such intense attack over those financial identities. These attacks are increasing, and the people behind them will keep looking for new targets and new victims.