Managing Information Security Breaches

by Mark Rowe

Author: Michael Krausz

ISBN No: 9781 8492 85957

Review date: 28/04/2024

No of pages: 210

Publisher: IT Governance

Publisher URL: http://www.itgovernance.co.uk/

Year of publication: 16/02/2015

Brief:

Managing Information Security Breaches - Studies from real life, second edition, by Michael Krausz. Published 2015 by IT Governance Publishing, 210 pages. Visit www.itgovernance.co.uk.

Price: £24.95

For years we have had the British and then international standard for information security management, ISO 27001. What, though, if despite your work you have an information security breach? As the author of a guide admits, it’s a ‘somewhat uncomfortable subject’. Michael Krausz in Managing Information Security Breaches talks us through what to do, and how to investigate, when the ‘worst comes to the worst’.

The author does well to bring out how wide a net the information and IT security manager should cast, taking in not only computer network hacking but rants on social media that might damage reputations, or be a sign of insider trading; and what we might call old-fashioned security failures in physical site security or staff screening. This is, as the sub-title ‘studies from real life’ suggests, a book for any security manager, not only the IT specialist.

That said, the very last case study in the book shows how hard it is to track a human – in this case an amateur trying to extort money from an online company, after pointing out a software flaw, making demands by email and putting defamatory videos on YouTube. If the hacker-extortionist uses stolen SIM cards and lives in a European country ‘with a rather weak judicial infrastructure’, the case could run and run. Such cases show at once how IT and the internet have made the business world and its risks international (the offender can be in one country, the extortion against a subsidiary in another, the investigators in a third country or indeed continent) and yet local (for filing a criminal complaint in the offender’s home country, a native speaker is essential, for instance to apply ‘social engineering’ to head off the extortionist). Silencing a threat – getting videos taken off YouTube – may take lawyers, IT and private investigators, then.

Krausz, an IT security trainer and auditor, writes in terms of risk and the current, 2013 edition of that 27001 standard. As with any security or indeed other risk, you analyse; you avoid or accept or mitigate for those risks, and you keep reviewing your ‘risk profile’. In this case you are asking what are the events that could seriously damage your company’s information assets, and their confidentiality, availability and integrity.

You might prefer to skip to the second half of the book, of case studies from small, medium and large firms, covering everything from stolen hardware (laptop or back-up) and faxes eavesdropped (surely one for the history books?!) and more human threats such as the manager who changes jobs, or the thieving guard. Some risks are not strictly security but damage the assets just the same, such as a flood. These case studies, like the standard 27001, bring together what you might call the traditional security risks (physical protection of the pieces of kit that the data sit on) and IT (such as malware or domain links that harm the company’s reputation). The motives remain the same, whether the fraud or theft is old-fashioned or new-tech, insiders or outsiders wanting to enrich themselves at the organisation’s expense.

While understandably the case studies are not identified, they do give a rounded picture of the IT and information security field. For instance, you might imagine – or IT might have you believe – that IT security, like IT, is a black or white, zeroes and ones, right or wrong world of things working or not. Except Krausz offers the case of a web domain owner sending traffic to a company through a derogatory or defamatory website. An investigator using standard IT tools found the offender – who was already in prison. As the prisoner was doing good business with the company, and merely abusing the business model, the company decided to leave it be – at least until the offender came out of jail. The breach – or rather an incident, which may be a matter of ethics rather than a case for a court of law – is unresolved.

Another case, ‘the trusted guard who was not’, tells of a defence sector company’s gatehouse guard who had a conviction for computer fraud. The security contractor had not done a background check, and the guard had kept quiet about his past. The guard began to connect his laptop to the company network, and thanks to predictable passwords found some online banking IDs, and PIN and other numbers. The guard made some bank transfers, ‘substantial, but not really high enough to arouse suspicion’, only they happened on a Friday, and the company chief financial officer knew that he never made transfers on a Friday. The guard was convicted, the guard contract terminated and the IT manager fired. Krausz, however, notes another case in which the contractor offered to pay for the damage and fired the guard, to keep the media profile low, rather than reporting anything, or rather anyone, to the police. As Krausz points out, while the company made IT-related mistakes, the ‘essential and basically unforgivable mistake’ was by the contract guard firm in not checking the guard’s background. Put another way, seldom is there one vulnerability; the thief takes advantage of more than one.

Or, you might want to skip to the end and the eight-page ‘sample treatment process’ as an aide-mémoire for dealing with a security breach of any sort. However much or little you dive into this book, then, it’s an interesting, important and relevant work.


© 2024 Professional Security Magazine. All rights reserved.
