Posts Tagged ‘policies and procedures’

Social Engineering Rescues Long-Time Hostages

Saturday, July 5th, 2008

Yesterday it was widely reported that 15 hostages held by Colombia’s Marxist guerrillas for as long as 6 years were freed after some very brave and daring commandos posed as members of the guerrilla group.
The news reports described it as a stunning rescue, and it definitely was that; quite stunning!
As we watched the numerous news reports about it, I spoke with my boys about the tactics they used to get the hostages freed.
Recently I’ve been creating social engineering training content along with a social engineering awareness assessment tool, and something I found remarkable about the rescue was how it used social engineering to its full effect to rescue the hostages.
Some of the tactics in this situation included:

(more…)

Just Because Security Is Simple Doesn’t Mean People Will Do It

Thursday, July 3rd, 2008

Last Friday I was pondering whether folks were more diligent about security in their homes than businesses were, based upon my admittedly very unscientific observations of wireless access points as I drove through the Des Moines, Iowa metro.
To which Davi Ottenheimer commented (thanks Davi!),

(more…)

Texas EZPawn Throws Away Its Security Promises and Customers’ Privacy and Gets Handed A Significant Penalty

Wednesday, July 2nd, 2008

Well, here is yet another company that had a nasty habit of just throwing papers containing their customers’ personally identifiable information (PII) into publicly accessible trash cans.
On June 24 a Texas judge handed down a civil penalty of $600,000 against Texas EZPawn for tossing their customer PII, including Social Security numbers, bank account information, driver’s license numbers, date of birth, and other identifying information, into their trash cans without first irreversibly and completely shredding the papers. You can see an example of the types of records found in the trash in the court documents.

(more…)

Information Security and Privacy Convergence Is Nothing New…Both Areas MUST Collaborate

Tuesday, July 1st, 2008

The comparatively new awareness of the need for information security and privacy convergence and collaboration has actually existed for many years. I first experienced this firsthand in the first half of the 1990s when I was responsible for information security in a multinational financial and insurance company. The company launched one of the very first online banks, and I was establishing the security requirements when I saw the need to address the privacy aspects. This was before the passage of GLBA or HIPAA, but I knew that a few bills addressing privacy were being considered, not only in the U.S. but also worldwide, and that the OECD privacy principles were the basis for many of the privacy requirements.

(more…)

Where And How Do You Dispose Of Your Cell Phones and Paper Documents?

Monday, June 30th, 2008

Something I’m planning to do this summer with my sons is some dumpster diving, with the advice of my police and security services company owner friends, to see just how much personal information is left out for just anyone walking by to pick up and use, or misuse. We’ll also see about any cell phones that were just dropped in the dumpster or trash can…
How do you dispose of your cell phones? At work, and at home? And what do you do with the papers that contain personally identifiable information (PII) and other sensitive information when you throw them away? Are you more diligent at work? Or at home?
With this in mind, here’s another section from the third article in my June issue of “IT Compliance in Realtime”…

(more…)

Where And How Do You Dispose Of Your Computers, CDs, USB Drives, Etc.?

Sunday, June 29th, 2008

In the past few years I’ve performed over 100 information security and privacy program reviews for the vendors and business partners of my clients, and I have often found these contracted organizations have lax to non-existent to outrageously irresponsible computer and electronic storage device disposal practices. One of the “information security” policies for one of the vendors actually directed their personnel to try to sell their old computers and storage devices on eBay or other online sites in order to recoup some of the costs…this was in their “Information Disposal Security Policy”! It had absolutely no mention of removing the data before trying to sell the devices; the main intent was to recoup as much of the investment as possible.
With this in mind, here’s another section from the third article in my June issue of “IT Compliance in Realtime”…

(more…)

More Wifi Security At Home Than At Work?

Friday, June 27th, 2008

Last week I posted about how, while driving my sons into town for Noah to attend band camp, they found 100+ wifi hotspots, and only 12 of them were secured according to their MacBook lock icons.
This was in a primarily business area, with lots of small to medium sized businesses along the road, strip mall type of shops, and a large shopping mall.
This week while driving my sons into a different part of town for Heath to attend

(more…)

Disposal of Computers

Thursday, June 26th, 2008

Time to post some of the info from the 3rd of the articles from my June issue of “IT Compliance in Realtime Journal” before the month is over!
The 3rd article is “What to Tell Personnel: Disposal Security and Privacy.”
Here is a section from the article…

(more…)

Tools <> Technology

Wednesday, June 25th, 2008

I participate in the LinkedIn community, and I occasionally put out short “status” messages when I’m working on products, projects or going to provide training. My current “status update” statement is, “Rebecca is creating tools to support information security, privacy and compliance management and leadership.” (I’m really excited about these tools…I know they work!)
I received a message regarding this status update from one of my LinkedIn contacts. Here’s an excerpt…

(more…)