Information Breaches & Incidents
All documents are in PDF 1.4 format, compatible with Adobe Reader 5.0 and higher
A review of government departmental information security by the Western Australian Auditor General demonstrates that throwing money at the problem is not enough – you also need a strategy, sound tactics and responsible operations.
A widespread payment card breach via the POS terminals of several US retail chains demonstrates the dangers of failing to impose standards on, and supervise, your outsourced services.
Common characteristics of breaches at RSA, DigiNotar and the Linux kernel archive cause us to recommend that third-party online services should be required to publish the fact, if not the detail, of their security incidents.
What went wrong at DigiNotar? The catalogue of technical failures that contributed to the breach strongly suggests inadequate governance – and that breach closed them down permanently.
How do you judge the competence of experts? Every successful breach is ‘sophisticated’ – or is it? Nonsense and snake oil abound – particularly in the press – and unfocused Fear, Uncertainty and Doubt still dominate ‘expert’ pronouncements.
The fact that a non-technical Georgian grandmother could effortlessly disconnect the whole of Armenia from the internet suggests that infrastructure robustness requires some strategic thought.