Failures of Information Security: Observing the World and Asking Why

By Adam Shostack and Andrew Stewart, Addison-Wesley Professional | Security, data breach, information security

Specialists refer to self-propagating network viruses as worms. On November 2, 1988, Robert Morris, Jr., a student at Cornell University, released the first internet worm. Morris claimed that his intention was not to create damage, but to attempt to determine the size of the internet at the time. The worm had a bug that caused it to infect machines too quickly. The Morris Worm, as it became known, pre-dated a raft of damaging internet worms that took root on the internet and within enterprise networks from 2001 onward. There was no fundamental difference between the methodology or techniques used by those modern incarnations of worms and the original Morris Worm. (The Morris Worm targeted the most popular operating systems on the internet, just as subsequent worms have done.) A decade passed between the Morris Worm and those later incarnations.

Viruses, worms, adware, and other hostile code are now lumped together under the generic term malware, meaning software that no one wants around. We have gained more knowledge of malware, and the defensive technologies we can employ have become more robust. But modernity is little consolation if we continue to fall victim to the same problems.

Security Breaches

In mid-2006, the New York Times and the Associated Press revealed that a laptop containing the personal information of 26.5 million U.S. veterans had been stolen. This is about 9% of the U.S. population. The 26.5 million individuals who were affected were all living veterans who had been discharged since 1976. When the data breach was announced, much uproar occurred in the press and among veterans. The question most often asked was, how could this happen? The reality was that many other organizations of all sorts and sizes have suffered similar breaches in their information security. The organizations affected by these security breaches range from government departments to nonprofit organizations and multinational corporations. Only some states require companies to publicly disclose breaches. Reports are most prominent (or at least most visible) in the English-speaking world, so we are most able to discuss breaches that affect Americans.
