This security incident, the latest in a long line of similar occurrences, got me thinking: Sometimes asking the right questions is more important than getting the right answers. Of course, for those directly affected by this breach, that's really neither here nor there. (Roughly 750 individual cases of identity theft have emerged due to this incident.)
But for the rest of us, for whom a similar breach is all too possible, it's something to think about. Sometimes the mere exercise of questioning how someone might exploit a system--no matter how dubious or obscure the method--can help prevent it from actually happening. This type of brainstorming can expose weaknesses that the company needs to address.
Secure computing today depends on so many more factors than just taking care of your organization's own security. And that means companies can't just base their entire security strategy on depending on Windows Update and antivirus signatures to do their jobs.
Internet security is about more than installing a firewall, disabling cookies, running anti-spyware software, and not opening e-mail attachments from people you don't know. It also means knowing when other people aren't doing these things--and doing something about it. And that requires becoming actively involved not only with keeping software secured and updated, but recognizing and understanding Internet security trends as a whole.
It's become apparent to me that ChoicePoint wasn't asking the right questions about its Internet security--particularly since confidential consumer information is this company's bread and butter. Large, centralized databases represent one of the biggest threats of Internet security. These online databases of personal information are excellent targets for predators because they provide the most access to information with the least amount of work.
And as such a large information broker, ChoicePoint should have recognized--and tried to prepare for--this threat. Unfortunately, too many companies, lacking a real understanding of Internet security, depend too much on the claims and opinions of others without delving too much into researching security.
Of course, Internet security is a vast, complicated topic. It involves so many aspects that it's impossible for anyone to know all the answers. And yes, that includes me. While I try to be as accurate as possible and offer helpful information about Internet security, I don't have all the answers--no one does. But again, sometimes it's better to ask the questions.
I receive a lot of feedback from readers about this newsletter, and I read every message. And of course, not everyone agrees with my take on Internet security. But that doesn't bother me; I appreciate all of the feedback--good and bad.
I'd much rather provoke readers to ask more questions about their own organization's security. Companies are the best source of insight into their own security. In my opinion, it's vital that we continue to question any and all methods and devices designed to improve computer security because someone else is already out there questioning how to defeat it.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.