By Rodney J. Johnson
President, Prescient Consulting Inc.

Dear Readers,

In light of the recent hacking incidents we've seen in Korea and abroad, we've invited our friend and security specialist, Mr. Rodney J. Johnson, President of Prescient Consulting, Inc., to shed some light on the subject in this month's newsletter.

- Steve McKinney

One of the mantras of the modern-day approach to thinking about security is that information security has a disproportionate impact on all security. All of the barriers, locks, cameras, and guards won't protect you if your company is leaking information. And if your company is like most companies, leaking information it most likely is.

Information security is security, because information leakages don't just lead to information security problems. They lead to security problems of all types. When it comes to IT security, today's hackers are persistent. They know that IT departments are maintained by equally skilled and persistent professionals. They know that software and hardware holes are rapidly plugged and that hacking computer systems is getting harder. So they are turning to what always worked before we had computers, and what still works today – attacking people.

People are hacked in the same way they always have been: by gaining their trust and then betraying that trust. It is the role of small bits and pieces of leaked information in the gaining of that trust that we are concerned with here.

Traditionally, the phrase 'security through obscurity' has been looked down upon by security practitioners because it implied that all that needed to be done to ensure safety and security was to stay off the radar. Being obscure was often seen as leading to laziness in other security practices, and since one cannot choose when obscurity ends (the bad guys choose that), one will not be prepared when it does.
Therefore, chasing obscurity as a solution to security problems was chasing the wrong goal.

While the above argument is certainly true (staying off the radar is not the only security measure necessary), the reverse is also true. Staying off the radar does make you safer. So long as information obscurity is maintained, security is definitely enhanced.

For security purposes, information security doesn't just mean keeping a tight grip on proprietary and confidential information and intellectual property. It means watching over things like employee lists, phone directories, appearance of company credentials, and company operating procedures. It means being careful with what we post online, how we use social networking sites, how and where we communicate, and how we dispose of our trash. It means training your people in how to avoid being the prey of a social engineer, who will use already known information to gain trust and extract further information through that trust.

Long-term persistent threats come from small handholds that grow to be big thresholds, through the piece-by-piece attainment of intelligence in the hands of a skilled analyst. One piece of information, attained by skilled social engineers, leads to the next. And the next. And the next. This is common knowledge to salesmen, researchers, and recruiters everywhere, who use small bits of knowledge, and a computer or phone, to obtain key information they seek about their business targets.

Being as careful as possible with even innocuous-seeming information makes individuals and organizations a harder target. Assuming that a piece of information is harmless because it is small and non-confidential is a mistake. Assuming that company personnel know what information is important and what is not is a mistake.
Assuming personnel can use common sense to fend off social engineering attacks is a mistake.

The case of the kidnapping of Ivan Kaspersky is a good example of how information security became a physical security problem. Kaspersky, the son of Russian IT security billionaire Eugene Kaspersky, was abducted while walking from his apartment in Moscow to his internship at a local software company. He was later released unharmed after the kidnappers were tricked by police into believing ransom had been paid. All of the perpetrators were arrested. Kaspersky had been abducted by a group of 5 who were led by an older couple who perpetrated the act because they were in debt. The case was so easily solved because the gang was composed of complete novices.

As first-time kidnappers, the whole crew was amateurish in planning, executing, and completing the deed. It was later learned that they performed stalking surveillance on Kaspersky for several months prior to abducting him. During that time they attempted to learn his habits and daily routes of travel. They utilized the web and social media to get the surveillance started. Kaspersky had posted pictures of himself, along with information about his girlfriend, past addresses, place of work, and other personal information. It was ultimately Kaspersky's lack of management of his own information that led to his abduction by amateurs who would have otherwise been completely unable to profile him. His lack of information security awareness, coupled with lack of physical situational awareness, led to him becoming a hostage.
Those first footholds found on the web led to much greater danger, of a completely different type, down the line, as seemingly innocuous information led to real physical danger.

About McKinney Consulting: McKinney Consulting is an executive search firm (sometimes simplified as executive recruiters or headhunters) which has placed hundreds of bilingual middle-to-senior-level executives for multinational companies in Korea & Asia and was established in 2001. McKinney Consulting is a member of the Association of Executive Search Consultants (AESC). In addition, McKinney Consulting provides behavioral-based coaching services with scientifically developed tools in coaching executives and businesses to excellence and success. McKinney Consulting coaches are members of the International Coaching Council. McKinney also offers Talent Management services such as the outsourcing of candidates and payroll services.