Fri 26 Sep 2008
Why I Care and Why You Should, Too
Posted by admin under Tips
At the 2007 InformationWeek conference, the CEO of McAfee announced that cybercrime had reached $104B USD annually, surpassing the value of the global wholesale illicit drug trade.
I have reservations about both of these numbers. However, even if we believe they are correct only to an order of magnitude, we still see an immense problem.
I could give a variety of statistics, theories and the-sky-is-falling rants, but let's think about a couple of particular examples instead.
1) The Corporate Whistleblower
Alice wants to expose corporate wrongdoing but has a family to support. She can't afford to lose her job.
Alice finds the data, plugs in a USB drive containing PGP, obtains the public key for the Attorney General and encrypts the data with it. Anyone searching her computer would find a file that is obviously encrypted but whose contents are unreadable; only the holder of the AG's private key can decrypt it, which is why Alice should check the key's fingerprint through a second channel before trusting it. At this point the original data remains untouched on the company server, although the server's own access logs, if anyone keeps them, still record that she read it.
Alice launches Privoxy and Tor so that her connection to her Gmail account is routed through the Tor network. Corporate network monitoring can see her outbound connection to the first Tor node but not where the traffic goes after that. Two caveats: the addresses of Tor entry nodes are public, so a watchful team can tell that she is using Tor even if not what for, and none of this helps if the company runs monitoring software on the laptop itself, which sees her screen and keystrokes before Tor ever does.
Alice sends the data to the AG, closes her network connections and wipes the file and the free space on her hard drive. Overwriting is only as good as the filesystem allows: journaling filesystems, swap and backups can all hold copies that a wipe never touches.
Most corporate IT teams will not even register that anything unusual happened. Those that do would have a hard time figuring out exactly what. A few very paranoid and very skilled teams will be able to identify Alice as the source of the leak.
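What the "very paranoid and very skilled" team would actually do is look for the one thing Alice cannot hide: the hop to the first Tor node. The following is an added example, not code from the original post, of that detection logic run over constructed Squid-style proxy log lines. The relay addresses, client addresses and user names are all made up for the example; in practice the relay list would be loaded from the current Tor consensus and refreshed regularly.

```python
"""Flag outbound proxy connections whose destination is a known Tor relay.

Added example with constructed data; not part of the original post.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed stand-in for the public list of Tor relay addresses (assumption:
# a real deployment pulls this from the Tor consensus and refreshes it often).
TOR_RELAYS: Set[str] = {"198.51.100.7", "203.0.113.42"}

# Tor's default onion-router port. A secondary signal only: many relays listen
# on 443 precisely so that they look like ordinary HTTPS.
TOR_DEFAULT_ORPORT = 9001

# Constructed Squid native-format access.log lines:
# timestamp elapsed client code/status bytes method url user peerstatus/peerhost type
SAMPLE_LOG = [
    "1222425601.123 45 10.0.5.23 TCP_TUNNEL/200 5120 CONNECT mail.example.com:443 alice DIRECT/192.0.2.10 -",
    "1222425602.456 30 10.0.5.23 TCP_TUNNEL/200 91234 CONNECT 198.51.100.7:9001 alice DIRECT/198.51.100.7 -",
    "1222425603.789 12 10.0.5.41 TCP_MISS/200 2048 GET http://intranet.example.com/ bob DIRECT/10.0.0.5 text/html",
    "1222425604.000 77 10.0.5.23 TCP_TUNNEL/200 6000 CONNECT 203.0.113.42:443 alice DIRECT/203.0.113.42 -",
    "1222425605.500 20 10.0.5.23 TCP_TUNNEL/200 700 CONNECT 192.0.2.55:9001 alice DIRECT/192.0.2.55 -",
]


@dataclass
class Finding:
    client: str
    user: str
    destination: str
    port: Optional[int]
    reason: str


def flag_tor_connections(lines: Iterable[str],
                         relays: Set[str] = TOR_RELAYS) -> List[Finding]:
    """Return one Finding per log line that looks like a connection into Tor."""
    findings: List[Finding] = []
    for line in lines:
        fields = line.split()
        if len(fields) < 10:
            continue  # malformed line: skip rather than crash on noisy logs
        client, method, url, user = fields[2], fields[5], fields[6], fields[7]
        # peerstatus/peerhost: the address the proxy actually connected to,
        # which works for both CONNECT tunnels and plain GET requests.
        peer = fields[8].split("/", 1)[-1]
        port: Optional[int] = None
        if method == "CONNECT":
            # CONNECT targets are host:port
            _, _, port_str = url.rpartition(":")
            port = int(port_str) if port_str.isdigit() else None
        if peer in relays:
            findings.append(Finding(client, user, peer, port,
                                    "destination is a listed Tor relay"))
        elif port == TOR_DEFAULT_ORPORT:
            findings.append(Finding(client, user, peer, port,
                                    "CONNECT to Tor default ORPort"))
    return findings


def sources_using_tor(findings: Iterable[Finding]) -> Dict[Tuple[str, str], int]:
    """Group findings by (client address, user) so the analyst sees who, not just what."""
    counts: Dict[Tuple[str, str], int] = {}
    for f in findings:
        key = (f.client, f.user)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = flag_tor_connections(SAMPLE_LOG)
    for h in hits:
        print(f"{h.client} ({h.user}) -> {h.destination}:{h.port}  [{h.reason}]")
    print(sources_using_tor(hits))
```

The relay-list match is the reliable signal; the port heuristic is there to catch relays the list has not caught up with yet, at the cost of false positives. Either way the output tells the team that Alice's machine talked to Tor, not what she sent, which is exactly the gap the scenario describes.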
2) The Hungry Sales Agent
Bob is a life insurance agent for a nationwide firm. His client files, including a lot of personal and sensitive information, reside on his laptop. This makes it easy for Bob and saves him the trouble of logging into the corporate VPN.
Bob is at a corporate client’s site and finishes his morning session with management. He leaves his laptop and briefcase in the conference room. Fifteen minutes later, lunch in hand, Bob returns to find his laptop missing.
The thief, Eve, reboots the laptop into her own operating system from a CD she brought with her. Bob's login password never comes into play: it protects his session, not the disk, and only encryption of the disk itself would have stopped her. She quickly copies the client data and packages it to sell to identity thieves. Eve wipes the computer and sells it for a couple hundred bucks.
Three months later, customers of this firm receive a notice that their personal data may have been compromised and are advised to hire a credit monitoring service. In most cases, the damage will already have been done.
(This actually happened to me. Even large companies show remarkable apathy towards the danger that their clients face. I start getting notices when I'm 30 days late paying a $30 cable bill. A Fortune 500 company has no excuse for waiting three months when my personal credit and personal reputation are at stake.)
The bottom line is this: properly implemented information security lets people live their lives free of interference from those who do wrong. It is as basic as the latch on your window and the lock on your door.