Low-tech causes for high-tech security breaches

7 November, 2005
By Robert Dutt

It's no secret that security is one of the hottest spaces of the information technology world, with companies spending billions on solutions to security headaches like phishing, pharming, keyloggers and "blended threat" malware.
But a new list published by security vendor Secure Computing points out that not all of today's security risks come from technically sophisticated challenges. In fact, some stem from much more basic parts of human nature.

Social engineering came in first on the company's list, and is one of the oldest tactics in the malware author's toolkit. A well-written virus goes a long way. It goes even further when it promises forbidden images from within Abu Ghraib, or of nude Russian tennis stars. Many people online will misrepresent themselves for their gain, so train employees to be careful about who they give what information to.

"Shoulder surfing" comes in second, the familiar tactic of reading your PIN over your shoulder, or using a sidelong glance to gain business information from an open spreadsheet. Simply make sure your employees are careful about shielding their paperwork, their keypad or their computer screen using their body, and make sure people are keeping an eye out for folks who are getting suspiciously close at inopportune times.

Sure, you love your friends, family and co-workers. But they still come in number three on the list -- a 2005 study from the Better Business Bureau shows that most cases of identity theft come from someone the victim knows. Take a page out of wartime posters here -- loose lips really do sink ships, and the boat going down could be your own.

When it's not someone you know who perpetrates identity theft, there's a good chance it could be the work of number four on the list -- dumpster diving. It happens to the best of us. Even banks are under increasing pressure to make sure that documents, even those as simple as ATM receipts, are properly disposed of. When in doubt, shred it before it leaves your workplace.

Mobility, and the ability to take copious amounts of data and information with you, is a great thing. But every day, it's estimated that 25,000 personal digital assistants go missing, many of them with sensitive corporate data, and just one stolen laptop can divulge a lot of sensitive information to the wrong people. Either don't let that information leave your premises, or make sure it's well-encrypted before it does.

It's important to be able to print out documents, but be careful with what employees are printing, and even consider restricting their ability to print sensitive information. You never know -- according to many reports, a criminal group in New Jersey recently stole the details of more than 675,000 customers simply by getting bank employees to pull up account data and print out the information.

A lot of data is lost in transit, on its way to offsite backup. Make sure that data you're sending out on disks and tapes is accounted for every step of the way. Oh, and encrypt data while it's en route, just to be sure.

We've all seen people who have little yellow sticky notes all over their monitor. That's fine when they're full of reminders to work on an important project, the time of a meeting, or to pick up eggs and cheese on the way home. But a little sticky note can also defeat the best-planned security practices, if it contains a user's password information. Consider using some other form of authentication, or at least, make sure employees know not to put their password on their stickies.

Search engines are powerful tools. So powerful that hackers can easily harvest thousands of credit card numbers and other important pieces of identity just by using one. Individuals should search for their credit card and Social Insurance numbers every now and again, and if they find them, notify the offending Web site to get them taken down. Businesses should do a regular audit of what information is actually accessible via their Web site, and get anything that shouldn't be public information off of those sites.

Rounding out the list is simple burglary. It's doubtless a pain when someone breaks into the office and swipes a computer. But it becomes far more painful when that computer is full of identity-revealing information or financial data for employees or customers. Make sure your facilities are secure, and once again, encrypt sensitive data, just in case.

 
 

Reprinted by permission of Integratedmar.com (integratedmar.com), EchannelLine © Copyright 2005 Integratedmar.com Corporation.

 