Ask Dr. G.

Mama Gigabyte's favorite son Dr. Gigabyte is ready, willing, and able to help your company prevent cyber lowlifes from accessing proprietary information. But have the major movers and shakers taken advantage of his indisputably vast (not to mention free) stores of knowledge? N-o-o-o-o! The result? Corporate fiascos and the letter below. Take heed now!

Dear Dr. G.: I received a pen with the ChoicePoint logo at a trade show last year. Should I be ashamed to use it?
Sincere in Cincinnati

Dear Sincere: A pen? How tacky. I would think maybe a Bluetooth-enabled virtual keyboard would make a much nicer tchotchke. In fact, Dr. G. is in need of such a device. If you have one, please send it on to Dr. G. for evaluation.

ChoicePoint . . . hmmm. The nation's premier source of data is making quite a name for itself these days. A Nigerian national just was sentenced to five-and-a-half years in prison for illegally obtaining personal information from ChoicePoint some four years ago. Then earlier this year, we found at least 145,000 customer profiles had been fraudulently obtained from ChoicePoint by criminals posing as legitimate businesses. Just in recent weeks, a lead story on MSNBC reported ChoicePoint data files may be riddled with errors, omissions, and wrong data. This is some data company. I think it must be using the tried-and-true "keep all our data in shoeboxes" schema.

Back to the question. Should Sincere avoid using the ChoicePoint pen? Duh!

There actually are at least two different issues here: protecting consumer data and identity theft. Notice I said consumer data. ChoicePoint did not lose customer data; its customers are any one of thousands of companies and government agencies that want to know more about their clients, customers, or employees. The immediate assumption when we hear about data theft is "hackers!" Of course, that conclusion usually is wrong. The weak link is and always will be humans. ChoicePoint willingly gave up its data to people posing as legitimate businesses.

So, to preserve the integrity and security of sensitive data, we need a top-down corporate strategy. Data security is not just an IT issue. In fact, electronic security is only one small piece of the picture, even though it is the piece in the limelight. What would have happened if the latest round of data loss from ChoicePoint had occurred because some 17-year-old propeller head hacked a database? Heads would have rolled, starting from the top. It apparently is acceptable to have a flawed business model where criminals can pose as customers and snatch your data, but I guarantee you, it is not acceptable to have a flawed electronic security model.

The electronic risk is potential hacking of sensitive databases themselves. It is a given if we are going to conduct business online, there must be some sort of data connections between our port 80 window to the world and the data we want to protect. Data can and should be encrypted, but anyone who can hack the box probably can get access to login information or encryption schemes. The best security is intelligent system architecture. Keep the data at least three physical boxes away from the world. It apparently is very easy to gain access to Windows servers using one of the multitudes of buffer attacks. The trick is to bounce data access through some middleware on another box and then on to the database. If unauthorized parties can get through your firewall and compromise your outward-facing servers, at least make sure they can't go beyond that level.
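
The "three boxes away" layout can be checked mechanically against a firewall allow-list. The sketch below is an added example, not part of the original column; the host names, ports, and rule sets are constructed for illustration, and the check assumes the middleware box is the only one permitted to reach the database.

```python
from collections import deque

# Constructed allow-lists: (source, destination, port). All names are hypothetical.
FLAT = [("internet", "web", 80), ("web", "db", 1433)]
TIERED = [
    ("internet", "web", 80),
    ("web", "middleware", 8443),
    ("middleware", "db", 1433),
]
# The tiered layout after someone adds a "temporary" shortcut rule.
DRIFTED = TIERED + [("web", "db", 1433)]


def hops_to(rules, target, source="internet"):
    """Fewest allowed connections from source to target, or None if unreachable."""
    graph = {}
    for src, dst, _port in rules:
        graph.setdefault(src, set()).add(dst)
    seen, queue = {source}, deque([(source, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == target:
            return dist
        for nxt in sorted(graph.get(node, ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


def violations(rules, target="db", min_hops=3):
    """List ways a rule set breaks the web -> middleware -> database layout."""
    problems = []
    dist = hops_to(rules, target)
    if dist is not None and dist < min_hops:
        problems.append(f"{target} reachable in {dist} hops, need >= {min_hops}")
    # Only the middleware box should hold a path to the database.
    for src, dst, port in rules:
        if dst == target and src != "middleware":
            problems.append(f"{src} may connect straight to {target}:{port}")
    return problems


if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("tiered", TIERED), ("drifted", DRIFTED)):
        print(name, hops_to(rules, "db"), violations(rules))
```

Running the same check on every rule change catches the drifted case, where a single shortcut rule puts the database back within reach of a compromised web server.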

The second issue Dr. G. targets here is identity theft. What is it? If someone steals your credit-card number and buys 15 television sets, is that identity theft? This actually happened to Dr. G. The thieves stole Mrs. G.'s purse and immediately went to a national department store chain where they attempted to purchase 15 TVs. Unfortunately, the quantity put the card over limit, so they kept putting TVs back until the transaction cleared. The alert store clerk never asked for ID nor checked the signature for a match nor even became suspicious of this behavior. Of course, this little fiasco didn't cost Dr. G. anything but a few phone calls. The retailer ate the fraudulent charge.

But what about pure identity theft? Suppose someone wants to become me by assuming my name, my Social Security number, and my credit history. There are two obvious ways around this little problem. Dr. G. uses method number one: Simply refuse to pay certain credit-card bills. That way, your credit history is very unattractive and thus not fair game for theft. Method number two also is very good. Change your name to one that would make a felon uncomfortable. If criminals don't feel good about their new identity, they aren't going to use it. Lee Harvey Oswald is a good choice.

Readers are invited to send their questions to Dr. Gigabyte [email protected] for response in this column. Letters are for purposes of exploring insurance IT issues only and may or may not be contributed by any particular individual.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.