RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Subject:
From: Hugh Smith <[log in to unmask]>
Reply To: Records Management Program <[log in to unmask]>
Date: Tue, 14 Sep 2010 12:58:14 -0400
On Sep 14, 2010, at 12:00 AM, RECMGMT-L automatic digest system wrote:

SNIP

> From: Jesse Wilkins <[log in to unmask]>
> Date: September 13, 2010 11:51:04 AM EDT
> Subject: Re: Technology News: M*lware: 'H**** You H*ve' Exposes Internet Security's Achilles' Heel
> 
> 
> At risk of opening a huge can of worms on a crisp Colorado Monday -
That's a pun!  I get it. 
> haven't there been some pretty high-profile cases of information being compromised
> through either a) paper records being inappropriately disposed of or b)
> tapes being transported unsecurely? Yet I don't remember any missives
> calling for mandatory onsite industrial shredders, prohibitions against all
> offsite storage, or eschewing tape storage. 

Jesse, this is just an intellectual dialog for fun, as is my style...

>> a) paper records being inappropriately disposed of 
No one has written more posts about the destruction of vast volumes of paper documents due to a failure to treat these documents as something that is worthy of protection. I believe in this so much that I have served on the NFPA 232 Technical Committee for 10 years. For many in our industry, the fact that the records lost were "Other People's Records" made the story uninteresting. But you cannot say I have not brought this up time and time again. Records need protection in all their formats. The problem is the Cloud does not really see this data as records any more than the IT guys see the backup tapes as records. They are just disaster recovery devices. (You will argue, "that's right, the Cloud is not records," but they are. When you crash it, information is lost.)

>> b) tapes being transported unsecurely? 

If it were not for Larry and Peter, I could claim I lead the pack in reporting on losses of tapes in transport, and sabotage. I am consistent; I speak to the loss of records in paper and media. The old timers here have seen the titles (knowledge managers, content managers, CIOs) and technologies (data center in a box, VMware, Virtual this and virtual that, RAID) change, but the problem is that the IT Industry has no respect for the underlying records content.

The offsite storage industry did see a problem with tape transportation and led the charge for encrypted tape. This made a lost tape an inconvenience, not a disaster. Storage of tapes in poor environmental conditions and unrated vaults was another issue that the offsite storage industry saw as a risk, and now precise controls on temperature and humidity exist to prevent against spoliation. The vaults they use are media rated. That is why you do not see articles about millions of tapes being destroyed in fires or media found to be spoiled by improper storage.

Where are the articles about the computer industry moving to one platform and standardized migration plans and ultimate security? The concept of the Data Center in a Box which places data centers in steel boxes outside the building with no control of outside elements to the interior when they open the doors and on and on. Speed, density, and cost are the gods of the IT Industry; security is just another inconvenience because it slows the release date.

Cloud is just the latest version to confront our industry. It is risky because the people running it can become vapors when the data is lost. How much data was lost in the current economic downturn? Massive amounts. No one underwrites these guys like the FDIC does banks. Data is sent into the Cloud of the cheapest provider just as paper documents were stored at the lowest bidder.

I can argue that the Apple Computer is much safer than Microsoft and others, and you would reply that this is because no one is targeting the Apple, because Microsoft is the dominant platform and you have a bigger impact there. Hence more attacks. The Cloud is emerging technology. As yet there is not really enough there to really target like they will in the coming months as the business model grows. Anything online is at risk. If you steal the passkey you are in. Protecting the password and the pass key are illusive goals.

I think a discussion of risks is always in order. I have been consistent in this regard. I understand where you are coming from; do you understand why I take this approach?

Here is an example of why we need to look at the risks. We need to protect the paper, the microfilm, the X-ray, the LTOs and servers. I had a discussion with a radiologist about lost medical records. (It had to do with a fire that burned up linear miles of X-rays.) If 100,000 women's mammograms are lost, 2000+ women die or suffer radical surgery. If other types of cancer lose their baseline data, treatments are delayed and people die. The federal government has mandated ERM but the risks are unknown. Storing data in the Cloud poses risks and the computer industry would have us ignore the risks to look at the cost savings. But the larger the target, the more people will target it.

The computer industry needs to refrain from using us for guinea pigs and bring out a reliable and secure product, not these failed beta versions that are filled with flaws.

The shredding industry tells us doctors' offices and hospitals are the best place to find PII, as every file has your SSN, insurance number, address and every other fact about you. Identity theft made easy. The shredding industry has tried to protect us. The offsite storage industry has made huge strides in refining their model. I do not see similar progress in the IT Industry.

I counsel RMs to use this same knowledge to gain backing for their program, to move more slowly into things no one has security tested and reveals to us time and again, that speed to market is more important than actually providing us security. In the end that is a poor bargain. If records managers do not speak up, who will?


Hugh Smith
FIRELOCK Fireproof Modular Vaults
[log in to unmask]
(610)  756-4440    Fax (610)  756-4134
WWW.FIRELOCK.COM
List archives at http://lists.ufl.edu/archives/recmgmt-l.html