Thursday, February 22, 2007

More Thoughts on the Stolen Seton Laptop

Tonight at dinner, I was thinking about that laptop that was stolen from Seton hospital last week.

Let's assume for a second that the thief wasn't just after high-priced hardware. Yes, he stole a laptop and he can get money for it just as a simple laptop. But if you just wanted to steal a laptop, would you walk into a corporate building that is guarded with security officers, cameras and other security features? Maybe, but you could just hang out at a local coffee shop and grab one...or walk around a parking lot and find a laptop sitting in the back of a car. Parking lots and coffee shops have fewer cameras and are filled with people who aren't thinking about physical security. They are easy targets, and the chance of being caught in the long run is reduced.

So why chance breaking into a corporate office? I can think of a couple reasons.
  • The first type of thief is just after the easy money. They may have cased the joint and are pretty aware of the security measures in place. They have done their homework to reduce the risk of the attack, but they feel that the quality of the equipment outweighs the risk of the increased security. These types of attackers might check for easy data access, but in the end they just want to dump the equipment for the easy money.
  • The second type of thief is much scarier. They know that easier targets exist, but they aren't just after the equipment. They are after what that equipment contains...the data. These types of attackers may have the skill to look deep into the computer and work to crack passwords. They aren't just looking for personal data; they are looking for anything that could be sold on the black market or used to further pwn the target company - VPN keys, saved network passwords, text files that contain network device passwords, saved SSH passwords, outdated software on the computer that may have known vulnerabilities, etc. This type of information could allow the attacker to build a targeted attack in the near future and perhaps own the entire corporate network undetected.

While companies report on attackers of both types, IT security is more worried about the second type. The personal data is gone...that is done. But if they don't force that user to change all their passwords right after the attack, they are putting their whole network at risk. And in the end that is more important to the security of the company than the names of 8000 people.
