Tuesday, March 01, 2005

Schneier on Security: Choicepoint's CISO Speaks

Bruce Schneier has some interesting comments flowing from an interview with the CISO of ChoicePoint that appeared in SearchSecurity.com:

Schneier on Security: Choicepoint's CISO Speaks: "Choicepoint's CISO Speaks Richard Baich, Choicepoint's CISO, is interviewed on SearchSecurity.com:
This is not an information security issue. My biggest concern is the impact this has on the industry from the standpoint that people are saying ChoicePoint was hacked. No we weren't. This type of fraud happens every day.

Nice spin job, but it just doesn't make sense. This isn't a computer hack in the traditional sense, but it's a social engineering hack of their system. Information security controls were compromised, and confidential information was leaked.

It's created a media frenzy; this has been mislabeled a hack and a security breach. That's such a negative impression that suggests we failed to provide adequate protection. Fraud happens every day. Hacks don't.

So, Choicepoint believes that providing adequate protection doesn't include preventing this kind of attack. I'm sure he's exaggerating when he says that 'this type of fraud happens every day' and 'frauds happens every day,' but if it's true then Choicepoint has a huge information security problem."

The article and interview are worth reading on their own, as well.

No comments: