About Us | Contact Us
View Cart

Shredding: New and Old Risks

By Dan Hadaway | Saturday, December 10, 2011 - Leave a Comment

In these days of drill-down risk assessments on new technologies and issues ranging from mobile banking to customer awareness to social media to FILs and Supplements, I’m often asked: “Since we now have to track these risk assessment triggers do we need to continue the annual risk assessment?”

The answer is yes.

This can be illustrated by an interesting article my friend Joe Cychosz just liked on his Facebook page.

Elizabeth Montalbano of InformationWeek reports about a challenge held by the Defense Advanced Research Projects Agency (DARPA) to solve complex puzzles comprised of shredded documents.   Somebody rose to the challenge, and using math and computers, reconstructed five documents that had been shredded into 10,000 pieces.  They won $50,000.

In other words, shredding as a control just grew weaker.

Now I agree that the likelihood of somebody spending 600 hours manually trying out pattern combinations generated by complex computer programs on shredded documents stolen from your shred-company is very low.

But this article makes an interesting way to put out that:

1)    The controls we “declare” this year may not work as strong next year.  Bad guys learn ways around them.  Good guys forget about them.

2)    The likelihood of an attack this year may not be as low next year.  New attack methods can increase the likelihood of an attack.

3)    The value of a target (and thus the likelihood of an attack) can change over time.  If somebody can bottle the process up so that it only takes 20 hours to assemble the most likely permutations of shred pattern matches, it might be worth reassembling a report with a thousand names.  What was typically a worthless target (shreddings) may increase in value.

4)    Finally, the impact of an attack can change over time.  If a breach occurs today because somebody spent 600 hours reassembling a critical report, I don’t think it will hurt anybody reputationally.  It might even give them the ability to turn the situation into good press.  But ten years from now, you have to wonder if “algorhythm proof shredders” will be a high-risk issue on everybody’s audit checklists.

So yes, we need to dust off the “All-encompassing Ever-Growing Information Technology Risk Assessment” every year, taking a quick look at all asset-vulnerability pairs that were deemed “moderate/low” last year.

——————————————-——————————————————————–————————-

Dan Hadaway CRISC, CISA, CISM
Founder and President, Infotex

——————————————-——————————————————————–————————-

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”


 

 

Latest News
    A new study highlights the benefits of looking at your network from the other side… An article review. If you were trying to attack your organization’s network, how would you start?  That’s a question you may not have asked yourself, but experts say it’s something that can help you strengthen your security.  That’s according to […]
    Google Ads, Gitlab and OneDrive have been used to distribute the BATLOADER malware… An article review. We’ve always believed that “watch where you click” has always been good advice when it comes to security online, however Microsoft is tracking the spread of malware that has been using legitimate websites to help facilitate its spread, counting […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape) You are welcome to print out and distribute this around your […]
    A new way of helping people “read” new guidance… Look for more in the future! To save you time, we are proud to present “Adam Reads” . . . recorded versions of our Guidance Summaries! Below you can find an embedded player for the audio file. If you are having issues with that working, you […]
    Thanks for being interested in our Technology Planning Webinars! The 2022 annual webinar update on technology planning includes a review of the previous years’ movies that are available, as well as alternative tactics that have arisen from recent conferences, forums, and industry experience. Feel free to invite your entire technology committee! Click the Button to […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! In the spirit of October and Halloween we have put together a gallery of our “spooky” Awareness Posters at halloween.infotex.com. Use them to help decorate for the holiday! Check […]
    Microsoft, Cisco and Uber are among the companies hit by this new threat… An article review.  As more organizations adopt multi-factor authentication to help safeguard their systems hackers have adapted, and several major corporations have been among those hit by this new style of attack.  This new technique, called MFA Fatigue or Push Spamming, involves […]
    A Webinar Movie This presentation is intended for those who are planning to participate in an infotex incident response test. Please let us know what questions you have, when we have our Plan Walkthrough and Test Plan Approval meeting!
    What you need to know for compliance coast-to-coast. Back in 2020 we posted an article containing links to data breach laws from each state, and it has proven to be one of our more popular posts.  Because laws surrounding the use (and abuse) of technology are always evolving, we thought it was worth taking another […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! In the spirit of October and Halloween we have put together a gallery of our “spooky” Awareness Posters at halloween.infotex.com. Use them to help decorate for the holiday! Check […]