to the big man himself for passing the HCISSP exam on the first try! Liticode considers the HCISSP a necessary standard for working on HIPAA and hospital security and litigation consulting. No cert is too much of a reach for our valued clients.
Should organizations require and validate a government-issued form of identification before granting network access? It’s easy enough to do. Costs a bit for the comparison books and an hour of training, but it will catch the majority of bad identification. Of course, what to do with it after you’ve caught it…
But how much bad identification, as opposed to high quality forgeries, is seen in any business? No data.
More importantly, as has been pointed out by some bright people in the industry, the secretary is not a security guard, and the security guard is not a security professional. Some small percentage of false identification is going to result in violence. Better the guard than the HR representative.
Regardless of who does the checking, outside of the government, nobody without a Treasury Department background is going to catch the good forgeries. So we can at best reduce a risk, but not eliminate it.
Given the possibility of violent confrontations, would a business be better served by a validation after the fact? It depends on the business, but in general, giving network access to the bad guys for any amount of time is a bad idea.
How do you test effectiveness when the mere act of copying a form of identification can be a Federal crime?
It makes perfect sense, wanting to identify persons with access to the network, but the process does not make perfect sense. In the meantime, businesses will go on accepting fake identification and getting taken by fake ID holders.
Recently we received a notice from our one ISP that one of our machines might be infected, and please clean it up or we’d be shut down. Well, we explained the situation to them, and it’s good to know someone’s watching our traffic (It’s 1984?), but we’ve been doing this for nearly six years from this location. And they only just now noticed? We’ve run huge attacks against large customers, it’s our business after all, for six years, and they only just now noticed we “might” have an infected computer? Sort of makes you wonder.
What about all the other domains we traverse, like Sprint and AT&T? Are they going to start sending us hate mail? What happens if they start dumping the packets? We’ll have to find another ISP, I suppose, but eventually, if things went that way, the core would be filtering as well, and nothing would work. We’d practically be out of business. Ironically, the bad guys wouldn’t. Because the bad guys would just invent new ways to circumvent the security. Which would let us stay in business as well; we’d just need a new toolset.
So if nothing’s going to really change, can we establish right now that filtering anything is a really bad idea, except during attacks? Because all it’s going to do is raise the price tags on security. You have to pay for the filters, you have to pay for the new security to counter the new threats. While standing still doesn’t prevent new threats from becoming a reality, it does allow us lots of ways of tracking people. They may have a new attack, but they probed on high ports first, which might let us locate them. Or at least shut them off from here.
But don’t restrict traffic in the middle. It’s like putting a stop sign in the middle of the Atlantic. All you do is make shipping more expensive and annoy some little fish. So keep it open. Please.
Some Seattle criminals were apparently hacking Wi-Fi to help them locate business servers with identity information and then breaking in and stealing the servers. This is a perfect example of why physical security risks should be checked along with any electronic security validation. Penetration testing needs to be both physical and electronic, because sometimes it’s just easier to walk away with the equipment than it is to hack in and steal the data.