The CSI/FBI have a famous report released annually called the “Computer Crime and Security Survey”. I was surprised to read today that the FBI also has a lesser-known report called the “Computer Crime Survey”.

The difference is supposedly in the method of gathering data, although it’s not clear that either survey is truly scientific. The larger survey is done with a select group of respondants and has a huge number of paper-based questions (I’ve filled it out at least twice), whereas this “Computer Crime only, hold the Security” survey “was taken by 2,066 organizations in Iowa, Nebraska, New York, and Texas”.

The findings are not particularly surprising, and I actually could spend some time trying to debunk the article’s title “FBI says attacks succeeding despite security investments”, but instead I just want to bring attention to the part of the report I found insightful:

While some individual law enforcement officers are not trained to respond to computer security incidents, local, state, and federal law enforcement agencies have become increasingly equipped to both investigate and assist in the prosecution of such violations. Computer related crime is the third-highest priority in the FBI, above public corruption, civil rights, organized crime, white collar crime, major theft and violent crime.

Not hard to find out what the top two priories are:
1. Protect the United States from terrorist attack.
2. Protect the United States against foreign intelligence operations and espionage.

So there you have it. If you are in the US and believe you are a victim of “cyber-based attacks and high-technology crimes”, contact the FBI.

International law enforcement has been working on Operation Ore since 2003, when investigators uncovered an Internet child porn business in Texas with over 250,000 customer records. The Guardian reported today that one of the worst cases so far has concluded with two people going to jail.

It’s a terrifying story, but at the core is the ability of police to process data quickly to follow leads and catch criminals before they can harm innocent children. If this threat is not mitigated fast enough by the police to bring the risk levels down, parents will not have much choice beyond demanding some form of official validation/certification from anyone who claims that they should be trusted with a child’s safety.

Apparently a hotel in Brighton didn’t get the memo: identity information is an asset to your customers and needs to be treated as such.

Stories like the one in today’s Guardian are a security practitioner’s worst nightmare. We spend countless weeks and months trying to increase awareness about how to identify and protect assets, and then find out that someone has dumped the crown jewels into a dumpster like a bunch of old laundry. One man’s garbage…

Brighton residents walking past the city centre hotel last Thursday night were amazed to see a skip full of registration cards of guests who stayed at the hotel between 1998 and 2000. Each one lists the name, company, home address and credit card number in full. Most include a home phone number, and in the case of some foreign guests, passport numbers. After sitting in the street for 24 hours, open to any passerby, the skip was removed by a local company, Skip-it.

This coincides with the hotel’s new policy to place all of their cash in the street for convenient next-day pickup by a local company, Bag-it.

Seriously though, this hotel is begging for a thorough risk assessment. I can’t tell you how many times I have sat and watched loading docks and garbage services expose assets and then go on lunch break, leave for the night, etc.. You just have to talk to a few staff or observe the “failure to follow process” to know that a proper control/risk ratio is in need of serious attention.