Blogland
Posted by: host | 3/31/2008 6:41 AM
I recently attended a presentation on the subject of identity theft and what steps can be taken to protect yourself. This presentation approached the issue primarily from the non-technical side, discussing aspects such as dealing with junk mail and documents that contain sensitive information, careful consideration of disclosure of personal information, and what to do if you find yourself a victim of this crime.
The information was presented by an Indiana State Police Officer who often works cases of identity theft. It was interesting to hear about how the mind of an identity thief works and I was surprised to learn how organized and aggressive they are.
The session caused me to think about my own habits and to make some efforts to modify how I handle sensitive data about myself and my family. Also, I thought a lot about my threat modeling recommendations and how this practice becomes even more critical in light of this information.
While this presentation focused on the non-technical side of the issue, I naturally supplemented the information provided with my own experience and knowledge of the database world. There is so much that is not understood by those who store this sensitive information in databases. The very definition of sensitive information is not clear in some cases. Yes, we know that social security numbers and credit card numbers are sensitive data; but the date of birth is also sensitive. Identity thieves are willing to take the slightest piece of information to help obtain additional data elsewhere.
This topic of identity theft really presents another aspect of the database security dialogue. Often the dialogue focuses on the integrity and accuracy of the data stored within databases. At times the aspect of unauthorized disclosure is discussed; but identity theft can occur when authorized disclosure occurs. The very question of why to store certain data at all, or of implementing cryptography if it must be stored, is often not given the length of discussion it deserves.
The mantra of database development, “all data input is evil unless proven otherwise”, could be amended to include “all data is sensitive and all data readers are evil unless proven otherwise”. While this may seem harsh, the truth is that you never know what the intentions of those who access data, especially sensitive data, could be.
In future blog entries I will be writing in more detail regarding some database design concepts that address this subject.