When managing editor Brett Callow offered me the chance to interview Mr. Dembin, I of course jumped at the opportunity. My excitement then turned to the realization that I needed to come up with some excellent questions. An opportunity like this doesn't come along very often. This is a man that Microsoft went to for information security advice. A man trusted by our government to prosecute cyber criminals. Given Mr. Dembin's extensive background and experience in the field, the answers he gives are not only insightful but extremely well informed. Enjoy.
BH: In your estimation, what are currently the top three information security threats to small businesses?
MD: A. Disgruntled or sociopathic insiders and recently separated employees with trusted access.
B. Poor information security policies and practices. For example:
i. Poor password policies.
ii. No use of multifactor authentication
iii. Overuse of administrative authority
iv. Failure to segment network (not everyone needs access to everything)
v. Poor implementation of remote and/or wireless access
vi. Poor backup policies and procedures
vii. I know, I am cheating, you said just 3, so just leave it at b!
C. Mishandling of personally identifiable information.
BH: Does the Department of Justice regulate the information security of ISP (Internet Service Providers) or is that the responsibility of the FCC or other government agencies? Is this regulated at all?
MD: ISPs are unregulated. (BH Note: Shocked? Me too! I'll be doing a follow-up Q&A so stay tuned.)
BH: With more and more companies moving their businesses to the internet, has the rate of cyber crimes (specifically credit card fraud and identity theft) increased?
MD: It does appear that the rate of financially motivated cyber crimes has increased. I cannot say that this is the result of more businesses moving to the Internet or just a recognition by a maturing group of criminals that there is money to made by farming identities.
BH: There seems to be a consistent buzz about mobile devices and mobile computing within the technology world over the past few years. Has the Department of Justice seen an increase in crimes committed with the use of mobile devices?
MD: We have seen the use of unsecured wireless access points by criminals to make it harder for us to identify them. I have not seen the increased use of mobile devices to commit crime (unless you count laptops, but I think you mean things like smart phones and PDAs).
BH: If an angry customer or disgruntled employee is successful in committing a denial of service attack (or some other type of service interruption) against a small business, what kind of charges can be filed against that person?
MD: Prior to the passage of a new law making certain cybercrimes easier to prosecute, we would likely charge a violation of 18 USC 1030(a)(5)(A)(i) provided that it cost the victim more than $5,000 in losses or recovery costs. Since the signing of a new federal law yesterday, we can charge the statute without the $5,000 requirement if more than 10 computers were affected. Typically, however, the disgruntled person does not DDoS since many firms have their web presence at a host who deals with the attack. The attack usually involves damaging data or stealing information.
Stay tuned for Part 2!