Risk
5/29/2007
01:18 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Data Security: You're Not Learning From Others' Mistakes

As I was catching up on some e-mail last night, I came across a message that's become all too familiar to me. It was textbook: A company was apologizing that one of its laptops had been stolen and that the laptop contained customer account and credit card information. A real yawner, until I considered that this e-mail was delivered to my personal e-mail account and that it was my customer account and credit card info that may have been compromised. Companies just aren't getting the messag

As I was catching up on some e-mail last night, I came across a message that's become all too familiar to me. It was textbook: A company was apologizing that one of its laptops had been stolen and that the laptop contained customer account and credit card information. A real yawner, until I considered that this e-mail was delivered to my personal e-mail account and that it was my customer account and credit card info that may have been compromised. Companies just aren't getting the message about data security.Needless to say, the e-mail got me pretty pumped up last night. As soon as I saw that e-mail from Register.com with "Important information concerning your Register.com account" written in the subject line, my reaction was, "Uh, oh." I'd just renewed my account with Register for another year to host my personal Web site. It had acknowledged receiving payment. I shouldn't have been hearing from it again so soon.

My heart sank as I read the e-mail. It was written in language that's become so familiar to me as I've covered the security beat. The e-mail included phrases designed to assure me that 1) only a small percentage of customers would be affected, 2) that the data contained on the stolen laptop was password-protected and encrypted, 3) that the thief probably didn't even know the value of the information contained on the laptop, and 4) that affected customers were being offered free credit-monitoring services.

I quickly fired off an e-mail to Register to let the company know how displeased I was with it. That was done as someone who's used its Web hosting services for the past four years.

As a journalist, however, I just have to shake my head. Companies (Register is by no means alone in this) simply aren't learning from other people's mistakes. While last year's theft of a Veterans Affairs laptop was probably excruciating for the millions of veterans whose names and information were contained on that computer, it was a gift for everyone else. IT and security pros got to see up close how carelessness and poorly defined (and enforced) security procedures can cost an organization and cause lasting embarrassment and mistrust. Why would any sane person want to endure the grilling that VA Secretary James Nicholson went through last year?

Even the now-infamous breach into the systems at TJX Cos., the parent of T.J. Maxx, Marshalls, and other retailers, followed a well-established pattern. If the reports about someone using the wireless "wardriving" technique to poach data from a Marshalls wireless network are true, then TJX can't escape the fact that the Lowe's home improvement store chain was hit by an eerily similar 2003 attack against a Southfield, Mich., store. In the Lowe's case, cyberthieves gained unauthorized access to an unsecured Lowe's wireless network in an attempt to obtain credit card transaction data. They used the Wi-Fi network at the Lowe's store in Southfield to access the company's central data center at Lowe's North Carolina headquarters.

I've always found IT leaders to be well read and well informed. How come the same mistakes are being made over and over again?

Don't get me wrong, I fully understand just how difficult it is for management to keep an eye on every piece of IT equipment issued to their employees. Living in New York, I also understand that, even in the nicest neighborhoods, it's possible that someone will smash a window to your car or apartment and help themselves to something that's not theirs. But businesses should be smart enough by now to mitigate these obvious risks to their customer data.

And the answer isn't just encryption or passwords, it's making sure that each and every employee with access to customer data (or any other sensitive information) knows what they're allowed to do and not do with that information. After they've been educated, that's when the real work begins. It's not enough for employees to simply know the risks of compromised data; they have to understand their company's security policies and why they're in place, and make it their personal mission to protect the information with which they've been entrusted.

That's the only way things will get better.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web