Risk
5/29/2007
01:18 PM
Connect Directly
RSS
E-Mail
50%
50%

Data Security: You're Not Learning From Others' Mistakes

As I was catching up on some e-mail last night, I came across a message that's become all too familiar to me. It was textbook: A company was apologizing that one of its laptops had been stolen and that the laptop contained customer account and credit card information. A real yawner, until I considered that this e-mail was delivered to my personal e-mail account and that it was my customer account and credit card info that may have been compromised. Companies just aren't getting the messag

As I was catching up on some e-mail last night, I came across a message that's become all too familiar to me. It was textbook: A company was apologizing that one of its laptops had been stolen and that the laptop contained customer account and credit card information. A real yawner, until I considered that this e-mail was delivered to my personal e-mail account and that it was my customer account and credit card info that may have been compromised. Companies just aren't getting the message about data security.Needless to say, the e-mail got me pretty pumped up last night. As soon as I saw that e-mail from Register.com with "Important information concerning your Register.com account" written in the subject line, my reaction was, "Uh, oh." I'd just renewed my account with Register for another year to host my personal Web site. It had acknowledged receiving payment. I shouldn't have been hearing from it again so soon.

My heart sank as I read the e-mail. It was written in language that's become so familiar to me as I've covered the security beat. The e-mail included phrases designed to assure me that 1) only a small percentage of customers would be affected, 2) that the data contained on the stolen laptop was password-protected and encrypted, 3) that the thief probably didn't even know the value of the information contained on the laptop, and 4) that affected customers were being offered free credit-monitoring services.

I quickly fired off an e-mail to Register to let the company know how displeased I was with it. That was done as someone who's used its Web hosting services for the past four years.

As a journalist, however, I just have to shake my head. Companies (Register is by no means alone in this) simply aren't learning from other people's mistakes. While last year's theft of a Veterans Affairs laptop was probably excruciating for the millions of veterans whose names and information were contained on that computer, it was a gift for everyone else. IT and security pros got to see up close how carelessness and poorly defined (and enforced) security procedures can cost an organization and cause lasting embarrassment and mistrust. Why would any sane person want to endure the grilling that VA Secretary James Nicholson went through last year?

Even the now-infamous breach into the systems at TJX Cos., the parent of T.J. Maxx, Marshalls, and other retailers, followed a well-established pattern. If the reports about someone using the wireless "wardriving" technique to poach data from a Marshalls wireless network are true, then TJX can't escape the fact that the Lowe's home improvement store chain was hit by an eerily similar 2003 attack against a Southfield, Mich., store. In the Lowe's case, cyberthieves gained unauthorized access to an unsecured Lowe's wireless network in an attempt to obtain credit card transaction data. They used the Wi-Fi network at the Lowe's store in Southfield to access the company's central data center at Lowe's North Carolina headquarters.

I've always found IT leaders to be well read and well informed. How come the same mistakes are being made over and over again?

Don't get me wrong, I fully understand just how difficult it is for management to keep an eye on every piece of IT equipment issued to their employees. Living in New York, I also understand that, even in the nicest neighborhoods, it's possible that someone will smash a window to your car or apartment and help themselves to something that's not theirs. But businesses should be smart enough by now to mitigate these obvious risks to their customer data.

And the answer isn't just encryption or passwords, it's making sure that each and every employee with access to customer data (or any other sensitive information) knows what they're allowed to do and not do with that information. After they've been educated, that's when the real work begins. It's not enough for employees to simply know the risks of compromised data; they have to understand their company's security policies and why they're in place, and make it their personal mission to protect the information with which they've been entrusted.

That's the only way things will get better.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6335
Published: 2014-08-26
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and ...

CVE-2014-0480
Published: 2014-08-26
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL ...

CVE-2014-0481
Published: 2014-08-26
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a d...

CVE-2014-0482
Published: 2014-08-26
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relate...

CVE-2014-0483
Published: 2014-08-26
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.