Risk
5/29/2007
01:18 PM
Connect Directly
RSS
E-Mail
50%
50%

Data Security: You're Not Learning From Others' Mistakes

As I was catching up on some e-mail last night, I came across a message that's become all too familiar to me. It was textbook: A company was apologizing that one of its laptops had been stolen and that the laptop contained customer account and credit card information. A real yawner, until I considered that this e-mail was delivered to my personal e-mail account and that it was my customer account and credit card info that may have been compromised. Companies just aren't getting the messag

As I was catching up on some e-mail last night, I came across a message that's become all too familiar to me. It was textbook: A company was apologizing that one of its laptops had been stolen and that the laptop contained customer account and credit card information. A real yawner, until I considered that this e-mail was delivered to my personal e-mail account and that it was my customer account and credit card info that may have been compromised. Companies just aren't getting the message about data security.Needless to say, the e-mail got me pretty pumped up last night. As soon as I saw that e-mail from Register.com with "Important information concerning your Register.com account" written in the subject line, my reaction was, "Uh, oh." I'd just renewed my account with Register for another year to host my personal Web site. It had acknowledged receiving payment. I shouldn't have been hearing from it again so soon.

My heart sank as I read the e-mail. It was written in language that's become so familiar to me as I've covered the security beat. The e-mail included phrases designed to assure me that 1) only a small percentage of customers would be affected, 2) that the data contained on the stolen laptop was password-protected and encrypted, 3) that the thief probably didn't even know the value of the information contained on the laptop, and 4) that affected customers were being offered free credit-monitoring services.

I quickly fired off an e-mail to Register to let the company know how displeased I was with it. That was done as someone who's used its Web hosting services for the past four years.

As a journalist, however, I just have to shake my head. Companies (Register is by no means alone in this) simply aren't learning from other people's mistakes. While last year's theft of a Veterans Affairs laptop was probably excruciating for the millions of veterans whose names and information were contained on that computer, it was a gift for everyone else. IT and security pros got to see up close how carelessness and poorly defined (and enforced) security procedures can cost an organization and cause lasting embarrassment and mistrust. Why would any sane person want to endure the grilling that VA Secretary James Nicholson went through last year?

Even the now-infamous breach into the systems at TJX Cos., the parent of T.J. Maxx, Marshalls, and other retailers, followed a well-established pattern. If the reports about someone using the wireless "wardriving" technique to poach data from a Marshalls wireless network are true, then TJX can't escape the fact that the Lowe's home improvement store chain was hit by an eerily similar 2003 attack against a Southfield, Mich., store. In the Lowe's case, cyberthieves gained unauthorized access to an unsecured Lowe's wireless network in an attempt to obtain credit card transaction data. They used the Wi-Fi network at the Lowe's store in Southfield to access the company's central data center at Lowe's North Carolina headquarters.

I've always found IT leaders to be well read and well informed. How come the same mistakes are being made over and over again?

Don't get me wrong, I fully understand just how difficult it is for management to keep an eye on every piece of IT equipment issued to their employees. Living in New York, I also understand that, even in the nicest neighborhoods, it's possible that someone will smash a window to your car or apartment and help themselves to something that's not theirs. But businesses should be smart enough by now to mitigate these obvious risks to their customer data.

And the answer isn't just encryption or passwords, it's making sure that each and every employee with access to customer data (or any other sensitive information) knows what they're allowed to do and not do with that information. After they've been educated, that's when the real work begins. It's not enough for employees to simply know the risks of compromised data; they have to understand their company's security policies and why they're in place, and make it their personal mission to protect the information with which they've been entrusted.

That's the only way things will get better.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6856
Published: 2014-10-02
The AHRAH (aka com.vet2pet.aid219426) application 219426 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6857
Published: 2014-10-02
The Car Wallpapers HD (aka com.arab4x4.gallery.app) application 1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6858
Published: 2014-10-02
The Mostafa Shemeas (aka com.mostafa.shemeas.website) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6859
Published: 2014-10-02
The Daum Maps - Subway (aka net.daum.android.map) application 3.9.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6860
Published: 2014-10-02
The Trial Tracker (aka com.etcweb.android.trial_tracker) application 1.1.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.