Risk
5/29/2007
01:18 PM
50%
50%

Data Security: You're Not Learning From Others' Mistakes

As I was catching up on some e-mail last night, I came across a message that's become all too familiar to me. It was textbook: A company was apologizing that one of its laptops had been stolen and that the laptop contained customer account and credit card information. A real yawner, until I considered that this e-mail was delivered to my personal e-mail account and that it was my customer account and credit card info that may have been compromised. Companies just aren't getting the messag

As I was catching up on some e-mail last night, I came across a message that's become all too familiar to me. It was textbook: A company was apologizing that one of its laptops had been stolen and that the laptop contained customer account and credit card information. A real yawner, until I considered that this e-mail was delivered to my personal e-mail account and that it was my customer account and credit card info that may have been compromised. Companies just aren't getting the message about data security.Needless to say, the e-mail got me pretty pumped up last night. As soon as I saw that e-mail from Register.com with "Important information concerning your Register.com account" written in the subject line, my reaction was, "Uh, oh." I'd just renewed my account with Register for another year to host my personal Web site. It had acknowledged receiving payment. I shouldn't have been hearing from it again so soon.

My heart sank as I read the e-mail. It was written in language that's become so familiar to me as I've covered the security beat. The e-mail included phrases designed to assure me that 1) only a small percentage of customers would be affected, 2) that the data contained on the stolen laptop was password-protected and encrypted, 3) that the thief probably didn't even know the value of the information contained on the laptop, and 4) that affected customers were being offered free credit-monitoring services.

I quickly fired off an e-mail to Register to let the company know how displeased I was with it. That was done as someone who's used its Web hosting services for the past four years.

As a journalist, however, I just have to shake my head. Companies (Register is by no means alone in this) simply aren't learning from other people's mistakes. While last year's theft of a Veterans Affairs laptop was probably excruciating for the millions of veterans whose names and information were contained on that computer, it was a gift for everyone else. IT and security pros got to see up close how carelessness and poorly defined (and enforced) security procedures can cost an organization and cause lasting embarrassment and mistrust. Why would any sane person want to endure the grilling that VA Secretary James Nicholson went through last year?

Even the now-infamous breach into the systems at TJX Cos., the parent of T.J. Maxx, Marshalls, and other retailers, followed a well-established pattern. If the reports about someone using the wireless "wardriving" technique to poach data from a Marshalls wireless network are true, then TJX can't escape the fact that the Lowe's home improvement store chain was hit by an eerily similar 2003 attack against a Southfield, Mich., store. In the Lowe's case, cyberthieves gained unauthorized access to an unsecured Lowe's wireless network in an attempt to obtain credit card transaction data. They used the Wi-Fi network at the Lowe's store in Southfield to access the company's central data center at Lowe's North Carolina headquarters.

I've always found IT leaders to be well read and well informed. How come the same mistakes are being made over and over again?

Don't get me wrong, I fully understand just how difficult it is for management to keep an eye on every piece of IT equipment issued to their employees. Living in New York, I also understand that, even in the nicest neighborhoods, it's possible that someone will smash a window to your car or apartment and help themselves to something that's not theirs. But businesses should be smart enough by now to mitigate these obvious risks to their customer data.

And the answer isn't just encryption or passwords, it's making sure that each and every employee with access to customer data (or any other sensitive information) knows what they're allowed to do and not do with that information. After they've been educated, that's when the real work begins. It's not enough for employees to simply know the risks of compromised data; they have to understand their company's security policies and why they're in place, and make it their personal mission to protect the information with which they've been entrusted.

That's the only way things will get better.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

CVE-2014-2716
Published: 2014-12-19
Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 reuses the RC4 cipher stream, which makes it easier for remote attackers to obtain plaintext messages via an XOR operation on two ciphertexts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.