A Good Security Response
Posted Monday, March 25, 2013 9:28 PM


SSC-Dedicated


Group: Administrators
Last Login: Today @ 12:08 PM
Points: 33,099, Visits: 15,206
Comments posted to this topic are about the item A Good Security Response

Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1435244
Posted Monday, March 25, 2013 9:42 PM


SSChasing Mays


Group: General Forum Members
Last Login: Today @ 10:52 AM
Points: 617, Visits: 2,072
I worked for a bank for a number of years. We were very good about shredding everything, to the point that if any quantity of paper was found in the trash, the housekeeping staff would note the desk/name it was found at and drop the bag off at the Security Officer's desk for review. (There were a few write-ups, usually only once, on some of the staff.)

Ironically, the only large "breach" we had was when we had FDIC auditors in and one of their laptops was stolen from the hotel room. There were 453 customers' financial details on the laptop. It was presumed stolen for the hardware, not the data.

We had to supply the customers with credit monitoring for a year along with prompt notification.

After that, I make it a point to build a shred pile on my desk (I print less than 50 pages a month generally), delete old data after a month, and occasionally run a wipedisk on the blank sectors of my drive. I do my troubleshooting of customer data on servers set up for the purpose.

I know -- tangential and paranoid -- but I don't want my butt fired for it. How many companies provide lunch three days a week?




----------------
Jim P.

A little bit of this and a little byte of that can cause bloatware.
Post #1435246
Posted Tuesday, March 26, 2013 5:47 AM


Ten Centuries


Group: General Forum Members
Last Login: Today @ 5:40 AM
Points: 1,344, Visits: 1,516
My husband's employer (state government) had a piece of media containing employee data misplaced - we were notified immediately and given three years of credit protection.
Post #1435403
Posted Tuesday, March 26, 2013 7:05 AM
Old Hand


Group: General Forum Members
Last Login: Friday, July 11, 2014 7:13 AM
Points: 375, Visits: 596
batgirl (3/26/2013)
My husband's employer (state government) had a piece of media containing employee data misplaced - we were notified immediately and given three years of credit protection.


Three years of credit protection. That's better than my state. 6 million Social Security Numbers were stolen from the state's tax department and all we got was a year of credit monitoring; they haven't notified us if our bank account information was also stolen.
Post #1435456
Posted Tuesday, March 26, 2013 10:40 AM
Old Hand


Group: General Forum Members
Last Login: Monday, July 14, 2014 1:19 PM
Points: 323, Visits: 1,456
I belong to something like 40 websites; financial, gaming, social networking, community (like this one). I use a password vault for most of these which makes it a little easier to vary my passwords without having to remember each one. But on the net we're constantly faced with the same tradeoff between convenience and tighter security.

Ken
Post #1435612
Posted Tuesday, March 26, 2013 10:50 AM
SSC Eights!


Group: General Forum Members
Last Login: Yesterday @ 8:10 AM
Points: 861, Visits: 2,360
First, Evernote's customer service response was indeed excellent! Not only owning up to the breach, but also forcing a password reset is good. Forcing a password reset with an upgraded password storage mechanism and better rules and checks for bad passwords is even better!

As far as companies not wanting to admit to a breach, even in unregulated industries without legal penalties, there are only four major choices:
1) Own up to it quickly. Customers will be upset, yes, but you will set the tone of the announcement, and be able to start out by saying "We've fixed the issue already, but recently...". Like Evernote, if you can get users to change their passwords before the list is leaked to the public, you'll have fewer upset customers - unhappy, but not as unhappy.

2) See someone else post your password (hash) list publicly, very likely followed by security analysts, blogs, and news media (in large breaches, like the 50 million password Evernote one here, or Sony's recently) putting out stories before you can respond. In this case, you're very likely scrambling to respond, and may have increased civil (or criminal, depending) liability.

3) Hope you were hit by an honest extortion racket who will actually destroy the list if you pay them.

4) Something else.

Password lists do get posted publicly, used in competitions, analyzed for patterns, and so on, and they typically will be linked to who they were stolen from by customers recognizing their own password, by the password content, and so on. Once someone else has your password hashes, they can control the publicity if you don't get there first.
Post #1435618
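The reset-plus-upgraded-storage flow the post above describes, as an added example (not code from the post, the forum, or Evernote): accounts whose hashes are still stored under an assumed weak legacy scheme (unsalted SHA-1) may log in only far enough to reset, and the new password is checked against rules before being stored as salted PBKDF2-HMAC-SHA256. The scheme names, iteration count, rule thresholds and the common-password list are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Legacy scheme assumed for the example: unsalted SHA-1, the weak storage the reset retires.
LEGACY, CURRENT, ITERATIONS = "sha1", "pbkdf2_sha256", 600_000
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}  # constructed stand-in list

@dataclass
class Credential:
    scheme: str
    salt: bytes
    digest: bytes

def digest_for(scheme: str, salt: bytes, password: str) -> bytes:
    if scheme == LEGACY:
        return hashlib.sha1(password.encode()).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def legacy_credential(password: str) -> Credential:  # seeds the sample store in the weak format
    return Credential(LEGACY, b"", digest_for(LEGACY, b"", password))

def password_problems(password: str, username: str) -> list:
    # Rules checked at reset time; an empty list means the password is acceptable.
    checks = [(len(password) < 12, "shorter than 12 characters"),
              (password.lower() in COMMON_PASSWORDS, "on the common-password list"),
              (username.lower() in password.lower(), "contains the username")]
    return [msg for bad, msg in checks if bad]

def hash_password(password: str) -> Credential:
    salt = os.urandom(16)  # per-user random salt, stored beside the digest
    return Credential(CURRENT, salt, digest_for(CURRENT, salt, password))

def verify(cred: Credential, password: str) -> bool:
    return hmac.compare_digest(digest_for(cred.scheme, cred.salt, password), cred.digest)

def login(store: dict, username: str, password: str) -> str:
    # Post-breach policy: the old password still proves identity, but a legacy-stored account may only reset.
    cred = store.get(username)
    if cred is None or not verify(cred, password):
        return "denied"
    return "reset_required" if cred.scheme == LEGACY else "ok"

def reset_password(store: dict, username: str, new_password: str) -> list:
    # Rejects weak choices; otherwise re-stores the account under the current scheme.
    problems = password_problems(new_password, username)
    if not problems:
        store[username] = hash_password(new_password)
    return problems
```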
Posted Tuesday, March 26, 2013 10:53 AM


Ten Centuries


Group: General Forum Members
Last Login: Thursday, March 6, 2014 1:05 PM
Points: 1,334, Visits: 3,068
"Recently Evernote had a security breach and they forced all users to reset their passwords."


Of course, this assumes that you have a user community that even knows how to do this. We required a password reset about a year or so ago on just two hundred users on just a particular application once, not an enterprise wide password reset involving thousands of users. It took over three weeks to get it done with massive assistance from the help desk, and sometimes people not getting it right three to five times of doing it (thus locking out their accounts), and then forgetting the password they reset it to just days later!!! Granted, this should be a walk in the park for most of us. But what you are forgetting here (and most of our management did as well) is how many users there are out there that have trouble just managing the CTRL-ALT-DEL key combination!! I am not kidding either guys, it was a major oversight and assumption on management's part. You can't assume anything when it comes to most end-users. When it comes to any solution to problems such as security breaches, or any other problems for that matter, the user community is not my first go-to solution.


"Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ..."
Post #1435620