Lawsuits and Data Breaches
Posted Monday, February 24, 2014 8:30 PM
Comments posted to this topic are about the item Lawsuits and Data Breaches

Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1544753
Posted Tuesday, February 25, 2014 2:17 AM
I used to work closely with a security expert who installed an intrusion-detection system. Once it was in place, I was amazed how many attacks we faced, and how some were successful. It was the only way we got to know that they were successful too. It completely changed my way of thinking about security.
A lot of attacks seem to be merely probes to determine weaknesses. Others, if successful, take effective control of the server, but in a way that is generally undetected, and this is only used later. Very few successful attacks result in your customer database being offered on a Russian website. You probably don't know when your network is successfully compromised.
You have to know about as many attempts at intrusion as possible and your applications and database need to be instrumented well enough to alert you to any possible intrusion. If you don't, then it is like having a castle or fort without any guards.
Database Security is a boring topic. Security presentations at PASS or SQL Saturday seldom run to packed houses, but it is one of the most important areas of knowledge that a developer and DBA can possess. I recommend Denny Cherry's book as a really good introduction to SQL Server security
My worst experience? When an employee with a crazy grudge (an affair with another employee) sold his SQL Server login to some bandits when he left the company. I should have changed it before, I know, but security isn't an exciting topic until you get hit.



Best wishes,

Phil Factor
Simple Talk
Post #1544803
Posted Tuesday, February 25, 2014 2:17 AM
We should be doing the right things and be seen to be doing them. Except for a possible small number of exceptions, I would hazard a guess that the majority of hackers are either criminals or cyber-vandals. As such I would expect both groups to be more interested in easier targets (no pun intended). Criminals will want to maximise their gains from low risk/low effort activities whilst cyber-vandals are more likely to be interested in high profile results possibly without serious amounts of talent.

This is the classic scenario of not necessarily being able to make the situation impossible rather than make it difficult to a level that there are easier targets available.

Also by taking the appropriate steps then stakeholders should attain a level of reasonable confidence. It may also provide evidence that due diligence was performed in a more legal setting.


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1544804
Posted Tuesday, February 25, 2014 2:21 AM
Phil Factor (2/25/2014)
...A lot of attacks seem to be merely probes to determine weaknesses. Others, if successful, take effective control of the server, but in a way that is generally undetected, and this is only used later. Very few successful attacks result in your customer database being offered on a Russian website. You probably don't know when your network is successfully compromised...

Sometimes our systems are just used as a launch pad for other attacks in order to preserve the attacker's anonymity and provide an attack vector from a possibly legitimate source.


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1544807
Posted Tuesday, February 25, 2014 6:13 AM
Gary Varga (2/25/2014)
Phil Factor (2/25/2014)
...A lot of attacks seem to be merely probes to determine weaknesses. Others, if successful, take effective control of the server, but in a way that is generally undetected, and this is only used later. Very few successful attacks result in your customer database being offered on a Russian website. You probably don't know when your network is successfully compromised...

Sometimes our systems are just used as a launch pad for other attacks in order to preserve the attacker's anonymity and provide an attack vector from a possibly legitimate source.


Many websites simply do not have the economic benefit for the hacker. Hack SSC and you get some passwords that are hopefully not used on other sites. Hack Target and you get millions of credit cards.

Post #1544867
Posted Tuesday, February 25, 2014 7:19 AM
Gary Varga (2/25/2014)
We should be doing the right things and be seen to be doing them. Except for a possible small number of exceptions, I would hazard a guess that the majority of hackers are either criminals or cyber-vandals. As such I would expect both groups to be more interested in easier targets (no pun intended). Criminals will want to maximise their gains from low risk/low effort activities whilst cyber-vandals are more likely to be interested in high profile results possibly without serious amounts of talent.

This is the classic scenario of not necessarily being able to make the situation impossible rather than make it difficult to a level that there are easier targets available.

Also by taking the appropriate steps then stakeholders should attain a level of reasonable confidence. It may also provide evidence that due diligence was performed in a more legal setting.


It does not appear that Target was that easy. They did not hit Target directly, they hit the third party card readers, gaining access through another third party (HVAC system maintenance). They used a RAM scraper to grab info during the short time while it was not (could not be) encrypted.

The point I see from this is that there are, and will ALWAYS be attack points that are outside of your control. To paraphrase the old STD public health warnings, it's not just your vendors and customers to worry about, but all of their vendors and customers as well.

I find it absurd, though, that the government is threatening more legal sanctions for security leaks when they can't even keep their own house in order (NSA anyone?)



...

-- FORTRAN manual for Xerox Computers --
Post #1544896
Posted Tuesday, February 25, 2014 8:11 AM
I used to work for a company that was in the health care business. We had databases full of PII (Name, Address, SSN, DOB, Insurance Membership, etc.) and none of it was encrypted. It was also copied from PROD to QA to DEV and sent overseas to our India office.

I complained loud and long about how dangerous this was and how we needed to secure this data. Finally the Director of Security for my company called me into his office and basically read me the riot act and told me I needed to shut up. They were aware of the issues and were working on them, and if the clients found out about this, we could lose business.

I started looking for a new position that afternoon. I still have friends who work there and now, almost 16 months later, nothing has changed.

And from what I understand from other friends, this is more the norm than the exception.

It blows my mind!
Post #1544956
Posted Tuesday, February 25, 2014 9:44 AM
Steve Jones wrote:

We, and the businesses that employ us, should be incorporating analytics into our defenses to detect abnormal actions ...


Which seems to be what products from cyber security vendors like Aorato do.

[Disclaimer: I'm not associated with Aorato in any way. I did try getting our data security officer interested in Aorato's software, but he just sniffed and went about his business. Maybe he'll pay more attention when some big data breach happens here.]
Post #1545013
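Phil's point about instrumenting the database so you know about intrusion attempts, and the Steve Jones line quoted above about using analytics to detect abnormal actions, both come down to recording login activity and then querying it for patterns. The T-SQL below is an added example, not code from this thread or from any vendor; it assumes SQL Server 2008 or later, a writable placeholder folder D:\Audit\, and a failure threshold of 20 per hour that would need tuning for the environment.

```sql
-- Added example (not from the thread): a SQL Server Audit that records login
-- activity, plus a query that turns the audit files into an alert list.
-- D:\Audit\ is a placeholder path; @threshold is an assumed starting value.
USE master;
GO
CREATE SERVER AUDIT LoginAudit
    TO FILE (FILEPATH = N'D:\Audit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 10)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION LoginAuditSpec
    FOR SERVER AUDIT LoginAudit
    ADD (FAILED_LOGIN_GROUP),                -- every failed login attempt
    ADD (SUCCESSFUL_LOGIN_GROUP),            -- needed to spot a guess that eventually worked
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP)      -- logins created/altered/dropped, e.g. a leaver's
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT LoginAudit WITH (STATE = ON);
GO
-- Detection: principals with an abnormal number of failed logins in the last hour,
-- and whether any of those principals then logged in successfully.
-- event_time in the audit file is UTC, so compare against SYSUTCDATETIME().
DECLARE @threshold int = 20;   -- assumed value; tune against the normal failure rate

WITH attempts AS (
    SELECT event_time, action_id, server_principal_name
    FROM sys.fn_get_audit_file(N'D:\Audit\LoginAudit*.sqlaudit', DEFAULT, DEFAULT)
    WHERE event_time >= DATEADD(HOUR, -1, SYSUTCDATETIME())
      AND action_id IN ('LGIF', 'LGIS')      -- LGIF = login failed, LGIS = login succeeded
)
SELECT a.server_principal_name,
       SUM(CASE WHEN a.action_id = 'LGIF' THEN 1 ELSE 0 END) AS failed_logins,
       MAX(CASE WHEN a.action_id = 'LGIS' THEN a.event_time END) AS last_success_utc
FROM attempts AS a
GROUP BY a.server_principal_name
HAVING SUM(CASE WHEN a.action_id = 'LGIF' THEN 1 ELSE 0 END) >= @threshold
ORDER BY failed_logins DESC;
```

The query only reports after the fact, so it belongs in a scheduled job that raises an alert on any row returned; a misconfigured application retrying a bad password will also trip the threshold, which is why the last_success_utc column is there to separate noise from a guess that landed.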
Posted Wednesday, February 26, 2014 1:36 AM
In theory in the UK the data protection registrar can send the CEO of a company in breach of legislation to prison.

Having data without security is like driving without insurance.

You have to consider all of the following and more:

  • Encrypting data in the database

  • Encrypting data in the backups

  • Data security in electronic transport. SSL certificates, etc.

  • What machines are allowed to talk to a DB server and if possible what processes

  • Data security in transport. Physical media, backup tapes, DVDs, USB.

  • Separation of data with different security concerns

  • RACI matrix for who has access to what and at what level

  • RACI matrix for who has authority to specify access and to grant it

  • How security is monitored/audited

  • What business processes are in place for security breaches. This has to include escalating up the chain of command.

  • Business process for handling requests under the Freedom of Information Act or ICO requests

  • ...etc.



In short, there is a lot to think about with regard to security and, as said earlier, it's not just doing it, it's being seen to do it.


LinkedIn Profile
Newbie on www.simple-talk.com
Post #1545253
Posted Wednesday, February 26, 2014 2:03 AM
At a recent client's (I do not want to identify them as this story is specific but I find it generally applicable) the development team were forced to update configuration files with security information (credentials etc.) of the production systems. This place, like many, totally understood that giving the developers of software details of the production environment was not a good practice and was against their own security rules (the term "in breach" was used). The team whose responsibility it was to deploy and configure software in all non-development environments refused to take up the configuration of a new system. The claim was that they did not have time to learn how to do it. It eventually got into production and the development team was still being emailed server names, security principal credentials, etc. I raised the concern that, although the individuals being given the details were completely trustworthy, a key security principle was being deliberately ignored.

I think that it will take at least one high profile case where senior members of staff are actually held to account by a court of law (instead of it being an empty threat) for any cultural change to occur. I think we need an Enron moment; we have the equivalent of Sarbanes-Oxley (regulation) but what we don't have is a precedent of punishment for non-compliance.

Don't get me wrong; I do not want to see people go to jail but I do want well known best practices applied and the employment of them actively supported by the appropriate management.


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1545269