SQLServerCentral Editorial

What's Worse than Announcing a Data Breach?

,

What's Worse than Announcing a Data Breach? You might think that's the worst thing that you could tell your boss these days. Imagine discovering that sensitive data has been exposed and you need to go inform an executive. Hopefully no one is looking to punish the messenger, but it will still be a very uncomfortable conversation.

Now imagine that you need to go back and have a second discussion a day or two later. Why? More data was exposed, and potentially lost. I'm not sure which conversation is worse, though if you don't have a list of things you've checked, changed, or fixed between the two meetings, I would argue the second one is worse.

That happened to a mortgage loan company. The data breach was already bad, with an Elastisearch server out there without any security. Data had been converted from paper documents through an OCR process, which resulted in no shortage of mistakes, but there was still plenty of sensitive information out there. Things got worse when security researchers discovered the source of the OCR process was an Amazon S3 bucket that container the original images, also without a password.

Before I comment on anything else, there should be NO shares, buckets, containers, databases, or any sort of server without a password. None, nada, zip, zilch, no excuses. At least protect everything with a password that meets your organizations password requirements. No "12345" or "asdf" or default passwords. Before you do anything else, go set passwords. If you have S3 buckets or Azure storage, write a script to check them all. Set. A. Password. On. Everything.

We will all make mistakes in configuration, and there might be security issues at times. These ought to be rare, with today's vulnerabilities scanners, static code analysis, configuration as code, global policies, etc. There really isn't any excuse why we don't set things up at the beginning, but if things change and mistakes are made, we ought to detect them quickly. And then fix them. That's why we should use automation, configuration as code, and regular evaluation of our systems.

One of the greatest strengths of the DevOps philosophies is that we can deploy changes quickly to fix things. We'll make mistakes, we'll have issues, but when we find them, there is no long waiting period to get the fix into our client's hands. That ought to be true for both software and infrastructure.

Rate

You rated this post out of 5. Change rating

Share

Categories

Join the discussion and add your comment

Share

Rate

You rated this post out of 5. Change rating

Related content

SQLServerCentral Editorial

Mini-Me

Will the next version of Windows be a "Mini-Me" version of Vista? Who knows, and it's too early to tell, but apparently there's a mini-kernel version of Windows 7, the one after Vista, which fits into 25MB on disk. That's a touch lower than the 4GB that Vista takes up. Granted it's not a full […]

You rated this post out of 5. Change rating

2007-10-25

105 reads

SQLServerCentral Editorial

An Hour in Time

Daylight Savings time switches a little later this year. In fact it's November 4th this year, after having been in October for all of my life. In case you don't remember which way we move the clocks, here's a saying: Spring forward, fall back.

5 (1)

You rated this post out of 5. Change rating

2007-10-17

216 reads

SQLServerCentral Editorial

Software is Like Building a House

One of the really classic analogies in software is that it's like building a house. You have a foundation, multiple teams, lots of contractors that specialize in something, etc. And it's an analogy that's debated as to its relevance over and over. I won't go into the correctness of this analogy, but I wanted to comment on it.

You rated this post out of 5. Change rating

2012-10-08 (first published: )

331 reads