A Good Security Response

Steve Jones
SSC Guru

Group: Administrators
Points: 63226 Visits: 19115
Comments posted to this topic are about the item A Good Security Response

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Jim P.
SSC Eights!

Group: General Forum Members
Points: 915 Visits: 2215
I worked for a bank for a number of years. We were very good about shredding everything, to the point that if any quantity of paper was found in the trash, the housekeeping staff would note the desk/name it was found at and drop the bag off at the Security Officer's desk for review. (There were a few write-ups, usually only once, on some of the staff.)

Ironically, the only large "breach" we had was when we had FDIC auditors in and one of their laptops was stolen from the hotel room. There were 453 customers' financial details on the laptop. It was presumed stolen for the hardware, not the data.

We had to supply the customers with credit monitoring for a year along with prompt notification.

After that, I make it a point to build a shred pile on my desk (I print less than 50 pages a month generally), delete old data after a month, and occasionally run a wipedisk on the blank sectors of my drive. I do my troubleshooting of customer data on servers set up for the purpose.

I know -- tangential and paranoid -- but I don't want my butt fired for it. How many companies provide lunch three days a week? Cool



----------------
Jim P.

A little bit of this and a little byte of that can cause bloatware.
batgirl
SSCommitted

Group: General Forum Members
Points: 1709 Visits: 1820
My husband's employer (state government) had a piece of media containing employee data misplaced - we were notified immediately and given three years of credit protection.
Ralph Hightower
Mr or Mrs. 500

Group: General Forum Members
Points: 535 Visits: 1111
batgirl (3/26/2013)
My husband's employer (state government) had a piece of media containing employee data misplaced - we were notified immediately and given three years of credit protection.


Three years of credit protection. That's better than my state. 6 million Social Security Numbers were stolen from the state's tax department and all we got was a year of credit monitoring; they haven't notified us if our bank account information was also stolen.
ken.trock
SSChasing Mays

Group: General Forum Members
Points: 645 Visits: 1730
I belong to something like 40 websites; financial, gaming, social networking, community (like this one). I use a password vault for most of these which makes it a little easier to vary my passwords without having to remember each one. But on the net we're constantly faced with the same tradeoff between convenience and tighter security.

Ken
Nadrek
SSCommitted

Group: General Forum Members
Points: 1913 Visits: 2729
First, Evernote's customer service response was indeed excellent! Not only owning up to the breach, but also forcing a password reset is good. Forcing a password reset with an upgraded password storage mechanism and better rules and checks for bad passwords is even better!

As far as companies not wanting to admit to a breach, even in unregulated industries without legal penalties, there are only four major choices:
1) Own up to it quickly. Customers will be upset, yes, but you will set the tone of the announcement, and be able to start out by saying "We've fixed the issue already, but recently...". Like Evernote, if you can get users to change their passwords before the list is leaked to the public, you'll have fewer upset customers - unhappy, but not as unhappy.

2) See someone else post your password (hash) list publicly, very likely followed by security analysts, blogs, and news media (in large breaches, like the 50 million password Evernote one here, or Sony's recently) putting out stories before you can respond. In this case, you're very likely scrambling to respond, and may have increased civil (or criminal, depending) liability.

3) Hope you were hit by an honest extortion racket who will actually destroy the list if you pay them.

4) Something else.

Password lists do get posted publicly, used in competitions, analyzed for patterns, and so on, and they typically will be linked to who they were stolen from by customers recognizing their own password, by the password content, and so on. Once someone else has your password hashes, they can control the publicity if you don't get there first.
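The combination Nadrek praises above (force a reset for every account, refuse the old hashes for login from that moment on, and store the new passwords under a stronger scheme with stricter checks) is easy to describe and easy to get subtly wrong. The following is an added illustration, not code from this thread or from Evernote: it uses a constructed two-user table with unsalted MD5 hashes as the stand-in "legacy" scheme, PBKDF2-HMAC-SHA256 with a per-user random salt as the upgraded scheme, and a tiny constructed banned-password list in place of a real breach corpus. The iteration count, the 12-character minimum and the field names are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed legacy table: unsalted MD5 (a weak scheme, present only as the
# "before" state of the migration; never store passwords this way).
def legacy_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

LEGACY_USERS = {
    "alice": {"scheme": "md5", "hash": legacy_hash("correct horse"), "must_reset": False},
    "bob":   {"scheme": "md5", "hash": legacy_hash("password1"),     "must_reset": False},
}

# Constructed stand-in for a breached/common-password corpus check.
BANNED_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}

# Assumed work factor for the example; tune to the host's login latency budget.
PBKDF2_ITERATIONS = 200_000
MIN_LENGTH = 12


def force_reset_all(users: dict) -> int:
    """Step 1: flag every account so the leaked legacy hashes stop being usable."""
    for record in users.values():
        record["must_reset"] = True
    return len(users)


def password_is_acceptable(password: str, username: str) -> bool:
    """Step 2: stricter rules applied before a new password is accepted."""
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        return False
    if lowered in BANNED_PASSWORDS:
        return False
    if username.lower() in lowered:
        return False
    return True


def set_new_password(users: dict, username: str, new_password: str) -> bool:
    """Step 3: store the reset password under the upgraded, salted scheme."""
    record = users[username]
    if not password_is_acceptable(new_password, username):
        return False
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ITERATIONS)
    record.update({
        "scheme": "pbkdf2_sha256",
        "salt": salt.hex(),
        "hash": digest.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "must_reset": False,
    })
    return True


def verify_login(users: dict, username: str, password: str) -> str:
    """Returns 'ok', 'reset_required' or 'denied'.

    A record still on the legacy scheme, or flagged must_reset, is never
    verified against the supplied password: the old hash list may be in
    attackers' hands, so the only path forward is the out-of-band reset.
    """
    record = users.get(username)
    if record is None:
        return "denied"
    if record["must_reset"] or record["scheme"] != "pbkdf2_sha256":
        return "reset_required"
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    # Constant-time comparison so the verifier does not leak prefix matches.
    return "ok" if hmac.compare_digest(digest.hex(), record["hash"]) else "denied"


if __name__ == "__main__":
    print("flagged", force_reset_all(LEGACY_USERS), "accounts")
    print("alice before reset:", verify_login(LEGACY_USERS, "alice", "correct horse"))
    print("weak reset accepted?", set_new_password(LEGACY_USERS, "bob", "password1"))
    print("strong reset accepted?", set_new_password(LEGACY_USERS, "alice", "correct horse battery staple"))
    print("alice after reset:", verify_login(LEGACY_USERS, "alice", "correct horse battery staple"))
```

Two points worth noticing: the legacy hash is never consulted again once the reset is forced, so recovering it from the leaked list buys nothing, and the rules in `password_is_acceptable` run at reset time, which is the one moment every user is guaranteed to pass through. In a production flow the "reset_required" and "denied" answers should be delivered through the same channel and timing so that they do not reveal which usernames exist.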
TravisDBA
SSCrazy

Group: General Forum Members
Points: 2002 Visits: 3069
"Recently Evernote had a security breach and they forced all users to reset their passwords."


Of course, this assumes that you have a user community that even knows how to do this. We required a password reset about a year or so ago on just two hundred users on just a particular application once, not an enterprise-wide password reset involving thousands of users. It took over three weeks to get it done with massive assistance from the help desk, and sometimes people not getting it right three to five times of doing it (thus locking out their accounts), and then forgetting the password they reset it to just days later!!! Granted, this should be a walk in the park for most of us. But what you are forgetting here (and most of our management did as well) is how many users there are out there that have trouble just managing the CTRL-ALT-DEL key combination!! I am not kidding either guys, it was a major oversight and assumption on management's part. You can't assume anything when it comes to most end-users. When it comes to any solution to problems such as security breaches, or any other problems for that matter, the user community is not my first go-to solution. :-D

"Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ...:-D"