A Good Security Response

Steve Jones
SSC Guru (282K reputation)
Group: Administrators
Points: 282288 Visits: 19908
Comments posted to this topic are about the item A Good Security Response

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Jim P.
Hall of Fame (3.2K reputation)
Group: General Forum Members
Points: 3151 Visits: 2215
I worked for a bank for a number of years. We were very good about shredding everything, to the point that if any quantity of paper was found in the trash, the housekeeping staff would note the desk/name it was found at and drop the bag off at the Security Officer's desk for review. (There were a few write-ups, usually only once, on some of the staff.)

Ironically, the only large "breach" we had was when we had FDIC auditors in and one of their laptops was stolen from the hotel room. There were 453 customers' financial details on the laptop. It was presumed stolen for the hardware, not the data.

We had to supply the customers with credit monitoring for a year along with prompt notification.

After that, I make it a point to build a shred pile on my desk (I print less than 50 pages a month generally), delete old data after a month, and occasionally run a wipedisk on the blank sectors of my drive. I do my troubleshooting of customer data on servers set up for the purpose.

I know -- tangential and paranoid -- but I don't want my butt fired for it. How many companies provide lunch three days a week? Cool



----------------
Jim P.

A little bit of this and a little byte of that can cause bloatware.
batgirl
SSCrazy (3K reputation)
Group: General Forum Members
Points: 2951 Visits: 1820
My husband's employer (state government) had a piece of media containing employee data misplaced - we were notified immediately and given three years of credit protection.
Ralph Hightower
Ten Centuries (1.2K reputation)
Group: General Forum Members
Points: 1205 Visits: 1218
batgirl (3/26/2013) wrote:
"My husband's employer (state government) had a piece of media containing employee data misplaced - we were notified immediately and given three years of credit protection."

Three years of credit protection. That's better than my state. 6 million Social Security Numbers were stolen from the state's tax department and all we got was a year of credit monitoring; they haven't notified us if our bank account information was also stolen.
ken.trock
SSCrazy (2.4K reputation)
Group: General Forum Members
Points: 2384 Visits: 1736
I belong to something like 40 websites; financial, gaming, social networking, community (like this one). I use a password vault for most of these which makes it a little easier to vary my passwords without having to remember each one. But on the net we're constantly faced with the same tradeoff between convenience and tighter security.

Ken
Nadrek
SSCrazy Eights (8.9K reputation)
Group: General Forum Members
Points: 8940 Visits: 2741
First, Evernote's customer service response was indeed excellent! Not only owning up to the breach, but also forcing a password reset is good. Forcing a password reset with an upgraded password storage mechanism and better rules and checks for bad passwords is even better!

As far as companies not wanting to admit to a breach, even in unregulated industries without legal penalties, there are only four major choices:
1) Own up to it quickly. Customers will be upset, yes, but you will set the tone of the announcement, and be able to start out by saying "We've fixed the issue already, but recently...". Like Evernote, if you can get users to change their passwords before the list is leaked to the public, you'll have fewer upset customers - unhappy, but not as unhappy.

2) See someone else post your password (hash) list publicly, very likely followed by security analysts, blogs, and news media (in large breaches, like the 50 million password Evernote one here, or Sony's recently) putting out stories before you can respond. In this case, you're very likely scrambling to respond, and may have increased civil (or criminal, depending) liability.

3) Hope you were hit by an honest extortion racket who will actually destroy the list if you pay them.

4) Something else.

Password lists do get posted publicly, used in competitions, analyzed for patterns, and so on, and they typically will be linked to who they were stolen from by customers recognizing their own password, by the password content, and so on. Once someone else has your password hashes, they can control the publicity if you don't get there first.
TravisDBA
SSCertifiable (5.4K reputation)
Group: General Forum Members
Points: 5414 Visits: 3069
"Recently Evernote had a security breach and they forced all users to reset their passwords."

Of course, this assumes that you have a user community that even knows how to do this. We required a password reset about a year or so ago on just two hundred users on just a particular application once, not an enterprise-wide password reset involving thousands of users. It took over three weeks to get it done with massive assistance from the help desk, and sometimes people not getting it right three to five times (thus locking out their accounts), and then forgetting the password they reset it to just days later!!! Granted, this should be a walk in the park for most of us. But what you are forgetting here (and most of our management did as well) is how many users there are out there that have trouble just managing the CTRL-ALT-DEL key combination!! I am not kidding either, guys; it was a major oversight and assumption on management's part. You can't assume anything when it comes to most end-users. When it comes to any solution to problems such as security breaches, or any other problems for that matter, the user community is not my first go-to solution. :-D

"Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ...:-D"