Lawsuits and Data Breaches
Steve Jones
SSC-Dedicated
Group: Administrators
Points: 36146 Visits: 18751
Comments posted to this topic are about the item Lawsuits and Data Breaches

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Phil Factor
Right there with Babe
Group: General Forum Members
Points: 745 Visits: 2937
I used to work closely with a security expert who installed an intrusion-detection system. Once it was in place, I was amazed how many attacks we faced, and how some were successful. It was the only way we got to know that they were successful too. It completely changed my way of thinking about security.
A lot of attacks seem to be merely probes to determine weaknesses. Others, if successful, take effective control of the server, but in a way that is generally undetected, and this is only used later. Very few successful attacks result in your customer database being offered on a Russian website. You probably don't know when your network is successfully compromised.
You have to know about as many attempts at intrusion as possible and your applications and database need to be instrumented well enough to alert you to any possible intrusion. If you don't, then it is like having a castle or fort without any guards.
Database Security is a boring topic. Security presentations at PASS or SQL Saturday seldom run to packed houses, but it is one of the most important areas of knowledge that a developer and DBA can possess. I recommend Denny Cherry's book as a really good introduction to SQL Server security.
My worst experience? When an employee with a crazy grudge (an affair with another employee) sold his SQL Server login to some bandits when he left the company. I should have changed it before, I know, but security isn't an exciting topic until you get hit.


Best wishes,

Phil Factor
Simple Talk
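Phil's two points, that the database has to be instrumented well enough to make both the probes and the quiet takeovers visible, and that a leaver's login has to be dealt with before it is sold on, map directly onto SQL Server Audit and login management. The T-SQL below is an added example and is not code from the thread; it assumes SQL Server 2012 or later, a directory E:\Audit\ that the service account can write to, and the names ServerLoginAudit, LoginAndPrivilegeSpec, leaver_login and shared_login are hypothetical.

```sql
-- Added example, not from the original post. Assumed: SQL Server 2012+,
-- E:\Audit\ exists and is writable by the SQL Server service account.
-- Audit, specification and login names are hypothetical.
USE master;
GO

-- 1. Server audit: where the events go. ON_FAILURE = CONTINUE keeps the
--    instance up if the audit target fails; use SHUTDOWN where losing audit
--    records is worse than losing availability.
CREATE SERVER AUDIT ServerLoginAudit
TO FILE (FILEPATH = N'E:\Audit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- 2. What to record: every login attempt, successful or not, and every
--    change to logins, role membership or permissions, so that a takeover
--    that quietly adds a backdoor principal still leaves a trace.
CREATE SERVER AUDIT SPECIFICATION LoginAndPrivilegeSpec
FOR SERVER AUDIT ServerLoginAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT ServerLoginAudit WITH (STATE = ON);
GO

-- 3. The probes: sources that failed to log in 10 or more times in the
--    last hour. action_id LGIF = login failed. event_time is stored in UTC.
SELECT server_principal_name,
       client_ip,
       COUNT(*)        AS failures,
       MIN(event_time) AS first_seen,
       MAX(event_time) AS last_seen
FROM sys.fn_get_audit_file(N'E:\Audit\ServerLoginAudit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'
  AND event_time >= DATEADD(HOUR, -1, SYSUTCDATETIME())
GROUP BY server_principal_name, client_ip
HAVING COUNT(*) >= 10
ORDER BY failures DESC;
GO

-- 4. The quiet takeover: any principal, role or permission change in the
--    last 24 hours, with who issued it and from which address.
SELECT event_time,
       action_id,
       session_server_principal_name AS done_by,
       client_ip,
       statement
FROM sys.fn_get_audit_file(N'E:\Audit\ServerLoginAudit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id NOT IN ('LGIS', 'LGIF')
  AND event_time >= DATEADD(DAY, -1, SYSUTCDATETIME())
ORDER BY event_time DESC;
GO

-- 5. Offboarding, the step Phil says he should have taken first: disable the
--    leaver's own login, then find and kill any session it still holds.
ALTER LOGIN [leaver_login] DISABLE;
SELECT session_id, host_name, program_name, login_time
FROM sys.dm_exec_sessions
WHERE login_name = N'leaver_login';
-- KILL <session_id>; for each row returned. A disabled login cannot reconnect.
-- If the leaver knew a shared login's password, rotate it instead:
-- ALTER LOGIN [shared_login] WITH PASSWORD = N'<new strong password>';
GO
```

The review queries are the minimum; in practice steps 3 and 4 run on a schedule (a SQL Agent job or an external collector) and raise an alert rather than waiting for someone to look. Note that the audit captures only what reaches the instance, so a login whose password was sold will show up as a successful login from an unfamiliar address, which is why capturing SUCCESSFUL_LOGIN_GROUP matters as much as failures.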
Gary Varga
SSCrazy Eights
Group: General Forum Members
Points: 8358 Visits: 6161
We should be doing the right things and be seen to be doing them. Except for a possible small number of exceptions, I would hazard a guess that the majority of hackers are either criminals or cyber-vandals. As such I would expect both groups to be more interested in easier targets (no pun intended). Criminals will want to maximise their gains from low risk/low effort activities whilst cyber-vandals are more likely to be interested in high profile results possibly without serious amounts of talent.

This is the classic scenario of not necessarily being able to make the situation impossible rather than make it difficult to a level that there are easier targets available.

Also by taking the appropriate steps then stakeholders should attain a level of reasonable confidence. It may also provide evidence that due diligence was performed in a more legal setting.

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Gary Varga
SSCrazy Eights
Group: General Forum Members
Points: 8358 Visits: 6161
Phil Factor (2/25/2014)
...A lot of attacks seem to be merely probes to determine weaknesses. Others, if successful, take effective control of the server, but in a way that is generally undetected, and this is only used later. Very few successful attacks result in your customer database being offered on a Russian website. You probably don't know when your network is successfully compromised...

Sometimes our systems are just used as a launch pad for other attacks in order to preserve the attackers' anonymity and provide an attack vector from a possibly legitimate source.

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
EricEyster
SSC Veteran
Group: General Forum Members
Points: 296 Visits: 520
Gary Varga (2/25/2014)
Phil Factor (2/25/2014)
...A lot of attacks seem to be merely probes to determine weaknesses. Others, if successful, take effective control of the server, but in a way that is generally undetected, and this is only used later. Very few successful attacks result in your customer database being offered on a Russian website. You probably don't know when your network is successfully compromised...

Sometimes our systems are just used as a launch pad for other attacks in order to preserve the attackers' anonymity and provide an attack vector from a possibly legitimate source.


Many websites simply do not have the economic benefit for the hacker. Hack SSC and you get some passwords that are hopefully not used on other sites. Hack Target and you get millions of credit cards.
jay-h
SSC Eights!
Group: General Forum Members
Points: 925 Visits: 2222
Gary Varga (2/25/2014)
We should be doing the right things and be seen to be doing them. Except for a possible small number of exceptions, I would hazard a guess that the majority of hackers are either criminals or cyber-vandals. As such I would expect both groups to be more interested in easier targets (no pun intended). Criminals will want to maximise their gains from low risk/low effort activities whilst cyber-vandals are more likely to be interested in high profile results possibly without serious amounts of talent.

This is the classic scenario of not necessarily being able to make the situation impossible rather than make it difficult to a level that there are easier targets available.

Also by taking the appropriate steps then stakeholders should attain a level of reasonable confidence. It may also provide evidence that due diligence was performed in a more legal setting.


It does not appear that Target was that easy. They did not hit Target directly, they hit the third party card readers, gaining access through another third party (HVAC system maintenance). They used a RAM scraper to grab info during the short time while it was not (could not be) encrypted.

The point I see from this is that there are, and will ALWAYS be attack points that are outside of your control. To paraphrase the old STD public health warnings, it's not just your vendors and customers to worry about, but all of their vendors and customers as well.

I find it absurd, though, that the government is threatening more legal sanctions for security leaks when they can't even keep their own house in order (NSA anyone?)

...

-- FORTRAN manual for Xerox Computers --
Jim Youmans-439383
SSC Journeyman
Group: General Forum Members
Points: 98 Visits: 454
I used to work for a company that was in the health care business. We had databases full of PII (Name, Address, SSN, DOB, Insurance Membership, etc.) and none of it was encrypted. It was also copied from PROD to QA to DEV and sent overseas to our India office.

I complained loud and long about how dangerous this was and how we needed to secure this data. Finally the Director of Security for my company called me into his office and basically read me the riot act and told me I needed to shut up. They were aware of the issues and were working on them, and if the clients found out about this, we could lose business.

I started looking for a new position that afternoon. I still have friends who work there and now, almost 16 months later, nothing has changed.

And from what I understand from other friends, this is more the norm than the exception.

It blows my mind!
GoofyGuy
SSC-Addicted
Group: General Forum Members
Points: 409 Visits: 971
Steve Jones wrote:

We, and the businesses that employ us, should be incorporating analytics into our defenses to detect abnormal actions ...


Which seems to be what products from cyber security vendors like Aorato do.

[Disclaimer: I'm not associated with Aorato in any way. I did try getting our data security officer interested in Aorato's software, but he just sniffed and went about his business. Maybe he'll pay more attention when some big data breach happens here.]
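The "analytics to detect abnormal actions" idea does not need a product to get started; the SQL Server Audit log already holds enough to build a baseline and score today's logins against it. The query below is an added example, not part of any post in this thread and not a description of any vendor's software. It assumes SQL Server 2012 or later and a server audit that records SUCCESSFUL_LOGIN_GROUP events to files under E:\Audit\ (a hypothetical path); the 07:00 to 19:59 UTC working window is an assumed value.

```sql
-- Added example, not from any post in this thread. Assumed: SQL Server 2012+
-- and a server audit recording SUCCESSFUL_LOGIN_GROUP to E:\Audit\ (hypothetical).
SET DATEFIRST 7;                                  -- make DATEPART(WEEKDAY) deterministic: 1 = Sunday
DECLARE @now datetime2(0) = SYSUTCDATETIME();     -- audit event_time is UTC

WITH logins AS (
    SELECT server_principal_name AS login_name,
           client_ip,
           event_time
    FROM sys.fn_get_audit_file(N'E:\Audit\*.sqlaudit', DEFAULT, DEFAULT)
    WHERE action_id = 'LGIS'                      -- successful logins only
      AND event_time >= DATEADD(DAY, -30, @now)
),
baseline AS (
    -- every (login, source address) pair seen in the 29 days before the scored day
    SELECT DISTINCT login_name, client_ip
    FROM logins
    WHERE event_time < DATEADD(DAY, -1, @now)
),
recent AS (
    -- the last 24 hours: the period being scored against the baseline
    SELECT login_name, client_ip, event_time,
           CASE WHEN DATEPART(HOUR, event_time) NOT BETWEEN 7 AND 19
                  OR DATEPART(WEEKDAY, event_time) IN (1, 7)   -- Sunday, Saturday
                THEN 1 ELSE 0 END AS off_hours
    FROM logins
    WHERE event_time >= DATEADD(DAY, -1, @now)
)
SELECT r.event_time,
       r.login_name,
       r.client_ip,
       CASE WHEN b.login_name IS NULL THEN 'first time from this address' END AS address_flag,
       CASE WHEN r.off_hours = 1 THEN 'outside 07:00-19:59 UTC Mon-Fri' END   AS time_flag
FROM recent AS r
LEFT JOIN baseline AS b
       ON b.login_name = r.login_name
      AND b.client_ip  = r.client_ip
WHERE b.login_name IS NULL                        -- login never seen from this address before
   OR r.off_hours = 1                             -- or at an unusual time
ORDER BY r.event_time DESC;
```

Each row is a question for a human, not an alarm in itself: a new laptop or a late deployment will trip it. Two caveats matter in practice. A baseline built from a month in which the attacker was already present bakes their address into "normal", so the first run after deploying the audit deserves a manual read-through. And client_ip is the address the instance saw, so connections that arrive through a load balancer or a jump host all look alike; pair the address with host_name and program_name from the same audit record when that is the case.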
David.Poole
Hall of Fame
Group: General Forum Members
Points: 3682 Visits: 3118
In theory, in the UK the Data Protection Registrar can send the CEO of a company in breach of legislation to prison.

Having data without security is like driving without insurance.

You have to consider all of the following and more:

  • Encrypting data in the database

  • Encrypting data in the backups

  • Data security in electronic transport: SSL certificates, etc.

  • What machines are allowed to talk to a DB server and if possible what processes

  • Data security in transport. Physical media, backup tapes, DVDs, USB

  • Separation of data with different security concerns

  • RACI matrix for who has access to what and at what level

  • RACI matrix for who has authority to specify access and to grant it

  • How security is monitored/audited

  • What business processes are in place for security breaches. This has to include escalating up the chain of command.

  • Business process for handling requests under the Freedom of Information Act or ICO requests

  • ...etc



In short, there is a lot to think about with regard to security and, as said earlier, it's not just doing it, it's being seen to do it.

LinkedIn Profile

Newbie on www.simple-talk.com
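Two of the items on the checklist above, which machines are allowed to talk to the DB server and who has access to what at what level, can be checked from inside the instance rather than taken on trust. The T-SQL below is an added example and is not part of the original post; it assumes SQL Server 2012 or later, and the allow-list addresses are constructed for illustration. The encryption items on the list (TDE, encrypted backups, TLS) are not covered here.

```sql
-- Added example, not from the original post. Assumed: SQL Server 2012+;
-- the allow-list addresses below are constructed for illustration.

-- (a) Which machines are talking to this instance right now, versus the
--     machines that are supposed to. '<local machine>' is what
--     sys.dm_exec_connections reports for shared-memory connections.
DECLARE @allowed TABLE (client_net_address varchar(48) PRIMARY KEY);
INSERT INTO @allowed (client_net_address)
VALUES ('10.0.1.20'), ('10.0.1.21'), ('<local machine>');   -- constructed allow-list

SELECT c.client_net_address,
       s.login_name,
       s.host_name,
       s.program_name,
       COUNT(*) AS sessions
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
LEFT JOIN @allowed           AS a ON a.client_net_address = c.client_net_address
WHERE a.client_net_address IS NULL               -- connected, but not on the allow-list
GROUP BY c.client_net_address, s.login_name, s.host_name, s.program_name
ORDER BY sessions DESC;

-- (b) Who has access at what level: server role membership for the instance,
--     then role membership and explicit permissions in the current database.
--     Run this part in every database that holds data with a security concern.
SELECT 'server role' AS scope,
       r.name        AS role_or_permission,
       m.name        AS principal_name,
       m.type_desc   AS principal_type
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
UNION ALL
SELECT 'database role', r.name, m.name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
UNION ALL
SELECT 'explicit ' + LOWER(p.state_desc),
       p.permission_name + ' ON '
         + CASE p.class
             WHEN 1 THEN OBJECT_SCHEMA_NAME(p.major_id) + '.' + OBJECT_NAME(p.major_id)
             WHEN 3 THEN 'SCHEMA::' + SCHEMA_NAME(p.major_id)
             ELSE p.class_desc
           END,
       pr.name,
       pr.type_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS pr ON pr.principal_id = p.grantee_principal_id
WHERE pr.name <> 'public'                        -- report named grantees only
ORDER BY scope, principal_name, role_or_permission;
```

Query (a) is a point-in-time snapshot; the real control is the firewall or network allow-list, and this is how you confirm it matches what the DBA team believes, which is exactly the gap a third-party maintenance connection of the kind discussed earlier in the thread falls through. Query (b) is the raw material for the "who has access at what level" matrix, with one limit: a Windows group appears as a single principal, so its actual membership has to come from the directory, not from SQL Server.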
Gary Varga
SSCrazy Eights
Group: General Forum Members
Points: 8358 Visits: 6161
At a recent client's (I do not want to identify them as this story is specific but I find it generally applicable) the development team were forced to update configuration files with security information (credentials, etc.) of the production systems. This place, like many, totally understood that giving the developers of software details of the production environment was not a good practice and was against their own security rules (the term "in breach" was used). The team whose responsibility it was to deploy and configure software in all non-development environments refused to take up the configuration of a new system. The claim was that they did not have time to learn how to do it. It eventually got into production and the development team was still being emailed server names, security principal credentials, etc. I raised the concern that, although the individuals being given the details were completely trustworthy, a key security principle was being deliberately ignored.

I think that it will take at least one high profile case where senior members of staff are actually held to account by a court of law (instead of it being an empty threat) for any cultural change to occur. I think we need an Enron moment; we have the equivalent of Sarbanes-Oxley (regulation) but what we don't have is a precedent of punishment for non-compliance.

Don't get me wrong; I do not want to see people go to jail but I do want well known best practices applied and the employment of them actively supported by the appropriate management.

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!