That recent Twitter hack relied on, guess what, resetting a password using secret questions. Read the details here.
Nevada mandates PCI-DSS
June 24, 2009
Nevada is the first state to pass legislation that requires companies doing business in the state and processing credit cards to comply with the PCI-DSS. Surprising that they beat California to the punch, but I suspect other states will follow suit in short order. Read here.
MasterCard – On-site assessments extended to level 2 merchants
June 19, 2009
Looks like, as far as self-assessments are concerned, MC thinks the fox hasn’t been guarding the hen house very well. Starting in December 2010, level 2 merchants will have to undergo on-site security assessments à la level 1 merchants. Even though this is an MC-only requirement, the effect will be felt by all level 2 merchants. Read here.
Mid-week challenge
June 10, 2009
Here is a little challenge, maybe not so little, to get your security juices flowing again. It’s some security 101 stuff, the low-hanging fruit that can close the door on a possible breach. When was the last time you bounced your user accounts (Active Directory, ‘nix, remote access) up against an active employee listing? Against a list of active contractors/temps? Do you even have such lists? My experience has been that it either has never been done, it has been a while, or the lists do not exist. The 2009 Verizon Data Breach Report noted several instances of breaches that were a direct result of active user accounts being used by recently terminated employees. This is simple stuff that gets overlooked but goes a long way toward improving your security posture.
If you are not a script writer like me, take a look at DumpSec from the SystemTools folks. It’s a great little free app that will dump your Active Directory accounts (sorry ‘nix folks, but you are better script writers than the Windows crew, right?) into a file for import into your favorite spreadsheet/DB. Add your employee/contractor/temp lists, shake and stir, and voilà!
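For the script-writing crowd, here is the same reconciliation done in code. This is an added example, not the author’s or SystemTools’ code; the CSV layouts, names, dates and the service-account allowlist are constructed, and the match on display name is an assumption (in practice you would key on an employee ID carried in both the directory export and the HR list).

```python
"""Reconcile an exported account list against HR employee/contractor lists."""
import csv
import io
from datetime import date

# Constructed sample: an account export (DumpSec-style columns are assumed).
ACCOUNTS_CSV = """account,display_name,disabled,last_logon
jsmith,John Smith,no,2009-06-09
mjones,Mary Jones,no,2009-06-08
bwhite,Bob White,no,2009-06-01
rgreen,Rita Green,no,2009-06-09
svc_backup,Backup Service,no,2009-06-09
tlee,Tom Lee,yes,2009-03-01
"""

# Constructed sample: combined HR list; blank end_date means still active.
PEOPLE_CSV = """name,status,end_date
John Smith,employee,
Mary Jones,contractor,2009-05-31
Bob White,employee,
Tom Lee,employee,2009-02-28
"""

# Service accounts have no HR owner; review them on their own list instead.
ALLOWLIST = frozenset({"svc_backup"})


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_orphaned_accounts(accounts, people, today, allowlist=frozenset()):
    """Return (account, reason) for enabled accounts with no active owner."""
    people_by_name = {p["name"].strip().lower(): p for p in people}
    findings = []
    for a in accounts:
        if a["disabled"].strip().lower() == "yes" or a["account"] in allowlist:
            continue  # already disabled, or a known service account
        person = people_by_name.get(a["display_name"].strip().lower())
        if person is None:
            findings.append((a["account"], "not on any employee/contractor list"))
        elif person["end_date"] and date.fromisoformat(person["end_date"]) < today:
            findings.append((a["account"], f"{person['status']} ended {person['end_date']}"))
    return findings


def report(today=date(2009, 6, 10)):
    return find_orphaned_accounts(load_csv(ACCOUNTS_CSV), load_csv(PEOPLE_CSV), today, ALLOWLIST)


if __name__ == "__main__":
    for account, reason in report():
        print(f"{account}: {reason}")
```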
Overworked government workers flub..
June 3, 2009
It’s no big story that a government office has managed to release sensitive information again. It’s the excuse in the second half of the article that I find disturbing. In a statement, a Government Printing Office (GPO) spokesman suggested the error was due to the “sheer volume” of documents the GPO processes. Read the entire article here.
“On average, the GPO produces “approximately 160 House documents each Congress,” the statement said. During the 109th Congress, the GPO produced 157 reports, while in the 110th Congress, 161 reports were published, the statement said.”
That’s 160 WHOLE documents? Am I missing something? That works out to less than 1 document a day, assuming they are all processed during the session (if my math is correct, 157 docs / 242 days = .65 per day). I’ll email Mike over at Dirty Jobs to see if he is up for the challenge.
What’s your secret question?
May 19, 2009
Passwords are our front doors to all sorts of sensitive data and information. So what’s your mother’s maiden name? Read here.
Two cost of breach studies
May 15, 2009
For your weekend reading, here are some studies from the Ponemon Institute on the costs of data breaches.
The Fourth Annual Cost of a Data Breach PDF link. A related report is Ponemon’s 2008 Annual Cost of a Data Breach Study. Get it here (free registration required).
The Cost of a Lost Laptop PDF link.
Inside a data leak audit
May 12, 2009
E-mail can be a big source of potential data exposures. Read here.
I like the advice that you have to take the encryption decision out of the sender’s hands; they will inevitably forget to encrypt something sensitive.
How to destroy digitally stored information
May 6, 2009
PCI, federal, and many state PII regulations require the proper destruction of data when an organization is done with it. Here is an overview from CSO on data destruction methods.
PCI’s Grading System Is Failing
April 30, 2009
The author discusses the concept of bringing risk analysis into the compliance grading process. Sounds very sensible to me. I am of a mind that for most large organizations, being 100% compliant with PCI is a fleeting state. I would rather ensure that high-risk exposures are thoroughly identified, mitigated, and monitored than attempt a less than adequate job across the board to achieve an appearance of 100% compliance. Read here.
Posted by ekleintop