That recent Twitter hack relied on, guess what, resetting a password using secret questions. Read the details here.
Mid-week challenge
June 10, 2009
Here is a little challenge, maybe not so little, to get your security juices flowing again. It’s some security 101 stuff, the low-hanging fruit that can close the door on a possible breach. When was the last time you bounced your user accounts (Active Directory, ‘nix, remote access) up against an active employee listing? Against a list of active contractors/temps? Do you even have such lists? My experience has been that it either never has been done, has not been done in a while, or the lists do not exist. The 2009 Verizon Data Breach Report noted several instances of breaches that were a direct result of still-active user accounts being used by recently terminated employees. This is simple stuff that gets overlooked but goes a long way in improving your security posture.
If you are not a script writer, take a look at DumpSec from the SystemTools folks. It’s a great little free app that will dump your Active Directory accounts (sorry ‘nix folks, but you are better script writers than the Windows crew, right?) into a file for import into your favorite spreadsheet/DB. Add your employee/contractor/temp lists, shake and stir, and voilà!
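For the script writers, here is the "shake and stir" step as an added example (my own illustration, not code from the original post or from SystemTools). It assumes two constructed inputs: a tab-delimited account export with UserName/AccountDisabled/LastLogonTime columns (an assumed layout, not DumpSec's actual output format) and an HR roster CSV with a status column. It matches on login name, which assumes HR records the login name; in practice you would join on employee ID or full name instead. Enabled accounts belonging to terminated people and enabled accounts nobody on the roster owns are the two buckets that matter; service accounts go on an allowlist so they do not drown the report.

```python
import csv
import io

# Constructed sample of an account export (tab-delimited; the column names are
# an assumption for this example, not DumpSec's real output format).
ACCOUNT_EXPORT = """UserName\tFullName\tAccountDisabled\tLastLogonTime
jsmith\tJohn Smith\tNo\t2009-06-09
mjones\tMary Jones\tNo\t2009-06-08
svc_backup\tBackup Service\tNo\t2009-06-10
tbrown\tTom Brown\tNo\t2009-05-30
pgreen\tPat Green\tNo\t2009-06-01
rlee\tRita Lee\tYes\t2009-01-15
"""

# Constructed sample of the HR roster (employees, contractors and temps).
HR_ROSTER = """username,status,type
jsmith,active,employee
mjones,active,contractor
tbrown,terminated,employee
kwhite,active,temp
"""

# Accounts that are expected to have no human owner on the HR roster.
SERVICE_ACCOUNT_ALLOWLIST = {"svc_backup"}


def norm(name):
    """Normalise a login name so 'JSmith ' and 'jsmith' compare equal."""
    return name.strip().lower()


def load_accounts(text):
    """Parse the tab-delimited export into a list of dicts."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return [
        {
            "username": norm(row["UserName"]),
            "enabled": row["AccountDisabled"].strip().lower() != "yes",
            "last_logon": row["LastLogonTime"].strip(),
        }
        for row in reader
    ]


def load_roster(text):
    """Parse the HR CSV into {username: status}."""
    reader = csv.DictReader(io.StringIO(text))
    return {norm(row["username"]): row["status"].strip().lower() for row in reader}


def reconcile(accounts, roster, allowlist=frozenset()):
    """Compare enabled accounts against the HR roster.

    Returns three sorted lists:
      terminated_but_enabled - enabled accounts whose owner HR lists as terminated
      unknown_enabled        - enabled accounts with no roster entry and no allowlist entry
      roster_without_account - active people on the roster with no account at all
    """
    allow = {norm(a) for a in allowlist}
    known = {a["username"] for a in accounts}
    terminated, unknown = [], []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account is not an immediate access risk
        user = acct["username"]
        if user in allow:
            continue
        status = roster.get(user)
        if status is None:
            unknown.append(user)
        elif status != "active":
            terminated.append(user)
    missing = [u for u, s in roster.items() if s == "active" and u not in known]
    return {
        "terminated_but_enabled": sorted(terminated),
        "unknown_enabled": sorted(unknown),
        "roster_without_account": sorted(missing),
    }


def run_example():
    """Run the reconciliation over the constructed samples above."""
    return reconcile(load_accounts(ACCOUNT_EXPORT), load_roster(HR_ROSTER), SERVICE_ACCOUNT_ALLOWLIST)


if __name__ == "__main__":
    for bucket, users in run_example().items():
        print(f"{bucket}: {', '.join(users) or '(none)'}")
```

Running it on the samples flags tbrown (terminated, still enabled), pgreen (enabled, unknown to HR) and kwhite (on the roster, no account). The third bucket is not a security finding in itself, but it tells you the join key is wrong or the roster is stale, which is exactly the "do you even have such lists" problem. Point the same script at your remote-access and ‘nix account exports and you have the whole exercise.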
What’s your secret question?
May 19, 2009
Passwords are our front doors to all sorts of sensitive data and information. So what’s your mother’s maiden name? Read here.
Two cost of breach studies
May 15, 2009
For your weekend reading, here are some studies from the Ponemon Institute on the costs of data breaches.
The Fourth Annual Cost of a Data Breach PDF link. A related report is Ponemon’s 2008 Annual Cost of a Data Breach Study. Get it here (free registration required).
The Cost of a Lost Laptop PDF link.
Inside a data leak audit
May 12, 2009
E-mail can be a big source of potential data exposures. Read here.
I like the advice that you have to take the encryption decision out of the sender’s hands; they will inevitably forget to encrypt something sensitive.
How to destroy digitally stored information
May 6, 2009
PCI, federal, and many state PII regulations require the proper destruction of data when an organization is done with it. Here is an overview from CSO on data destruction methods.
Data encryption done wrong
April 22, 2009
From the BBC… ”The data lost was encrypted (on the USB) but the password had been written on a note which was attached when it was misplaced”… Oops. Read here.
Interesting read on Bank Card PIN hacking
April 15, 2009
From Wired Magazine… ”Essentially, the thief tricks the HSM (hardware security module) into providing the encryption key,” says Sartin. “This is possible due to poor configuration of the HSM or vulnerabilities created from having bloated functions on the device.” Read the full text here.
Verizon’s annual Data Breach Investigation Report is out today…
April 15, 2009
Read a summary here. There is good advice in the lower half of the page. Note that most of the recommendations are practically free; they are simple things we should already be doing. Don’t overcomplicate security and lose sight of the basics.
Here is a link to the report. (PDF Link)
Looks like Symantec is getting on the bandwagon as well. Read their Internet Security Threat Report Volume XIV April 2009 here (PDF Link). The executive summary is here (PDF Link).
More on Massachusetts state data regulations “Leading the Charge”
April 13, 2009
I love Bruce Schneier’s comment in this article from SC Magazine. The cost of doing business is truly changing. Read here.
…he has no sympathy for companies reluctant to spend money on security. “If it’s too expensive for you to collect personal information, don’t,” he says. “If you want the benefit of the data, pay the price”….
Posted by ekleintop