October 31, 2007
5 Hard Security Lessons Learned
I've always liked the Philip Roth statement about getting older: Old age isn't a battle, it's a massacre. But one of the few advantages to growing older is wisdom. An article at Dark Reading shares 5 stories of security lessons learned, which I hope will provide the most precious of resources: security wisdom. The lessons follow:
1) The CIO of a large ecommerce site hired a third party for penetration testing. What he forgot, though, was to tell them to leave the CEO's email off the test list. So when the pen testers flooded the company with all sorts of garbage to uncover the holes, they managed to take down the CEO's email account along with the head of HR's. But that's not the worst of it. Once they delivered the results (on a CD-ROM in the mail), they sent them the diagnostics for the wrong company. Just imagine your network's deepest, darkest security vulnerabilities falling into someone else's hands.
Lesson Learned: Do due-diligence on the security companies you do business with.
2) A manager at a database vendor received a call that a server was running out of disk space. That was odd, because the manager hadn't loaded much onto the machine, which was used mostly to access the web and for FTP. Looking on the server, the admin found a bunch of files that he and his staff had nothing to do with. Essentially, the FTP site was being used as a distribution site.
Lesson Learned: When setting up an FTP site, be careful to allow uploads, but not downloads, otherwise it will be open for public distribution.
3) An admin needed to do proof-of-concept testing on a security-event-management (SEM) product that his company was considering buying. You would think the most difficult aspect of any security purchase would be convincing the accounting department to spend the money. In fact it was another IT department, perhaps fearing for their jobs or the Big Brother-like oversight of SEM technology, that resisted, and the company went on to purchase the product without completing testing.
Lesson Learned: Security upgrades aren't always greeted by every department with open arms, so with every new software product you need both buy-in and prioritization.
4) An employee at a company was caught breaking company security policy, and it became the IT admin's job to take that person's laptop away. In the midst of retrieving the company's laptop, the employee returned, and a person who up to that point had been highly rational and reasonable immediately turned violent.
Lesson Learned: Always assume an employee is going to be hostile and violent during any security incident, so bring back-up.
5) A commercial website operator had all the outside ports and addresses fully locked down from intruders, but when a customer complained that the company had sold their email address to spammers (some people open an email account specifically to give to a single ecommerce site), something was clearly going on. The problem was a CGI script that had provided an inadvertent entry point for a Chinese spammer.
Lesson Learned: Make sure that code written internally is not available externally, and you can do that by keeping a close watch on the logs to see what the traffic patterns on your site are.
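One way to act on that advice, as an added example that is not from the original post or the Dark Reading article: a small Python checker that walks web-server access logs in Common Log Format and reports external clients hitting paths reserved for internally written scripts, counting repeat hits so a single address hammering a mail-sending CGI stands out. The sample log lines, the /cgi-bin/ prefix, the internal networks and the alert threshold are all assumptions chosen for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access log (Common Log Format); not from the original post.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Oct/2007:09:01:02 -0500] "GET /cgi-bin/mailform.cgi HTTP/1.1" 200 512
203.0.113.7 - - [31/Oct/2007:09:02:10 -0500] "POST /cgi-bin/mailform.cgi HTTP/1.1" 200 88
203.0.113.7 - - [31/Oct/2007:09:02:11 -0500] "POST /cgi-bin/mailform.cgi HTTP/1.1" 200 88
203.0.113.7 - - [31/Oct/2007:09:02:12 -0500] "POST /cgi-bin/mailform.cgi HTTP/1.1" 200 88
198.51.100.9 - - [31/Oct/2007:09:05:00 -0500] "GET /index.html HTTP/1.1" 200 4096
"""

# client ip, method, path and status from a Common Log Format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Assumed internal address space and the path prefix of internally written scripts.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
INTERNAL_ONLY_PREFIXES = ("/cgi-bin/",)


def is_internal(ip):
    """True if the client address belongs to one of the internal networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable address: treat as external, never as trusted
    return any(addr in net for net in INTERNAL_NETS)


def external_hits_on_internal_code(log_text):
    """Count requests per (client ip, path) where an external client reached internal-only code."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        ip, _method, path, _status = m.groups()
        if path.startswith(INTERNAL_ONLY_PREFIXES) and not is_internal(ip):
            hits[(ip, path)] += 1
    return hits


def flag_abuse(hits, threshold=3):
    """Return (ip, path, count) tuples at or above the threshold, sorted for stable reporting."""
    return sorted((ip, path, n) for (ip, path), n in hits.items() if n >= threshold)


if __name__ == "__main__":
    for ip, path, n in flag_abuse(external_hits_on_internal_code(SAMPLE_LOG)):
        print(f"external client {ip} hit {path} {n} times")
```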
To read the full article, go to Dark Reading.
Posted by pschooff
Twenty-Four Seven Security