March 25, 2013 at 9:28 pm
Comments posted to this topic are about the item A Good Security Response
March 25, 2013 at 9:42 pm
I worked for a bank for a number of years. We were very good about shredding everything, to the point that if any quantity of paper was found in the trash, the housekeeping staff would note the desk/name it was found at and drop the bag off at the Security Officer's desk for review. (There were a few write-ups, usually only once, on some to the staff.)
Ironically, the only large "breach" we had was when we had FDIC auditors in and one their laptops was stolen from the hotel room. There were 453 customer's financial details on the laptop. It was presumed stolen for the hardware, not the data.
We had to supply the customers with credit monitoring for a year along with prompt notification.
After that, I make it a point to build a shred pile on my desk (I print less than 50 pages a month generally), delete old data after a month, and occasionally run a wipedisk on the blank sectors of my drive. I do my troubleshooting of customer data on servers setup for the purpose.
I know -- tangential and paranoid -- but I don't want my butt fired for it. How many companies provide lunch three days a week. 😎
----------------
Jim P.
A little bit of this and a little byte of that can cause bloatware.
March 26, 2013 at 5:47 am
My husband's employer (state government) had a piece of media containing employee data misplaced - we were notified immediately and given three years of credit protection.
March 26, 2013 at 7:05 am
batgirl (3/26/2013)
My husband's employer (state government) had a piece of media containing employee data misplaced - we were notified immediately and given three years of credit protection.
Three years of credit protection. That's better than my state. 6 million Social Security Numbers were stolen from the state's tax department and all we got was a year of credit monitoring; they haven't notified us if our bank account information was also stolen.
March 26, 2013 at 10:40 am
I belong to something like 40 websites; financial, gaming, social networking, community (like this one). I use a password vault for most of these which makes it a little easier to vary my passwords without having to remember each one. But on the net we're constantly faced with the same tradeoff between convenience and tighter security.
Ken
March 26, 2013 at 10:50 am
First, Evernote's customer service response was indeed excellent! Not only owning up to the breach, but also forcing a password reset is good. Forcing a password reset with an upgraded password storage mechanism and better rules and checks for bad passwords is even better!
As far as companies not wanting to admit to a breach, even in unregulated industries without legal penalties, there are only four major choices:
1) Own up to it quickly. Customers will be upset, yes, but you will set the tone of the annoucement, and be able to start out by saying "We've fixed the issue already, but recently...". Like Evernote, if you can get users to change their passwords before the list is leaked to the public, you'll have less upset customers - unhappy, but not as unhappy.
2) See someone else post your password (hash) list publicly, very likely followed by security analysts, blogs, and news media (in large breaches, like the 50 million password Evernote one here, or Sony's recently) putting out stories before you can respond. In this case, you're very likely scrambling to respond, and may have increased civil (or criminal, depending) liability.
3) Hope you were hit by an honest extortion racket who will actually destroy the list if you pay them.
4) Something else.
Password lists do get posted publicly, used in competitions, analyzed for patterns, and so on, and they typically will be linked to who they were stolen from by customers recognizing their own password, by the password content, and so on. Once someone else has your password hashes, they can control the publicity if you don't get there first.
March 26, 2013 at 10:53 am
"Recently Evernote had a security breach and they forced all users to reset their passwords."
Of course, this assumes that you have a user community that even knows how to do this. We required a password reset about a year or so ago on on just two hundred users on just a particular application once, not an enterprise wide password reset involving thousands of users. It took over three weeks to get it done with massive assistance from the help desk, and sometimes people not getting it right three to five times of doing it (thus locking out their accounts), and then forgetting the password they reset it to just days later!!! Granted, this should be a walk in the park for most of us. But what you are forgetting here (and most of our management did as well) is how many users there are out there that have trouble just managing the CTRL-ALT-DEL key combination!! I am not kidding either guys, it was a major oversight and assumption on managment's part.. You can't assume anything when it comes to most end-users. When it comes to any solution to problems such as security breaches, or any other problems for that matter, the user community is not my first go to solution.:-D
"Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ...:-D"
Viewing 7 posts - 1 through 6 (of 6 total)
You must be logged in to reply to this topic. Login to reply