Lessons From the Most Interesting Breaches of The Year

Friday, December 03, 2010



Security Week's Noa Bar-Yosef has published her take of the most interesting data breaches of 2010.

While she points out the fact that there were no mega-breeches on the scale of Heartland Payment Systems, the largest breach of credit card data on record, she does find lessons to be learned from a few choice data loss events that occurred this year.

A synopsis of her findings:

Interesting Breach #1: Federal Aviation Administration (FAA) lessons:

Enforce data is accessed only by authorized parties - At a minimum, they should block access from former staff, or from other employees attempting to access the data beyond their need-to-know level.

Block access from any illegitimate application – Security controls should be able block an unauthorized process (the malicious code).

Interesting Breach #2: SQL Injection 2.0 lessons:

Block abnormal requests – for example, the injection of a malicious script.

Virtual Patching – this capability patches a known vulnerability externally by disallowing users to exploit the certain vulnerability.

Incorporates reputation controls – blocks or alerts requests originating from suspected malicious sources, or containing similar attack vector patterns.

Interesting Breach #3: Network Solutions Widget lessons:

Provide secure applications – companies should make sure that the applications they are creating and disseminating are secure. This includes a vulnerability mitigation process.

Continuously be on alert - companies should take heed that if they suffered from a single attack, it does not make the organization immune to a second attack. In fact, if we look again at the Ponemon Research Institute 2009 survey, they showed how 82% of their respondents suffered from more than one data breach which involved the loss of over 1000 sensitive records.

Complete descriptions of the breach events and additional details can be found in Noa's full article linked below.

Source: http://www.securityweek.com/lessons-most-interesting-data-breaches-2010

Possibly Related Articles:
SQl Injection Data Loss breaches Application Security Headlines FAA
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.