Last year a well-known web host sent a message to its clients about a security breach of one of its employee accounts. They followed that with this thread in their forum.
"This morning, we sent a notification to a group of our customers possibly affected by a compromised employee account’s access to our internal customer management portal. We will be sending an additional communication to all customers with information about the apparent security breach, but in the meantime we would like to answer any additional questions about the communication in this thread.
Please understand that we will not provide specific information about the security breach due to the sensitive nature of the investigation, but we will do our best to provide as much detail as possible. As we assured in the note, based upon our security review of access logs, we do not believe any credit card information was compromised.
We strongly suggest you implement a security best-practices approach by immediately taking four steps to mitigate risk:
1. Change your xxxxx log-in passwords immediately and do so again every 60 days.
2. Change your server passwords and do so again every 60 days.
3. Be alert to any suspicious activity on your account.
4. If you suspect any unusual activity, please retain your access logs along with any other information and contact us as soon as possible."
This should raise some questions.
What security measures do hosts normally have in place (regarding their employees) to protect their clients? Are employees allowed to bring in USB thumb drives (some are cleverly marketed to look like wristbands or pens)? What about PDAs? Could they copy data onto these devices and simply walk out the door with gigabytes of files? Could those files be published on the Internet, or used for blackmail?
They mentioned implementing a security best-practices approach. Regardless of your level of comfort with your current host, these four suggestions need to be implemented to minimize your risk. I can’t emphasize this enough - your data is your business. Lose your data and you risk losing your business!
What about inside your own business?
The same applies to in-house servers and workstations. Most security breaches are by disgruntled employees. It’s amazing how many companies give administrative privileges to low-level supervisors. An entire database can be copied to a thumb drive in minutes and carried offsite.
What about security or IT audits?
Financial institutions have very strict guidelines with respect to security, but what about the thousands of small-to-medium-sized firms that make up the majority of businesses - your local printer, clothing retailer, auto repair shop, electrical contractor, car dealership? How at risk is their data - and your data as their customer? It’s astonishing how many firms broadcast unsecured Wi-Fi networks. What’s more alarming is how easy it is to intercept traffic on and infiltrate those networks. How many times have we been alerted to intrusions and data theft at well-known retailers, just in the past year?
Would an IT audit be worthwhile? Volumes of information have been written about IT audits and IT security. Do you trust your IT department to have fully provisioned and managed security? Most owners have no idea how vulnerable their companies are without a third-party audit.
My recommendation
Dot your i’s and cross your t’s with disaster recovery and business continuity plans. If you receive a notice like the one our web host colleagues sent, follow their advice. Do it as a matter of habit. Being habitually secure is far better than being victimized with no recourse.