Secure Your 2012!
January 31st, 2012
Happy New Year!
2012 will most likely bring lots of exciting new discoveries, but unfortunately it is likely to unveil new security threats as well. As a result, we are bringing back the StillSecure Monthly Security Newsletter: The StillSecure Partner Alliance.
The new and improved newsletter will feature significant industry developments along with the latest in security news each month.
In this issue Jack Callaghan, our Senior Security Researcher, writes about the massive breaches that occurred in both the US and China and how to learn from these events to reduce your own risk. Daniel Cabarcos, one of our StillSecure SOC Analysts, also explains why "change your password" belongs on your list of New Year's resolutions. We end this month's issue by showcasing the work our StillSecure SOCs team did in 2011.
Thank you for being with us in 2011; we hope 2012 is a prosperous and secure year.
Security Topic of the Month
…To breach or not to breach; that is NOT the question
BY JACK CALLAGHAN, SENIOR SECURITY RESEARCHER
As 2011 ended, Stratfor (U.S.), CSDN and TIANYA (China) all suffered serious breaches of customer information and intellectual property. Much of the compromised data sat on network-accessible systems and was stored in clear text or in easily decrypted formats.
TIANYA, a social networking service, set a record with 40 million user accounts compromised in a single breach. Unfortunately this trend of large-scale breaches continues: Zappos, the online retailer, opened 2012 by announcing the loss of an estimated 24 million customer records. The company immediately began mitigation with the following measures:
- Mass notification mailings to customers
- Mass notification mailings to employees
- An all-hands-on-deck effort to field and respond to customer service inquiries
Such a breach affects not only the customers who entrust their data to the vendor; it can also critically disrupt business operations. Zappos had to shut down all phone services and commit considerable resources to remediation.
Take-aways:
- Proper protection of information reduces the risk of exposure.
- Network-accessible content demands encryption at rest.
- Information should be gathered and defended on a need-to-know basis and according to its requirements for security.
- Privacy data is best kept on database servers that are not directly reachable from the network, behind applications written to secure-coding standards (e.g. OWASP).
- Credit card data should be kept secure, and only as directed by regulatory compliance standards (e.g. PCI DSS 2.0).
- Do not store non-essential data on network-accessible systems.
- Avoid collecting unnecessary data in business transactions; there is then less to protect.
- Storing a portion of an SSN alongside common personal information can expose the whole SSN. Laws and regulations exist to prohibit this.
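The data in the breaches above was stored in clear text or in easily decrypted formats, and the take-aways call for encryption at rest. For the credential portion of such data the right tool is not reversible encryption at all but a salted, deliberately slow one-way verifier, because the site never needs the password back. The following is an added example (not StillSecure's code, nor any breached site's) of a user table built that way using only the Python standard library; the `pbkdf2_sha256` record format, the 100,000-iteration work factor and the sample sign-ups are assumptions of this illustration. Personal data that must be read back, such as names and addresses, still needs encryption at rest with the keys held off the web-facing tier.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Illustration added here, not StillSecure's or any breached site's code.
# Passwords are stored as salted PBKDF2-HMAC-SHA256 verifiers; the clear text
# is never written to the database, so a dump of the table does not hand an
# attacker working credentials the way a clear-text or reversibly encrypted
# store does.

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000   # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16        # per-user random salt, so equal passwords give different verifiers


def make_verifier(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex', the only thing stored."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join((ALGORITHM, str(iterations), salt.hex(), digest.hex()))


def verify_password(password: str, stored: str) -> bool:
    """Recompute the verifier with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False          # malformed or foreign record: never a match
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), hash_hex)


def build_user_table(credentials: Dict[str, str]) -> Dict[str, str]:
    """Map username -> verifier for a constructed set of sign-ups.

    The input dict stands in for registration requests; nothing from its
    password column survives into the returned table.
    """
    return {user: make_verifier(password) for user, password in credentials.items()}


if __name__ == "__main__":
    # Constructed sample sign-ups, two of which chose the same password.
    table = build_user_table({
        "alice": "correct horse battery staple",
        "bob": "correct horse battery staple",
        "carol": "Tr0ub4dor&3",
    })
    for user, verifier in table.items():
        print(user, verifier)
    print(table["alice"] != table["bob"])                                   # True: salts differ
    print(verify_password("correct horse battery staple", table["alice"]))  # True
    print(verify_password("Tr0ub4dor&3", table["alice"]))                   # False
```

A leaked copy of this table gives an attacker only salts and hashes; each password must be guessed separately at the full PBKDF2 cost, which is the difference between the clear-text dumps described above and a breach that buys time to force resets.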
| Item: | Large scale site hacking |
|---|---|
| Classification: | Data theft (user accounts, intellectual property) |
| Distribution: | Targeted attacks by organized groups |
| Threat: | Identity theft, financial fraud |
| Implication: | Financial loss, personal info exposure, business reputation impact |
The Security Samurai
Have a Better 2012 by Having a Better Password
Based on the blog post "New Year, New Password" written by StillSecure SOC Analyst Daniel Cabarcos.
With the recent breach at Zappos in mind, reevaluating your password might be a good idea for the New Year. Below is a summary of tips to review when creating a good password.
When choosing a password...
Don't choose:
- A known word (even with a number behind it)
- A name with a date
- A password from last month with a 1 added at the end (and then the next month a 2 then 3 etc ...)
- And definitely not "PASSWORD" (yes, we had to say it)
Do choose:
- At least 8 characters (longer is better), mixing lowercase, uppercase, numbers and symbols
- Something unique for each site; this protects you when your password is compromised at a vulnerable site, e.g. Zappos.
We recommend using a program or a phone app to store your passwords, not a sticky note on your desk, monitor or anywhere else in line of sight. There are many apps that provide this service; find one that fits your workflow best.
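The "Don't choose" and "Do choose" tips above can be enforced rather than only recommended. The following added example (an illustration written for this page, not code from Daniel Cabarcos's post or from StillSecure) turns each tip into a check that a sign-up form or a password manager could run; `KNOWN_WORDS` is a six-word stand-in for a real dictionary, and the sample vault of site passwords is constructed.

```python
import re
import string
from typing import Dict, List, Optional, Set

# Added illustration, not code from the original post or from StillSecure: the
# "Don't choose" and "Do choose" lists turned into checks a site's sign-up form
# or a password manager could run before accepting a password.
# KNOWN_WORDS is a stand-in for a real dictionary (assumed: a deployment would
# load a large word list plus previously breached passwords).

KNOWN_WORDS: Set[str] = {"password", "welcome", "dragon", "monkey", "summer", "zappos"}
MIN_LENGTH = 8
CLASSES = {
    "lowercase": str.islower,
    "uppercase": str.isupper,
    "digits": str.isdigit,
    "symbols": lambda c: c in string.punctuation,
}


def split_digit_suffix(password: str):
    """'Winter2012x3' -> ('Winter2012x', '3'); the trailing-digit run may be empty."""
    stem, digits = re.fullmatch(r"(.*?)(\d*)", password).groups()
    return stem, digits


def check_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return the list of tips the candidate breaks; an empty list means it passes."""
    problems: List[str] = []
    stem, digits = split_digit_suffix(candidate)

    # "And definitely not PASSWORD" (with or without a number behind it)
    if stem.lower() == "password":
        problems.append("is the word 'password'")
    # "A known word (even with a number behind it)"
    elif stem.lower() in KNOWN_WORDS:
        problems.append("is a dictionary word" + (" with digits appended" if digits else ""))

    # "A name with a date": letters followed by a four-digit year or a six-digit date
    if re.fullmatch(r"[A-Za-z]+(?:(?:19|20)\d{2}|\d{6})", candidate):
        problems.append("looks like a name followed by a date")

    # "A password from last month with a 1 added at the end" (then 2, 3, ...)
    if previous is not None:
        prev_stem, _ = split_digit_suffix(previous)
        if candidate == previous:
            problems.append("is the previous password reused")
        elif stem == prev_stem:
            problems.append("is the previous password with only the trailing number changed")

    # "At least 8 characters with lowercase, uppercase, numbers and symbols"
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    missing = [name for name, test in CLASSES.items() if not any(test(c) for c in candidate)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    return problems


def reused_sites(candidate: str, vault: Dict[str, str]) -> List[str]:
    """"Something unique for each site": names the sites already using this password."""
    return sorted(site for site, stored in vault.items() if stored == candidate)


if __name__ == "__main__":
    # Constructed sample vault of a user who reuses one password on two sites.
    vault = {"zappos.com": "Summer2011", "mail.example": "Summer2011", "bank.example": "x9!Qm#pL2v"}
    for pw, prev in [("PASSWORD", None), ("dragon1", None), ("Alice1985", None),
                     ("Summer2012", "Summer2011"), ("x9!Qm#pL2v", None)]:
        print(pw, check_password(pw, previous=prev) or "ok", reused_sites(pw, vault))
```

The previous-password check only works if the checker is given the old password at change time, which a site has and a password manager stores; the cross-site check only works where all passwords live in one vault, which is exactly why the recommendation above to use a password manager matters.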
Cheers to a more secure 2012!
StillSecure SOCs Stats for 2011
The StillSecure SOCs (Security Operations Centers) did an amazing job in 2011 protecting your network. Across the tens of millions of security events processed last year, our team's average response time was an impressive 40 seconds! In addition, despite their vigilant attention to our customers' networks, we were still able to answer 99.93% of all calls to the StillSecure SOCs in less than 10 seconds. They really do knock our SOCS off!
| StillSecure SOCs Phone Call Activity | Weekly | YTD |
|---|---|---|
| StillSecure SOCs calls answered by live analyst in ten seconds or less | 100.00% | 99.93% |