Sister CISA CISSP

Feb 29 2008   3:37PM GMT

It Makes Me Tear My Hair Out #1

Arian Eigen Heald

Visa, in conjunction with the US Chamber of Commerce, has published an alert that identifies the leading causes of data breaches. Full details can be found at the Chamber’s website. The five leading causes of card-related breaches are:

1) Storage of mag stripe data
2) Missing or outdated security patches
3) Use of vendor supplied default settings and passwords
4) SQL injection
5) Unnecessary and vulnerable services on servers

Why tear my hair out? Numbers 2, 3, and 5 shouldn’t be on this list at all. How many warnings, regulations and requirements have we had about patching, changing default settings and shutting off unnecessary services? And business wonders why it needs regulatory requirements. It needs them because these bad practices happen routinely, and because too many business owners don’t want to spend the money to secure their systems.

Just four months ago I did an audit of two online MSSQL databases, only to discover their administrative SA IDs had been left in the default configuration of “no password.” Why do we keep dropping the ball? Crooks are dumb, but they’re not that dumb.

Last year I interviewed the VP of development for an online marketing software product used by a clothing retailer. When I asked him what steps he was taking to address SQL injection, he replied, “What’s SQL injection?”
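For anyone who, like that VP, has never seen what SQL injection actually looks like, here is a short added example of my own (it is not from the original post or from the Visa/Chamber alert). It uses Python’s built-in sqlite3 module and a constructed in-memory “customers” table so it runs anywhere offline; the table, the rows and the two attack strings are my assumptions, not anything from a real retailer. The same principle applies to the MSSQL databases above: a query built by gluing user input into a string lets the input become part of the SQL grammar, while a parameterized query sends the value separately and it can never become SQL.

```python
import sqlite3

# Constructed sample data (assumption: a small customers table like an online
# marketing app might have). Nothing here comes from the original post.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]

# Two classic hostile inputs (constructed for this demo).
# The first turns the WHERE clause into a tautology and returns every row.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
# The second appends a UNION so the attacker pulls data of their own choosing;
# the trailing "--" comments out the closing quote the application adds.
PAYLOAD_UNION = "' UNION SELECT 0, sqlite_version(), 'n/a' --"


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The mistake: the user-supplied value is concatenated into the SQL text,
    so quotes and keywords in it are parsed as SQL, not as data."""
    sql = (
        "SELECT id, username, email FROM customers WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: a placeholder in the SQL text and the value passed separately.
    The driver binds it as a string literal; it is never parsed as SQL."""
    sql = "SELECT id, username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run an honest input and both hostile inputs through each lookup and
    return the row counts, so the difference is visible in numbers."""
    conn = make_db()
    try:
        return {
            "honest_vulnerable": len(lookup_vulnerable(conn, "alice")),
            "tautology_vulnerable": len(lookup_vulnerable(conn, PAYLOAD_TAUTOLOGY)),
            "union_vulnerable": len(lookup_vulnerable(conn, PAYLOAD_UNION)),
            "tautology_parameterized": len(lookup_parameterized(conn, PAYLOAD_TAUTOLOGY)),
            "union_parameterized": len(lookup_parameterized(conn, PAYLOAD_UNION)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The vulnerable lookup returns one row for “alice”, every row for the tautology payload, and a row the application never intended to expose (here just the SQLite version string) for the UNION payload. The parameterized lookup returns nothing for either payload, because it is looking for a customer whose username literally contains the quote marks and keywords. On SQL Server the equivalent fix is parameterized queries through the driver or sp_executesql with parameters, never string-built dynamic SQL.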

Well, I’ve used up my italics for the day. Sigh.

But the Chamber’s website has some really nice papers and templates for those looking to get started with security policies and procedures. Good for them!
