Weekly Industry Round-up, Week of 5/17
Posted by hyperguard on May 21, 2010
Rejecting Injections, to Protect Customer Records
Last month, the Financial Industry Regulatory Authority announced that it was fining Montana-based broker-dealer D.A. Davidson $375,000 for failing to protect customer information. This shows that protecting servers and educating employees about server design are the best first lines of defense. Davidson did not employ technical safeguards to protect customer records stored in a database housed on a Web server with a constant open Internet connection. In addition to employing code security and a scanner, organizations need a Web application firewall that looks at traffic to and from the server to check for SQL attacks and other vulnerabilities.
IT Knowledge Exchange…
SQL Injection Attack Used in Breach of 168,000 Netherlands Travelers
An attacker has discovered a serious flaw in a website set up to encourage the use of smart cards for public transportation in the Netherlands, resulting in the leakage of personal information of more than 168,000 travelers. Information about the flaw was exposed by an anonymous hacker who gave the magazine a video demonstrating the error using a SQL injection attack. The hacker told the magazine that he made the flaw publicly available because there is no excuse for simple website mistakes.
Andy IT Guy…
Why Compliance is Chosen over Security
In this post, Andy discusses an article by Kevin Beaver about how the business continues to choose compliance over true security even though the security people know that it’s a bad idea. Andy says those who do understand still are not doing a good job translating the danger into a language that the business understands. He says the cost/benefit trade-off is not enough for management to buy—they would rather accept the risk, take the chance and deal with the consequences. Also, there is no guarantee that Security X will prevent a breach, but you can be sure that it will quite possibly break something and/or cause lots of user issues.