Thursday, October 15, 2009

Don’t say a Word

……………………………………………………oh, you’re waiting for me?  This will probably be a short post since there are not that many security terms that begin with the 17th letter of our alphabet.  However, keeping Quiet is a common theme in security.  As mentioned numerous times, locking passwords, logins, and other sensitive information in your mouth vault keeps them from leaking to others.  Social Engineering has always been about compromising that vault.  Recently there was a post by Roger Thompson, AVG’s Chief Research Officer, which actually suggested to Write Down your passwords, especially complex, hard-to-remember passwords.  While this practice has been frowned upon for many years – as in the ever popular Post-its stuck to laptops – there is some sense in creating (and writing down) difficult passwords that are extremely hard to guess.  Just put that paper in a safe location.  Our own Alan Murphy offered some advice about passwords just a few months ago.

Keeping Quiet is also what most companies do when they discover a breach, at least initially.  A survey from the 2008 RSA conference showed that 89% of security incidents go unreported.  More often it’s the insider breaches that stay under the covers.  Some of that could be due to the breaches simply going undetected, but many companies don’t want the public exposure of a breach.  Laws have changed some of that, and huge breaches, like the Heartland incident, must be reported so people can protect themselves.  Even the Heartland incident wasn’t detected for a couple of months, and when it was, it didn’t get reported for yet another month.  Granted, sometimes law enforcement does ask victims not to say anything so evidence can be gathered and so as not to tip off the crooks.  In any event, keeping quiet about a breach happens more often than you think, and it’s often due to the fear of a damaged reputation.  Of course there is an opposing view to the damage factor by Larry Walsh, where he talks about the multitude of brands who have suffered major breaches and how consumers have either forgotten or forgiven.

While silence can be golden and rests are written into music for effect, when it comes to Data Breaches not saying a word can put your business in jeopardy and in the cross-hairs of the law.
ps
