April 12, 2005

Ten Tips for Corporations to Protect Customer Information from Identity Theft

Cyberguard sent out an interesting press release today that provides "Ten Tips for Corporations to Protect Customer Information from Identity Theft".

The list is pretty self-explanatory:

  1. Unless there is a specific reason that personal information is being stored, get rid of it. If information needs to be there, set a timetable for its length of stay and when it can be disposed of.
  2. Make sure that the server holding personal information is isolated to its own network with limited access. The network should be secured/protected by a strong firewall that protects from attacks at the network, protocol and most importantly the application layer.
  3. The server that contains the personal information should NOT allow direct connectivity to any user on the public Internet.
  4. The isolation of the database server should provide protection not only from the Internet but from other Internet facing servers as well as the internal network.
  5. Under no circumstance should the database server be permitted to initiate connections to the Internet.
  6. The controls afforded by the application layer defenses must include the ability to control not only what the database can query, but the explicit commands that can be run, as well as the number of responses per query.
  7. Both the security mechanisms and the database server should be operated on kernel hardened operating systems to mitigate the risk of operating system bugs or vulnerabilities.
  8. Strict controls of who can access the server should be in place, be enforced, and reviewed to validate the need for access rights.
  9. A multi-defense is your best defense; take full advantage of both security mechanisms available within the database application and strong encryption as well as security mechanisms of the application level firewall.
  10. All communication of personal data sent to/from the database across public and private networks should be permitted over encrypted channels (HTTPS / SSL SSH).
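
Tips 2 through 5 and 8 describe a host that accepts database connections from a short list of application servers, is reachable by nobody else (not the Internet, not the other Internet-facing servers, not the general internal network), and never opens a connection outward. The ruleset below is an added example of what that policy looks like when written down for nftables; it is not from the Cyberguard release or from this post. The table name, the interface names, the application-server set, the management host, the log collector and every address and port in it are constructed placeholders.

```nftables
# Host firewall for the database server (added example, not from the press release).
# All addresses, ports and names below are constructed placeholders.
flush ruleset

table inet dbhost {
    set app_servers {
        type ipv4_addr
        # constructed: the only hosts allowed to open the database port (tips 2 and 4)
        elements = { 10.0.1.10, 10.0.1.11 }
    }

    chain input {
        # default deny: the Internet, other servers and the internal network get nothing (tips 3 and 4)
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # application servers may open the database port; nothing else may
        ip saddr @app_servers tcp dport 5432 ct state new accept

        # administration only from one management host (tip 8)
        ip saddr 10.0.9.5 tcp dport 22 ct state new accept

        # everything else is logged (rate limited) and then falls through to the drop policy
        limit rate 10/minute log prefix "dbhost-input-drop: "
    }

    chain forward {
        # the server never routes traffic for anyone
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # the server never initiates connections, to the Internet or anywhere else (tip 5)
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        ct state established,related accept

        # the one outbound session it may start: TLS syslog to the internal log collector
        ip daddr 10.0.9.20 tcp dport 6514 ct state new accept

        # any other outbound attempt from a database server is a strong compromise indicator
        limit rate 10/minute log prefix "dbhost-output-drop: "
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`. Two things the ruleset deliberately does not try to do: it cannot make the application-to-database session encrypted (tip 10 has to be enforced by the database itself, for example by refusing non-TLS client connections), and it says nothing about which queries an application server may run once connected (tip 6 belongs to the database's own privilege model and to an application-layer proxy, not to a packet filter). The two `log` lines are the detection payoff: a database host that is never supposed to start a connection makes every outbound drop worth an alert.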

Posted by SilverStr at April 12, 2005 10:14 AM
Comments

Interesting press release. One has to wonder about it...most of the recommendations are common sense, and things that should have been implemented a long time ago.

3. The server that contains the personal information should NOT allow direct connectivity to any user on the public Internet.

You know, my first thought was, "duh"...but then, I have to remember all of the incidents that occur because this simple edict isn't followed.

10. All communication of personal data sent to/from the database across public and private networks should be permitted over encrypted channels (HTTPS / SSL SSH).

Permitted? How about "required"?

The most important points about security weren't made...you have to have management that requires, supports, and endorses security policies, and you have to hire people capable of doing the things required to put the technical security measures in place, and to monitor them. Without those two, the 10 items listed by Cyberguard are pointless.

Finally, I'm not sure any of these would have prevented the ChoicePoint incident...

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted by: H. Carvey at April 13, 2005 05:48 AM