Shostack + Friends Blog Archive


SANS Top 20 has competition!

SANS has just released their annual Top 20. I won’t bother linking to it — Google knows where to find it, and if you’re reading this blog, you probably do too.
Anyway, it seems like the SANS people have a bit of competition.
Check out this list:

  1. Failing to assess adequately the vulnerability of its network to commonly known or reasonably foreseeable Web-based attacks, such as structured query language injection attacks;
  2. Failing to implement simple, low-cost, and readily available defenses to such attacks;
  3. Storing in clear, readable text network administrator credentials, such as user name and password, that facilitated access to credit card information stored on the network;
  4. Failing to use readily available security measures to monitor and limit access from the corporate network to the Internet; and
  5. Failing to employ measures to detect unauthorized access to consumers’ credit card information.

Ooops! My bad.
This isn’t a list of the top five security bonehead moves. This is a list of the things the Federal Trade Commission says Guidance Software did, resulting in the loss of thousands of customers’ credit card information, in violation of federal law.
Guidance, of course, are the makers of enCase, the market-leading computer forensics tool. The company admits no wrongdoing, and has entered a consent decree with the FTC.

2 comments on "SANS Top 20 has competition!"

  • Rex says:

    Considering the amazing number of security breaches in (mostly government) computer networks handleing our private information these days, it would be good to know the “top 5 bonehead” mistakes made. One I would consider (and touched upon in a recent article here) was made recently in Lubbock TX – having privacy information on a computer sytem that they had no need to have (SSN’s of prospective employees). This information should have been collected later, and even then didn’t need to be on an exposed computer.

Comments are closed.