SANS Top 20 has competition!
SANS has just released their annual Top 20. I won’t bother linking to it — Google knows where to find it, and if you’re reading this blog, you probably do too.
Anyway, it seems like the SANS people have a bit of competition.
Check out this list:
- Failing to assess adequately the vulnerability of its network to commonly known or reasonably foreseeable Web-based attacks, such as structured query language injection attacks;
- Failing to implement simple, low-cost, and readily available defenses to such attacks;
- Storing in clear, readable text network administrator credentials, such as user name and password, that facilitated access to credit card information stored on the network;
- Failing to use readily available security measures to monitor and limit access from the corporate network to the Internet; and
- Failing to employ measures to detect unauthorized access to consumers’ credit card information.
Ooops! My bad.
This isn’t a list of the top five security bonehead moves. This is a list of the things the Federal Trade Commission says Guidance Software did, resulting in the loss of thousands of customers’ credit card information, in violation of federal law.
Guidance, of course, are the makers of EnCase, the market-leading computer forensics tool. The company admits no wrongdoing, and has entered into a consent decree with the FTC.