Re: [Dataloss] Firms play Data Protection roulette

From: Peter Wood (peterwfirstbase.co.uk)
Date: Mon Jul 10 2006 - 01:16:13 CDT


We discussed recently the matter of real data in a test environment
with a client. Frequently, when conducting an internal penetration
test, we find copies of real data on development machines unprotected
by passwords or encryption. Rather than try to insist that developers
protect this real data properly, which is never going to happen, we
suggested the following: (1) replace all name fields with alpha
garbage (of the correct field lengths) so as to depersonalise the
data (2) randomly swap fields such as city, zip code, credit card
number etc. so that any given row of data is useless to a thief but
still valid per range checks etc.

Any views on this idea?

Pete

At 08:10 09/07/2006 -0700, George Toft wrote:
>I think we should make a distinction between live data and real data.
>
>Some companies make copies of their live data and put it in their
>development environment(s) for development and testing. It's not live
>data, but it is certainly real.
>
>There are many benefits to using a copy of live data, but in today's
>reality, I think the risk to the business is too great to endorse this
>activity. I think it also might violate the spirit of "separation of
>duty" that most companies implement to keep developers out of production
>systems.
>
>Regards,
>
>George Toft, CISSP, MSIS
>My IT Department
>www.myITaz.com
>480-544-1067

--------------------------------------------------------------------
Peter Wood FBCS CITP MIEEE MIMIS CISSP
Chief of Operations
First Base Technologies
Office: +44 (0)1273 454525
Mobile: +44 (0)7774 239915
www.fbtechies.co.uk
www.white-hats.co.uk

_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/errata/dataloss/
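The two-step depersonalisation Peter proposes, garbling name fields in place and then shuffling selected columns across rows so each row is a mismatch but every field still passes format checks, as an added illustration for this thread and not code from any of its posters. The sample rows are constructed (fictitious names and well-known card test numbers); the field names, the choice of a Luhn check as the "range check", and the use of a derangement (no value lands back in its own row) are assumptions made for the example.

```python
import random
import string
from typing import Dict, List, Sequence

# Constructed sample table: fictitious people and public card test numbers,
# not data from any real system.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"name": "Alice Example",  "city": "Brighton", "postcode": "BN1 1AA",  "card": "4111111111111111"},
    {"name": "Bob Sample",     "city": "Leeds",    "postcode": "LS1 1AB",  "card": "5500000000000004"},
    {"name": "Carol Testcase", "city": "Glasgow",  "postcode": "G1 1AC",   "card": "340000000000009"},
    {"name": "Dan Dummy",      "city": "Cardiff",  "postcode": "CF10 1AD", "card": "6011000000000004"},
]


def garble_name(name: str, rng: random.Random) -> str:
    """Step 1: replace every letter with a different random letter of the same
    case, keeping spaces and punctuation, so field length and shape survive
    but the value no longer identifies anyone."""
    out = []
    for ch in name:
        if ch.isalpha():
            pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
            out.append(rng.choice(pool.replace(ch, "")))
        else:
            out.append(ch)
    return "".join(out)


def shuffle_columns(rows: List[Dict[str, str]], columns: Sequence[str],
                    rng: random.Random) -> List[Dict[str, str]]:
    """Step 2: permute each listed column independently across rows. Each
    value stays valid on its own, but no row keeps its original combination.
    (Assumption for this example: insist on a derangement, i.e. every value
    moves to a different row; for tables of two or more rows a few retries
    suffice.)"""
    result = [dict(r) for r in rows]
    for col in columns:
        values = [r[col] for r in rows]
        perm = list(range(len(values)))
        while True:
            rng.shuffle(perm)
            if len(values) < 2 or all(i != p for i, p in enumerate(perm)):
                break
        for r, p in zip(result, perm):
            r[col] = values[p]
    return result


def depersonalise(rows: List[Dict[str, str]],
                  name_fields: Sequence[str] = ("name",),
                  swap_fields: Sequence[str] = ("city", "postcode", "card"),
                  seed: int = None) -> List[Dict[str, str]]:
    """Apply both steps and return a new table; the input is left untouched."""
    rng = random.Random(seed)
    masked = [dict(r) for r in rows]
    for r in masked:
        for f in name_fields:
            r[f] = garble_name(r[f], rng)
    return shuffle_columns(masked, swap_fields, rng)


def luhn_ok(number: str) -> bool:
    """The kind of range/format check the masked data must still satisfy:
    a standard Luhn checksum over the digits of a card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def masking_holds(original: List[Dict[str, str]], masked: List[Dict[str, str]]) -> bool:
    """Invariants a reviewer would check on the output: names keep their
    length but change, every card moved rows and still passes Luhn, and the
    multiset of each shuffled column is unchanged."""
    if len(original) != len(masked):
        return False
    for o, m in zip(original, masked):
        if len(m["name"]) != len(o["name"]) or m["name"] == o["name"]:
            return False
        if m["card"] == o["card"] or not luhn_ok(m["card"]):
            return False
    for col in ("city", "postcode", "card"):
        if sorted(r[col] for r in original) != sorted(r[col] for r in masked):
            return False
    return True


if __name__ == "__main__":
    for before, after in zip(SAMPLE_ROWS, depersonalise(SAMPLE_ROWS, seed=1)):
        print(before, "->", after)
```

Because step 2 only moves values between rows, the shuffled columns still contain the real values, just decorrelated from each other and from the (garbled) name; `masking_holds` checks exactly that property, and it is also the reason card numbers in particular remain sensitive on their own even after masking.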