Security Week's Noa Bar-Yosef has published her take of the most interesting data breaches of 2010.
While she points out that there were no mega-breaches on the scale of Heartland Payment Systems, the largest breach of credit card data on record, she does find lessons to be learned from a few choice data loss events that occurred this year.
A synopsis of her findings:
Interesting Breach #1: Federal Aviation Administration (FAA) lessons:
• Enforce that data is accessed only by authorized parties – At a minimum, organizations should block access by former staff and by current employees attempting to reach data beyond their need-to-know level.
• Block access from any illegitimate application – Security controls should be able to block an unauthorized process (the malicious code).
Interesting Breach #2: SQL Injection 2.0 lessons:
• Block abnormal requests – for example, the injection of a malicious script.
• Virtual patching – this capability patches a known vulnerability externally, by preventing users from exploiting it before the underlying code is fixed.
• Incorporate reputation controls – block or alert on requests originating from suspected malicious sources, or containing patterns similar to known attack vectors.
Interesting Breach #3: Network Solutions Widget lessons:
• Provide secure applications – companies should make sure that the applications they create and distribute are secure. This includes a vulnerability mitigation process.
• Remain continuously on alert – companies should take heed that having suffered a single attack does not make the organization immune to a second one. In fact, looking again at the Ponemon Research Institute 2009 survey, 82% of respondents had suffered more than one data breach involving the loss of over 1000 sensitive records.
Complete descriptions of the breach events and additional details can be found in Noa's full article linked below.