BreachExchange mailing list archives
Re: Firms play Data Protection roulette
From: Peter Wood <peterw () firstbase co uk>
Date: Mon, 10 Jul 2006 07:16:13 +0100
We discussed recently the matter of real data in a test environment with a client. Frequently, when conducting an internal penetration test, we find copies of real data on development machines unprotected by passwords or encryption. Rather than try to insist that developers protect this real data properly, which is never going to happen, we suggested the following:

(1) replace all name fields with alpha garbage (of the correct field lengths) so as to depersonalise the data

(2) randomly swap fields such as city, zip code, credit card number etc. so that any given row of data is useless to a thief but still valid per range checks etc.

Any views on this idea?

Pete

At 08:10 09/07/2006 -0700, George Toft wrote:

> I think we should make a distinction between live data and real data. Some companies make copies of their live data and put it in their development environment(s) for development and testing. It's not live data, but it is certainly real. There are many benefits to using a copy of live data, but in today's reality, I think the risk to the business is too great to endorse this activity. I think it also might violate the spirit of "separation of duty" that most companies implement to keep developers out of production systems.
>
> Regards,
> George Toft, CISSP, MSIS
> My IT Department
> www.myITaz.com
> 480-544-1067

--------------------------------------------------------------------
Peter Wood FBCS CITP MIEEE MIMIS CISSP
Chief of Operations
First Base Technologies
Office: +44 (0)1273 454525
Mobile: +44 (0)7774 239915
www.fbtechies.co.uk
www.white-hats.co.uk

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/errata/dataloss/
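The two-step masking Peter proposes above (garble names at the same length, then shuffle the remaining sensitive columns so no row keeps its real combination), as an added example that is not part of the original post. The sample rows, field names and the Luhn check are constructed here to show that each swapped value still passes a format check on its own.

```python
import random
import string

# Constructed sample rows standing in for a copy of live customer data
# (made-up values, not real people; card numbers are public test numbers).
ROWS = [
    {"name": "Alice Johnson", "city": "Brighton", "zip": "BN1 1AA", "card": "4111111111111111"},
    {"name": "Bob Lee", "city": "Leeds", "zip": "LS1 4AP", "card": "5500000000000004"},
    {"name": "Carol Diaz", "city": "Glasgow", "zip": "G1 1AB", "card": "340000000000009"},
    {"name": "Dan Okafor", "city": "Cardiff", "zip": "CF10 1AA", "card": "6011000000000004"},
]

def garble_name(name, rng):
    """Step 1: replace each letter with a random letter of the same case,
    keeping length, spaces and punctuation so field-length checks still pass."""
    out = []
    for ch in name:
        if ch.isupper():
            out.append(rng.choice(string.ascii_uppercase))
        elif ch.islower():
            out.append(rng.choice(string.ascii_lowercase))
        else:
            out.append(ch)
    return "".join(out)

def luhn_ok(number):
    """Standard Luhn check: swapped card numbers are untouched, so they keep passing."""
    digits = [int(d) for d in number][::-1]
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d * 2 > 9 else d * 2)
                for i, d in enumerate(digits))
    return total % 10 == 0

def depersonalise(rows, swap_fields, rng):
    """Step 2: permute each swap field independently across rows, so every value
    remains a valid value of its type but no row keeps its original combination."""
    masked = [dict(r) for r in rows]
    for r in masked:
        r["name"] = garble_name(r["name"], rng)
    for field in swap_fields:
        values = [r[field] for r in masked]
        rng.shuffle(values)  # a plain shuffle may leave a value in place; see rows_intact
        for r, v in zip(masked, values):
            r[field] = v
    return masked

def rows_intact(original, masked, fields):
    """Count masked rows that still carry an original row's exact combination of
    the swapped fields (ideally zero); re-run with another seed if not."""
    originals = {tuple(r[f] for f in fields) for r in original}
    return sum(tuple(r[f] for f in fields) in originals for r in masked)
```

Because each column is shuffled on its own, a leaked test row pairs a real card number with someone else's city and zip and a nonsense name, while every individual field still satisfies the length, range and checksum validation the application applies.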