BreachExchange mailing list archives

Re: Firms play Data Protection roulette


From: Peter Wood <peterw () firstbase co uk>
Date: Mon, 10 Jul 2006 07:16:13 +0100

We discussed recently the matter of real data in a test environment 
with a client. Frequently, when conducting an internal penetration 
test, we find copies of real data on development machines unprotected 
by passwords or encryption. Rather than try to insist that developers 
protect this real data properly, which is never going to happen, we 
suggested the following: (1) replace all name fields with alpha 
garbage (of the correct field lengths) so as to depersonalise the 
data (2) randomly swap fields such as city, zip code, credit card 
number etc. so that any given row of data is useless to a thief but 
still valid per range checks etc.

Any views on this idea?

Pete

At 08:10 09/07/2006 -0700, George Toft wrote:
I think we should make a distinction between live data and real data.

Some companies make copies of their live data and put it in their
development environment(s) for development and testing.  It's not live
data, but it is certainly real.

There are many benefits to using a copy of live data, but in today's
reality, I think the risk to the business is too great to endorse this
activity.  I think it also might violate the spirit of "separation of
duty" that most companies implement to keep developers out of production
systems.

Regards,

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067


--------------------------------------------------------------------
Peter Wood FBCS CITP MIEEE MIMIS CISSP
Chief of Operations
First Base Technologies
Office: +44 (0)1273 454525
Mobile: +44 (0)7774 239915
www.fbtechies.co.uk
www.white-hats.co.uk

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/errata/dataloss/
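
A worked version of the two steps Pete proposes, added here as an example and not part of the original post: step (1) overwrites each name field with random letters of the same length and case pattern, and step (2) swaps the values of sensitive columns between rows with a derangement (no row keeps its own value), so each column still holds exactly the values it did and passes range, format and Luhn checks, while no row is a real record. Everything below is my own construction: the sample rows are fictional, the card numbers are the widely published payment-network test numbers, and the grouping that moves city and zip code together (so the pair stays consistent) is my assumption; the post lists the fields individually. One caveat for anyone adopting the swap approach: the table still contains every real card number, just paired with the wrong name, so the check function below confirms only that rows are decorrelated and still format-valid, not that the column itself has stopped being sensitive.

```python
"""Depersonalise a copy of production data for a development environment
(added example: random alpha over names, then per-column row swaps)."""
import random
import string
from typing import Dict, List, Sequence

Row = Dict[str, str]

# Constructed sample data. The card numbers are the published network test
# numbers, not real accounts; names and postcodes are invented.
SAMPLE_ROWS: List[Row] = [
    {"id": "1", "first_name": "Alice", "last_name": "Hartley", "city": "Brighton", "zip": "BN1 1AA", "card": "4111111111111111"},
    {"id": "2", "first_name": "Bob", "last_name": "O'Neill", "city": "Leeds", "zip": "LS1 4AP", "card": "5555555555554444"},
    {"id": "3", "first_name": "Chloe", "last_name": "Mbeki-Jones", "city": "Bristol", "zip": "BS1 5TR", "card": "378282246310005"},
    {"id": "4", "first_name": "Dev", "last_name": "Patel", "city": "Glasgow", "zip": "G1 1XQ", "card": "6011111111111117"},
    {"id": "5", "first_name": "Eve", "last_name": "Larsson", "city": "Cardiff", "zip": "CF10 1AA", "card": "4012888888881881"},
]

NAME_COLUMNS = ("first_name", "last_name")
# Columns inside one group move together, so city and zip stay a valid pair
# (hypothetical grouping; the post lists the fields individually).
SWAP_GROUPS: Sequence[Sequence[str]] = (("city", "zip"), ("card",))


def luhn_valid(number: str) -> bool:
    """Standard Luhn check-digit test, as used by card-number format validators."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scramble_name(value: str, rng: random.Random) -> str:
    """Step (1): replace every letter with a random letter of the same case.
    Length, spaces, hyphens and apostrophes are kept so the field still fits
    its column and passes length checks, but nothing identifying remains."""
    if not any(c.isalpha() for c in value):
        return value
    while True:
        out = "".join(
            rng.choice(string.ascii_uppercase if c.isupper() else string.ascii_lowercase)
            if c.isalpha() else c
            for c in value
        )
        if out != value:  # redraw on the (unlikely) exact collision
            return out


def derangement(n: int, rng: random.Random) -> List[int]:
    """Random permutation with no fixed point, so no row keeps its own value."""
    if n < 2:
        raise ValueError("need at least two rows to swap values between")
    while True:  # expected about e attempts before a derangement turns up
        perm = list(range(n))
        rng.shuffle(perm)
        if all(i != p for i, p in enumerate(perm)):
            return perm


def depersonalise(rows: Sequence[Row], name_columns: Sequence[str],
                  swap_groups: Sequence[Sequence[str]], seed: int) -> List[Row]:
    """Return masked copies of rows; the input list is left untouched."""
    rng = random.Random(seed)
    masked = [dict(r) for r in rows]
    for row in masked:
        for col in name_columns:
            row[col] = scramble_name(row[col], rng)
    # Step (2): an independent derangement per group, so a card number no
    # longer lines up with the city/zip it was originally stored against.
    for group in swap_groups:
        perm = derangement(len(masked), rng)
        for target, source in enumerate(perm):
            for col in group:
                masked[target][col] = rows[source][col]
    return masked


def check_masking(original: Sequence[Row], masked: Sequence[Row],
                  swap_groups: Sequence[Sequence[str]], card_column: str = "card") -> bool:
    """Checks to run before handing the copy to developers."""
    for group in swap_groups:
        for col in group:
            # Each column keeps exactly its original multiset of values...
            if sorted(r[col] for r in original) != sorted(r[col] for r in masked):
                return False
        # ...but no row keeps the values it originally had for this group.
        if any(all(o[c] == m[c] for c in group) for o, m in zip(original, masked)):
            return False
    # Format validity survives the swap.
    return all(luhn_valid(r[card_column]) for r in masked)


if __name__ == "__main__":
    masked_rows = depersonalise(SAMPLE_ROWS, NAME_COLUMNS, SWAP_GROUPS, seed=7)
    for row in masked_rows:
        print(row)
    print("checks pass:", check_masking(SAMPLE_ROWS, masked_rows, SWAP_GROUPS))
```

Run as a script it prints the masked rows and the result of the checks. The seed makes a given run reproducible for review; in practice it should not be stored alongside the masked copy, since anyone holding both the seed and the masked table could re-derive the original row order for the swapped columns.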

