BreachExchange mailing list archives
Re: rant: Abandon Ship! Data Loss Ahoy!
From: hobbit () avian org (*Hobbit*)
Date: Sat, 22 Mar 2008 19:19:26 +0000 (GMT)
Can I offer a little sideways perspective on this? I want to touch on *complacency*, i.e. the little ruts people get into which are largely driven by stupid defaults in application programs -- such as email clients. Take a thorough look through the enclosed, which is one of the recent messages in this thread in its full glory as it rolled in here, without hiding behind any of the formatting stuff that your mail-clients may be automatically applying to render it in some more palatable format. This, folks, is what's really going on underneath, and I'd like to draw your attention to several aspects that everyone should be thinking about: Blind top-posting -- do you think everyone's short-term memory is really that bad? What point[s] do you think you're responding to, since you didn't do the courtesy of pulling them out specifically? Multiple levels of useless re-quote Numerous repeats of the list trailer tag and "Tenable" ad Those annoying and completely ineffective "confidentiality" tags -- think about how even more useless they are in a block REQUOTE of a message, at which point you've totally lost control over where any of that data is going All the bloated microsoft-flavor dreck in the HTML part Does anyone really think any one READS all that re-quoted junk? Wouldn't it be better to just leave it off, make a policy of not including it, and save everyone a little bandwidth [and in my mind, credibility as to one's competence in dealing with email]? Is this festival of fluff what you want out there as your professional image? What if this exchange were an in-house discussion of some truly sensitive material, which at some point suffered a leak along the way? With a single message like the below escaping due to fat-fingering or malfeasance or whatever, now an intruder has the WHOLE context captured starting from zero, where if the people involved had instead sent only the amount of info needed to continue the discussion to those who already know what's being discussed, that would leave much remaining to guesswork. As you look through the trashpile below you may begin to see that it would give away fewer details about your own computing environment, too. It is easy to restore plenty of context in one or two sentences if you really think your audience has totally forgotten what was going on in the meantime. And far and away makes your added points more effective. Ideas similar to this should be part of solid working policy, too. So please give this some thought, and get into those configuration screens and uncheck those "quote entire message" and "send HTML format" checkboxes. Break out of the complacency box and think about what you're really doing. Help make the net a cleaner and quieter place, and protecting your own interests that much easier. You and your colleagues will someday thank me for pointing it out. _H* === forwarded mess follows === From: "Eric Nelson" <enelson () secureprivacysolutions com> To: "'Tracy Blackmore'" <tblackmore () tslad com>, "'James Ritchie, CISA, QSA'" <james_ritchie () sbcglobal net>, <dataloss () attrition org> Date: Thu, 20 Mar 2008 20:39:38 -0700 Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy! This is a multipart message in MIME format. --===============1734797476== Content-Type: multipart/alternative; boundary="----=_NextPart_000_0007_01C88ACA.892D3F90" Content-Language: en-us This is a multipart message in MIME format. ------=_NextPart_000_0007_01C88ACA.892D3F90 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit I absolutely agree - securing information is only a part of privacy laws and principles. A culture of security and privacy starts with an understanding of the company's culture, recognition of privacy and security as a risk, an understanding of applicable laws and regulations (GLBA, FACTA, FTC Fair Information Practices, etc.), and policy development that includes both privacy and security policies. Tracy's comments below, who, what, when, where, and why, should apply to both processes ("hands-on") and technology controls. Technology can support those policies, but it's ongoing training and awareness that will truly develop a culture of privacy. Management and employee performance reviews should include privacy and security awareness as a key metric, especially in a business process or role that has access to customers or customer data. Great discussion - Eric Nelson, CIPP President Secure Privacy Solutions www.SecurePrivacySolutions.com From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Tracy Blackmore Sent: Thursday, March 20, 2008 2:50 PM To: James Ritchie, CISA, QSA; dataloss () attrition org Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy! Something I haven't seen in this thread is... Many companies give either consultants or manufacturers loads of money to 'secure' them or 'verify' that they are secure. being a consultant myself I've seen this all too often. This (obviously) does little to actually secure anything! To properly secure something companies must create a culture of security - starting with solid policies that are more than pieces of paper that sit in a book until the auditor needs them. Only with these policies that define the who, what, when, where, why, and how can good controls be put into place that support those policies. Any old fool can purchase a firewall and put it on the network - but I could tell you stories of how many I've come across with the old Any/Any rule because of lack of proper policies. And then companies like Qualys... I think they offer a great service - but too many companies think that just because they use that service that they are secure. Qualys does NOTHING but offer information. How a company uses that information, if at all, is up to the company! Me personally? I'd take security out of the hands of the IT department! Give it to a non-IT CSO who is dedicated to developing that culture of security with the proper policies to back it up. With that, proper guidance can be passed on to the IT department to deploy the controls necessary to support them. Tracy Blackmore, CISSP Independent Consultant T.S. Lad, Inc. www.tslad.com _____ From: dataloss-bounces () attrition org on behalf of James Ritchie, CISA, QSA Sent: Thu 3/20/2008 1:44 PM To: dataloss () attrition org Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy! Being compliant does not mean being secure and being secure does not mean being compliant. What most people forget with all the compliance is that constant vigilance must be maintained. Does that mean daily, weekly, monthly, quarterly, or annually that you have to verify that the controls are working appropriately? What I think will be the outcome is if appropriate due diligence and due care can be shown as fact, the liability will be reduced or eliminated. They will compare the actions taken and of similar size companies to see if what they had done was appropriate. To make any company 100% secure, the cost of security would be so prohibited, the company would be bankrupt. There has to be a balance and reasonable effort shown. Adam Shostack wrote:
On Thu, Mar 20, 2008 at 10:13:08AM -0500, Allan Friedman wrote: | > On the public policy issue, I agree. If you want companies to
disclose
| > the exact circumstances around a breach (exact technical details),
there
| > will have to be a shield that prevents plaintiffs attorney's from
using
| > the information in lawsuits. | | You highlight an interesting trade-off. It may be the case that more | disclosure would reduce incentives to prevent future breaches, | depending on how we understand the problem. | | A standard policy tool for enforcing maximum diligence is the threat | of lawsuits, massive ones that can wreck a corporation. If we follow | this liability argument (as advanced by Schneier and other scholars of | the economics of information security) then making concessions to | corporate defendants can impede the end goal of less data retention | and greater data protection. | | If we don't think we're ever going to get there, then more data about | breaches for the purposes of research is clearly the greater good. | This is a very interesting dynamic. I'll have to think about how to | model it... For this policy to be effective, costs must be aligned with a failure to take effective measures. Today, we lack the data to asses how effective various 'best practices' or standards are. Gene Kim and company have done work showing that a few part of COBIT are key, and others are not correlated with they outcomes they studied. (There's a CERIAS talk video you can find.) There's claims that Hannaford was PCI complaint. Shouldn't that have made them secure? So lawsuits today are random. With better data, we may be able to better attribute blame. Perhaps this shapes a temporary liability shield, with a goal of revisiting it later, or allowing case law to shape it for a while? Adam _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml
-- James Ritchie CISA, PCI-QSA, ASV, MCSE, MCP+I, M-CIW-D, CIW-CI, Inet+, Network+, A+ Linkedin http://www.linkedin.com/pub/1/b89/433 Attachments with this email, not explicitly referenced, should not be opened. Always scan your email and their associated attachments for viruses prior to opening. This message and any accompanying documents are confidential and may contain information covered under the Privacy Act, 5 USC 552(a), the Health Insurance Portability and Accountability Act (PL 104-191), or the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521 and its various implementing regulations and must be protected in accordance with those provisions. Unauthorized disclosure or failure to maintain the confidentiality of the information may result in civil or criminal sanctions. This e-mail is strictly confidential and intended solely for the addressee. Should you not be the intended addressee you have no right to any information contained in this e-mail. If you received this message by mistake you are kindly requested to inform us of this and to destroy the message. _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml ------=_NextPart_000_0007_01C88ACA.892D3F90 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable <html xmlns:v=3D"urn:schemas-microsoft-com:vml" = xmlns:o=3D"urn:schemas-microsoft-com:office:office" = xmlns:w=3D"urn:schemas-microsoft-com:office:word" = xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" = xmlns=3D"http://www.w3.org/TR/REC-html40"> <head> <meta http-equiv=3DContent-Type content=3D"text/html; = charset=3Dus-ascii"> <meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)"> <!--[if !mso]> <style> v\:* {behavior:url(#default#VML);} o\:* {behavior:url(#default#VML);} w\:* {behavior:url(#default#VML);} .shape {behavior:url(#default#VML);} </style> <![endif]--> <title>Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!</title> <style> <!-- /* Font Definitions */ @font-face {font-family:"Cambria Math"; panose-1:2 4 5 3 5 4 6 3 2 4;} @font-face {font-family:Calibri; panose-1:2 15 5 2 2 2 4 3 2 4;} @font-face {font-family:Tahoma; panose-1:2 11 6 4 3 5 4 4 2 4;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {margin:0in; margin-bottom:.0001pt; font-size:12.0pt; font-family:"Times New Roman","serif";} a:link, span.MsoHyperlink {mso-style-priority:99; color:blue; text-decoration:underline;} a:visited, span.MsoHyperlinkFollowed {mso-style-priority:99; color:purple; text-decoration:underline;} p {mso-style-priority:99; mso-margin-top-alt:auto; margin-right:0in; mso-margin-bottom-alt:auto; margin-left:0in; font-size:12.0pt; font-family:"Times New Roman","serif";} span.EmailStyle18 {mso-style-type:personal-reply; font-family:"Calibri","sans-serif"; color:#1F497D;} .MsoChpDefault {mso-style-type:export-only; font-size:10.0pt;} @page Section1 {size:8.5in 11.0in; margin:1.0in 1.0in 1.0in 1.0in;} div.Section1 {page:Section1;} --> </style> <!--[if gte mso 9]><xml> <o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" /> </xml><![endif]--><!--[if gte mso 9]><xml> <o:shapelayout v:ext=3D"edit"> <o:idmap v:ext=3D"edit" data=3D"1" /> </o:shapelayout></xml><![endif]--> </head> <body lang=3DEN-US link=3Dblue vlink=3Dpurple> <div class=3DSection1> <p class=3DMsoNormal><span = style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif"; color:#1F497D'>I absolutely agree – securing information is only a = part of privacy laws and principles. A culture of security and privacy = starts with an understanding of the company’s culture, recognition of = privacy and security as a risk, an understanding of applicable laws and = regulations (GLBA, FACTA, FTC Fair Information Practices, etc.), and policy = development that includes both privacy and security policies. Tracy’s = comments below, who, what, when, where, and why, should apply to both processes = (“hands-on”) and technology controls.<o:p></o:p></span></p> <p class=3DMsoNormal><span = style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif"; color:#1F497D'><o:p> </o:p></span></p> <p class=3DMsoNormal><span = style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif"; color:#1F497D'>Technology can support those policies, but it’s = ongoing training and awareness that will truly develop a culture of = privacy. Management and employee performance reviews should include privacy and security = awareness as a key metric, especially in a business process or role that has = access to customers or customer data.<o:p></o:p></span></p> <p class=3DMsoNormal><span = style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif"; color:#1F497D'><o:p> </o:p></span></p> <p class=3DMsoNormal><span = style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif"; color:#1F497D'>Great discussion – <o:p></o:p></span></p> <p class=3DMsoNormal><span = style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif"; color:#1F497D'><o:p> </o:p></span></p> <p class=3DMsoNormal><span = style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif"; color:#1F497D'>Eric Nelson, CIPP<o:p></o:p></span></p> <p class=3DMsoNormal><span = style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif"; color:#1F497D'>President<o:p></o:p></span></p> <p class=3DMsoNormal><span = style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif"; color:#1F497D'>Secure Privacy Solutions<o:p></o:p></span></p> <p class=3DMsoNormal><span = style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif"; color:#1F497D'><a = href=3D"http://www.SecurePrivacySolutions.com">www.SecurePrivacySolutions= .com</a><o:p></o:p></span></p> <p class=3DMsoNormal><span = style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif"; color:#1F497D'><o:p> </o:p></span></p> <p class=3DMsoNormal><span = style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif"; color:#1F497D'><o:p> </o:p></span></p> <div> <div style=3D'border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt = 0in 0in 0in'> <p class=3DMsoNormal><b><span = style=3D'font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span>= </b><span style=3D'font-size:10.0pt;font-family:"Tahoma","sans-serif"'> dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] = <b>On Behalf Of </b>Tracy Blackmore<br> <b>Sent:</b> Thursday, March 20, 2008 2:50 PM<br> <b>To:</b> James Ritchie, CISA, QSA; dataloss () attrition org<br> <b>Subject:</b> Re: [Dataloss] rant: Abandon Ship! Data Loss = Ahoy!<o:p></o:p></span></p> </div> </div> <p class=3DMsoNormal><o:p> </o:p></p> <div id=3DidOWAReplyText52770> <div> <p class=3DMsoNormal><span = style=3D'font-size:10.0pt;font-family:"Arial","sans-serif"; color:black'>Something I haven't seen in this thread = is...</span><o:p></o:p></p> </div> <div> <p class=3DMsoNormal> <o:p></o:p></p> </div> <div> <p class=3DMsoNormal><span = style=3D'font-size:10.0pt;font-family:"Arial","sans-serif"'>Many companies give either consultants or manufacturers loads of money to = 'secure' them or 'verify' that they are secure. being a consultant myself = I've seen this all too often. This (obviously) does little to actually = secure anything!</span><o:p></o:p></p> </div> <div> <p class=3DMsoNormal> <o:p></o:p></p> </div> <div> <p class=3DMsoNormal><span = style=3D'font-size:10.0pt;font-family:"Arial","sans-serif"'>To properly secure something companies must create a culture of security - starting with solid policies that are more than pieces of paper that sit = in a book until the auditor needs them.</span><o:p></o:p></p> </div> <div> <p class=3DMsoNormal> <o:p></o:p></p> </div> <div> <p class=3DMsoNormal><span = style=3D'font-size:10.0pt;font-family:"Arial","sans-serif"'>Only with these policies that define the who, what, when, where, why, and how = can good controls be put into place that support those = policies.</span><o:p></o:p></p> </div> <div> <p class=3DMsoNormal> <o:p></o:p></p> </div> <div> <p class=3DMsoNormal><span = style=3D'font-size:10.0pt;font-family:"Arial","sans-serif"'>Any old fool can purchase a firewall and put it on the network - but I could = tell you stories of how many I've come across with the old Any/Any rule = because of lack of proper policies.</span><o:p></o:p></p> </div> <div> <p class=3DMsoNormal> <o:p></o:p></p> </div> <div> <p class=3DMsoNormal><span = style=3D'font-size:10.0pt;font-family:"Arial","sans-serif"'>And then companies like Qualys... I think they offer a great service - but = too many companies think that just because they use that service that they are secure. Qualys does NOTHING but offer information. How a = company uses that information, if at all, is up to the = company!</span><o:p></o:p></p> </div> <div> <p class=3DMsoNormal> <o:p></o:p></p> </div> <div> <p class=3DMsoNormal><span = style=3D'font-size:10.0pt;font-family:"Arial","sans-serif"'>Me personally? I'd take security out of the hands of the IT = department! Give it to a non-IT CSO who is dedicated to developing that culture of = security with the proper policies to back it up. With that, proper guidance can = be passed on to the IT department to deploy the controls necessary to = support them.</span><o:p></o:p></p> </div> <div> <p class=3DMsoNormal> <o:p></o:p></p> </div> <div> <p class=3DMsoNormal><span = style=3D'font-size:10.0pt;font-family:"Arial","sans-serif"'>Tracy Blackmore, CISSP</span><o:p></o:p></p> </div> <div> <p class=3DMsoNormal><span = style=3D'font-size:10.0pt;font-family:"Arial","sans-serif"'>Independent Consultant</span><o:p></o:p></p> </div> <div> <p class=3DMsoNormal><span = style=3D'font-size:10.0pt;font-family:"Arial","sans-serif"'>T.S. Lad, Inc.</span><o:p></o:p></p> </div> <div> <p class=3DMsoNormal><span = style=3D'font-size:10.0pt;font-family:"Arial","sans-serif"'><a href=3D"http://www.tslad.com">www.tslad.com</a></span><o:p></o:p></p> </div> <div> <p class=3DMsoNormal> <o:p></o:p></p> </div> <div> <p class=3DMsoNormal> <o:p></o:p></p> </div> </div> <div> <p class=3DMsoNormal><o:p> </o:p></p> <div class=3DMsoNormal align=3Dcenter style=3D'text-align:center'> <hr size=3D2 width=3D"100%" align=3Dcenter> </div> <p class=3DMsoNormal style=3D'margin-bottom:12.0pt'><b><span = style=3D'font-size:10.0pt; font-family:"Tahoma","sans-serif"'>From:</span></b><span = style=3D'font-size:10.0pt; font-family:"Tahoma","sans-serif"'> dataloss-bounces () attrition org on = behalf of James Ritchie, CISA, QSA<br> <b>Sent:</b> Thu 3/20/2008 1:44 PM<br> <b>To:</b> dataloss () attrition org<br> <b>Subject:</b> Re: [Dataloss] rant: Abandon Ship! Data Loss = Ahoy!</span><o:p></o:p></p> </div> <div> <p><span style=3D'font-size:10.0pt'>Being compliant does not mean being = secure and being secure does not<br> mean being compliant. What most people forget with all the = compliance<br> is that constant vigilance must be maintained. Does that mean = daily,<br> weekly, monthly, quarterly, or annually that you have to verify that = the<br> controls are working appropriately? What I think will be the outcome = is<br> if appropriate due diligence and due care can be shown as fact, the<br> liability will be reduced or eliminated. They will compare the = actions<br> taken and of similar size companies to see if what they had done was<br> appropriate. To make any company 100% secure, the cost of security = would<br> be so prohibited, the company would be bankrupt. There has to be = a<br> balance and reasonable effort shown.<br> <br> Adam Shostack wrote:<br> > On Thu, Mar 20, 2008 at 10:13:08AM -0500, Allan Friedman wrote:<br> > | > On the public policy issue, I agree. If you want = companies to disclose<br> > | > the exact circumstances around a breach (exact = technical details), there<br> > | > will have to be a shield that prevents plaintiffs = attorney's from using<br> > | > the information in lawsuits.<br> > |<br> > | You highlight an interesting trade-off. It may be the case that = more<br> > | disclosure would reduce incentives to prevent future = breaches,<br> > | depending on how we understand the problem.<br> > |<br> > | A standard policy tool for enforcing maximum diligence is the = threat<br> > | of lawsuits, massive ones that can wreck a corporation. If we = follow<br> > | this liability argument (as advanced by Schneier and other = scholars of<br> > | the economics of information security) then making concessions = to<br> > | corporate defendants can impede the end goal of less data = retention<br> > | and greater data protection.<br> > |<br> > | If we don't think we're ever going to get there, then more data = about<br> > | breaches for the purposes of research is clearly the greater = good.<br> > | This is a very interesting dynamic. I'll have to think about how = to<br> > | model it...<br> ><br> > For this policy to be effective, costs must be aligned with a = failure<br> > to take effective measures. Today, we lack the data to asses = how<br> > effective various 'best practices' or standards are. Gene Kim = and<br> > company have done work showing that a few part of COBIT are key, = and<br> > others are not correlated with they outcomes they studied. = (There's a<br> > CERIAS talk video you can find.) There's claims that = Hannaford was<br> > PCI complaint. Shouldn't that have made them secure?<br> ><br> > So lawsuits today are random. With better data, we may be = able to<br> > better attribute blame. Perhaps this shapes a temporary = liability<br> > shield, with a goal of revisiting it later, or allowing case law = to<br> > shape it for a while?<br> ><br> > Adam<br> ><br> > _______________________________________________<br> > Dataloss Mailing List (dataloss () attrition org)<br> > <a = href=3D"http://attrition.org/dataloss">http://attrition.org/dataloss</a><= br> ><br> > Tenable Network Security offers data leakage and compliance = monitoring<br> > solutions for large and small networks. Scan your network and = monitor your<br> > traffic to find the data needing protection before it leaks = out!<br> > <a = href=3D"http://www.tenablesecurity.com/products/compliance.shtml">http://= www.tenablesecurity.com/products/compliance.shtml</a><br> ><br> > <br> <br> --<br> James Ritchie<br> CISA, PCI-QSA, ASV, MCSE, MCP+I, M-CIW-D, CIW-CI, Inet+, Network+, = A+<br> <br> Linkedin <a = href=3D"http://www.linkedin.com/pub/1/b89/433">http://www.linkedin.com/pu= b/1/b89/433</a><br> <br> Attachments with this email, not explicitly referenced, should not be = opened. Always scan your email and their associated attachments for viruses = prior to opening.<br> <br> This message and any accompanying documents are confidential and may = contain information covered under the Privacy Act, 5 USC 552(a), the Health = Insurance Portability and Accountability Act (PL 104-191), or the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521 and its various = implementing regulations and must be protected in accordance with those provisions. Unauthorized disclosure or failure to maintain the confidentiality of = the information may result in civil or criminal sanctions. <br> <br> This e-mail is strictly confidential and intended solely for the = addressee. Should you not be the intended addressee you have no right to any = information contained in this e-mail. If you received this message by mistake you = are kindly requested to inform us of this and to destroy the message.<br> <br> _______________________________________________<br> Dataloss Mailing List (dataloss () attrition org)<br> <a = href=3D"http://attrition.org/dataloss">http://attrition.org/dataloss</a><= br> <br> Tenable Network Security offers data leakage and compliance = monitoring<br> solutions for large and small networks. Scan your network and monitor = your<br> traffic to find the data needing protection before it leaks out!<br> <a = href=3D"http://www.tenablesecurity.com/products/compliance.shtml">http://= www.tenablesecurity.com/products/compliance.shtml</a></span><o:p></o:p></= p> </div> </div> </body> </html> ------=_NextPart_000_0007_01C88ACA.892D3F90-- --===============1734797476== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml --===============1734797476==-- _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml
Current thread:
- Re: rant: Abandon Ship! Data Loss Ahoy!, (continued)
- Re: rant: Abandon Ship! Data Loss Ahoy! Eric Nelson (Mar 20)
- Re: rant: Abandon Ship! Data Loss Ahoy! Kim Zelonis (Mar 19)
- Re: rant: Abandon Ship! Data Loss Ahoy! Jackson, Ben (ITD) (Mar 19)
- Re: rant: Abandon Ship! Data Loss Ahoy! Jamie C. Pole (Mar 19)
- Re: rant: Abandon Ship! Data Loss Ahoy! Sasha Romanosky (Mar 20)
- Re: rant: Abandon Ship! Data Loss Ahoy! macadamiamac (Mar 20)
- Re: rant: Abandon Ship! Data Loss Ahoy! Manny Cho (Mar 20)
- Re: rant: Abandon Ship! Data Loss Ahoy! James Ritchie, CISA, QSA (Mar 20)
- Re: rant: Abandon Ship! Data Loss Ahoy! Al Mac Wheel (Mar 21)
- Re: rant: Abandon Ship! Data Loss Ahoy! James Ritchie, CISA, QSA (Mar 21)
- Re: rant: Abandon Ship! Data Loss Ahoy! macadamiamac (Mar 20)
- Re: rant: Abandon Ship! Data Loss Ahoy! lyger (Mar 22)