BreachExchange mailing list archives
Re: Firms play Data Protection roulette
From: George Toft <george () myitaz com>
Date: Mon, 10 Jul 2006 05:31:47 -0700
If the client is really serious about this effort, I think it is much better than using real data. I suggest scrambling the credit card info (SSN's as well) unless there is some aspect of the application that does a validity check on the value. For CC numbers, if the CC processor returned an authorization code at the time of sale, it must be valid, so I see no reason to maintain that number intact. I also recommend they make someone personally accountable for any real data stored outside of the prod environment. Without accountability, the rules won't be followed, and you'll find real data stored on machines without adequate security... My thoughts :) George Toft, CISSP, MSIS My IT Department www.myITaz.com 480-544-1067 Confidential data protection experts for the financial industry. Peter Wood wrote:
We discussed recently the matter of real data in a test environment with a client. Frequently, when conducting an internal penetration test, we find copies of real data on development machines unprotected by passwords or encryption. Rather than try to insist that developers protect this real data properly, which is never going to happen, we suggested the following: (1) replace all name fields with alpha garbage (of the correct field lengths) so as to depersonalise the data (2) randomly swap fields such as city, zip code, credit card number etc. so that any given row of data is useless to a thief but still valid per range checks etc. Any views on this idea? Pete At 08:10 09/07/2006 -0700, George Toft wrote: >I think we should make a distinction between live data and real data. > >Some companies make copies of their live data and put it in their >development environment(s) for development and testing. It's not live >data, but it is certainly real. > >There are many benefits to using a copy of live data, but in today's >reality, I think the risk to the business is too great to endorse this >activity. I think it also might violate the spirit of "separation of >duty" that most companies implement to keep developers out of production >systems. > >Regards, > >George Toft, CISSP, MSIS >My IT Department >www.myITaz.com >480-544-1067 -------------------------------------------------------------------- Peter Wood FBCS CITP MIEEE MIMIS CISSP Chief of Operations First Base Technologies Office: +44 (0)1273 454525 Mobile: +44 (0)7774 239915 www.fbtechies.co.uk www.white-hats.co.uk _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/errata/dataloss/
_______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/errata/dataloss/
Current thread:
- Firms play Data Protection roulette lyger (Jul 08)
- Re: Firms play Data Protection roulette Al Mac (Jul 08)
- Re: Firms play Data Protection roulette Saundra Kae Rubel (Jul 08)
- Re: Firms play Data Protection roulette Adam Shostack (Jul 08)
- Re: Firms play Data Protection roulette George Toft (Jul 09)
- Re: Firms play Data Protection roulette Peter Wood (Jul 10)
- Re: Firms play Data Protection roulette George Toft (Jul 10)
- Re: Firms play Data Protection roulette Saundra Kae Rubel (Jul 10)
- Re: Firms play Data Protection roulette Al Mac (Jul 08)
- Re: Firms play Data Protection roulette Chris Walsh (Jul 09)
- <Possible follow-ups>
- Re: Firms play Data Protection roulette Al Mac (Jul 10)