For example, the Payment Card Industry (PCI) standard requires the protection of stored cardholder data, and restricting access to cardholder data by business need-to-know. SOX mandates that corporate management take responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting. In other words, if you are staff are able to have unauthorized access to sensitive data once they have access to a privileged password then you’re only addressing half the problem.
That two major companies have made headlines is more an indication of the overall state of data security within organizations. No one would deny that both organisations have the means to deploy the best technology, the problem I would suggest is that they both appear to have placed to much trust in the integrity of staff, and where overly dependent on staff carrying out their responsibilities effectively. Despite the fact that the buck stops at the top, the first people who should come under serious scrutiny are the senior security staff whose job it is to ensure that these incidents do not happen.
Passwords – Protecting the Key
Passwords remain the primary key used to unlock access to business-technology systems. Passwords need to have limited use-life. System-level passwords, such as those used to gain access to networking equipment and server/application administration need to be changed regularly, and in some cases should be “one-time-only”. All privileged or “super” user passwords should be centrally maintained and managed. Basic employee passwords used to access business applications, computers, e-mail accounts etc., should be similarly recycled regularly. Despite widespread knowledge of sound password policy, many organizations still fail to adequately create, manage, and retire their usernames and passwords effectively.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.