During the talk there was a fair amount of discussion and comment from the audience. We were pretty harsh and quick to judge the security practices, or lack thereof, of the organizations that suffered the breaches. While these folks may deserve the criticism, one thing we probably didn't think hard enough about is that they are just like many of us: overworked, with more security work that needs to be done than time or money to do it.
That said, the common cause of these breaches appears to be a lack of focus on, and execution of, some basic security measures. We all need to heed the lessons from these breaches and DO THE BASICS:
- Egress Filtering Rules. Keep that data from escaping your network.
- Practice the "need to know" principle in access control. Why do they have access to that data when they don't need it for their job?
- Monitoring of Access. Who's watching the logs that show when someone used their access?
- Monitoring Outbound Activity Initiated by Servers. Why is that server FTPing out to an IP on the Internet when it normally doesn't?
- Tighter Access Control on Servers
- PCI Certified != You're Secure
- Encrypt the Backup Tapes. Okay, this might be a little more than basic, but c'mon - most backup software can do this.
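The "why is that server FTPing out when it normally doesn't" check above is cheap to automate once you have firewall accept logs. The following is an added example, not code from the original post or from any product mentioned in the talk: it builds a baseline of the Internet destinations each internal server normally connects to, then flags connections that fall outside that baseline. The log format, the internal address ranges and the sample log lines are all constructed assumptions for the example; adapt the regex to whatever your firewall actually emits.

```python
"""
Baseline-and-alert detection for outbound connections initiated by servers.

Added example (not from the original post). Assumptions, for illustration:
  - firewall ACCEPT records look like
      <timestamp> ACCEPT src=<ip> dst=<ip> proto=<tcp|udp> dport=<port>
  - "internal" means RFC 1918 space plus loopback; everything else is the Internet.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed log format (assumption, not a real firewall's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ACCEPT src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)$"
)

# Address ranges we treat as "inside the network" (assumption for the example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Ports where an unexpected outbound connection is most worrying (e.g. FTP, SSH, SMB).
WATCHED_PORTS = (20, 21, 22, 445)

# Constructed sample data: a learning window, then the day under review.
BASELINE_LOGS = """
2024-03-01T09:15:02 ACCEPT src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=443
2024-03-01T09:16:11 ACCEPT src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=443
2024-03-01T10:02:45 ACCEPT src=10.0.0.5 dst=10.0.0.7 proto=tcp dport=3306
2024-03-02T09:15:07 ACCEPT src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=443
""".strip().splitlines()

NEW_LOGS = """
2024-03-03T02:41:19 ACCEPT src=10.0.0.7 dst=198.51.100.23 proto=tcp dport=21
2024-03-03T09:15:03 ACCEPT src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=443
2024-03-03T09:20:44 ACCEPT src=10.0.0.5 dst=192.168.1.20 proto=tcp dport=445
2024-03-03T11:05:30 ACCEPT src=10.0.0.5 dst=198.51.100.77 proto=tcp dport=8080
not a firewall line
""".strip().splitlines()


def parse_line(line):
    """Return a dict for a well-formed ACCEPT record, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_records(lines):
    """Yield only records where an internal host talks to an Internet address."""
    for line in lines:
        rec = parse_line(line)
        if rec and is_internal(rec["src"]) and not is_internal(rec["dst"]):
            yield rec


def build_baseline(lines):
    """Map each internal source host to the (dst, proto, dport) tuples it normally uses."""
    baseline = defaultdict(set)
    for rec in outbound_records(lines):
        baseline[rec["src"]].add((rec["dst"], rec["proto"], rec["dport"]))
    return baseline


def find_new_outbound(baseline, lines):
    """Return Internet-bound records absent from the baseline, tagged with a severity.

    A host with no baseline entry at all (a server that never talked out before)
    is alerted on like any other; that is usually the most interesting case.
    """
    alerts = []
    for rec in outbound_records(lines):
        key = (rec["dst"], rec["proto"], rec["dport"])
        if key in baseline.get(rec["src"], set()):
            continue
        rec["severity"] = "high" if rec["dport"] in WATCHED_PORTS else "medium"
        alerts.append(rec)
    return alerts


if __name__ == "__main__":
    for a in find_new_outbound(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print(f"[{a['severity']}] {a['ts']} {a['src']} -> {a['dst']}:{a['dport']}/{a['proto']}")
```

Run against the sample data, the database server's 2 a.m. FTP session to an unknown Internet host is reported as high, the web server's new 8080 connection as medium, and its routine 443 traffic and its SMB connection to an internal host are ignored. Note what the first alert also tells you: if an ACCEPT record shows a database server reaching the Internet on port 21, the egress filtering rule from the first bullet was never written.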