BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Top 5 Data Breach Excuses Of 2011 (And What They Really Mean): Part 5

Posted January 9, 2012    Peter McCalister

DON’T COMMENT AT ALL – EVEN WHEN A GOVERNMENT WATCHDOG OUTS YOUR POOR PRACTICE MUCH LATER – Numerous UK Local Authorities up to Nov 2011

This strategy is used by organisations who know that trying to make an excuse for such widespread poor practice is like pouring petrol on a fire. Best to keep quiet and hope it all goes away.

As reported in the UK’s Guardian newspaper in November 2011, of 1,035 breaches which happened at UK Local government authories over 3 years up to 2011, only 55 were reported to the Information Commissioner’s Office (ICO). Quite understandable when you consider the glaring poor practice involved in some of them. It’s not just the loss of physical storage devices which was obviously embarrassing, but the downright incompentent such as the Buckinghamshire CC employee who accidentally sent about 2,000 email addresses to the public, or the ccanned case notes relating to children which were published on Facebook by an employee at Kent council.

BeyondTrust says: Mitigating against insider threat is not just about protecting data assets from employees with malicious intent, but also against unintentional and accidental harm. This is best achieved with the fine grained management of privileges, by establishing boundaries which permit employees to do their job well, and nothing more, as opposed to building walls which require them to request support from IT Admin, everytime they want to go to the bathroom.

Leave a Reply

Additional articles

How To Implement The Australian Signals Directorate’s Top 4 Strategies

Posted October 20, 2014    Morey Haber

The Australian Signals Directorate (ASD), also known as the Defence Signals Directorate, has developed a list of strategies to mitigate targeted cyber intrusions. The recommended strategies were developed through ASD’s extensive experience in operational cyber security, including responding to serious security intrusions and performing vulnerability assessments and penetration testing for Australian government agencies. These recommendations…

Tags:
, , , ,
asp-mvc

Exploiting MS14-059 because sometimes XSS is fun, sometimes…

Posted October 17, 2014    BeyondTrust Research Team

This October, Microsoft has provided a security update for System.Web.Mvc.dll which addresses a ‘Security Feature Bypass’. The vulnerability itself is in ASP.NET MVC technology and given its wide adoption we thought we would take a closer look. Referring to the bulletin we can glean a few useful pieces of information: “A cross-site scripting (XSS) vulnerability exists…

Tags:
4bestpracticesaudits-blog

Four Best Practices for Passing Privileged Account Audits

Posted October 16, 2014    Chris Burd

Like most IT organizations, your team may periodically face the “dreaded” task of being audited. Your process for delegating privileged access to desktops, servers, and infrastructure devices is a massive target for the auditor’s microscope. An audit’s findings can have significant implications on technology and business strategy, so it’s critical to make sure you’re prepared…

Tags:
, , , ,