Saturday, September 27, 2014
Dairy Queen Breached?
Forbes reported this week on "The Top 5 Information Security Breaches No One is Talking About". It was interesting to me to hear about the different, very large, companies and organizations that had been breached but that the major news organizations did not report widely on. This makes me wonder: where is the corporate responsibility in regard to reporting breaches, or ensuring that consumers are aware that they may be impacted? I know that I have gone to Dairy Queen several times this summer and I never received any type of notice that I might be impacted. When Target was breached, I hadn't shopped there in months and I received a new debit card anyway. Are there laws that dictate when consumers must be informed of breaches? I will look into this more...
Saturday, September 20, 2014
Healthcare.gov Security Risks
An independent panel reported that there are more than 20 security flaws on the government-run website healthcare.gov. This panel advised that the government took huge risks by going live when it did without being fully tested, as well as by failing to provide consistent maintenance on the site (i.e. patches). This is particularly concerning to me as this site has full records of millions of Americans' personal data, income and Social Security number included. Without getting into the politics that surround this initiative, I think it certainly is in the government's best interest to ensure all patching is up to date and the data they collect is as secure as it reasonably can be; it does not appear that they have done a very good job so far. Should this be a surprise considering the amount of data that Snowden was able to walk out with? Perhaps not.
Saturday, September 13, 2014
Home Depot Breached
Home Depot reported this week that their systems had been breached, potentially by the same malware which impacted Target last year. The period of time spanned from April of this year until last week, and there may be over 60 million customers impacted. My question to Home Depot (as well as to other retailers) is: why was this malware not found sooner? Is it not a known vulnerability that you should have protected your systems against? It is beyond my comprehension to think that the same attack could be used again after Target's staggering losses were reported. In my opinion, any CISO or equivalent entity would have taken steps to plug that gap. I should withhold further judgement until all details are known and confirmed; but I will take this as a point that we should learn from others' mistakes, as well as always keep patches up to date.
*Edit
It has since been reported that different malware was used in the Home Depot attack: http://www.csoonline.com/article/2606380/data-protection/researcher-disputes-report-blackpos-used-in-home-depot-target-attacks.html
Saturday, September 6, 2014
Linux Vulnerabilities
An article caught my eye this week, titled "Linux systems infiltrated and controlled in a DDoS botnet". The reason this caught my attention is that I usually think of Linux as being a safe OS. I don't know where I got this impression, but this article reminded me why it is important to stay up to date with security patches on all operating systems. Wherever there is a potential vulnerability, it is in our best interest to keep our organization's front lines of defense up to date. Leaving unpatched or out-of-date servers on the network is a risky business; if it is meant to be retired, unplug it! No sense in being a tool for someone else's malicious attack.