Zappos.com attack: Fallout and Feedback

Zappos.com -- an online source for shoes -- suffered an attack that compromised account information for millions of customers and made the company another unfortunate statistic.

Some security sources have kindly offered me some perspective:

This, from Mark Bower, data protection expert and VP at Voltage Security: “The good news is that it looks like Zappos credit card information was encrypted or not stored in a way that hackers could use. So this is proof that protection can help with safeguarding customer data in the event hackers get their hands on it. More merchants should be taking these kinds of measures.”

This, from Alan Hall, security expert and director at Solera Networks: “Without full visibility of the entire attack, organizations can only guess or assume that all records were taken and then address their response to the full extent of possible damage -- 24M in this case. An appropriate response includes more detail of ‘how did they get in, where did they go and what was accessed, seen, and removed from the network?’ Until you have a complete record with full packet-level detail and the ability to reconstruct every artifact, your response is slow and fraught with guesswork, assumptions and misdirected resources. Organizations should pinpoint the response to the exact scene of the crime with full evidence.”

One more, from Tomer Teller, security researcher and evangelist at Check Point Software Technologies: “Though not as serious as compromising customer payment information, hackers can use stolen customer data like this to attempt similar data thefts. Having enough information about a person can make it easier to attack other sites. It’s troublesome, considering how many other web services can be put in jeopardy by a single incident like this. Even so, Zappos should be commended for alerting their customers in a timely fashion.”

The best feedback I've gotten thus far comes from Teller, who offered these tips for victims and those who want to avoid being victims in the future:

Top 6 Data Loss Prevention Tips

1. Understand Your Organization's Data Security Needs - Have a clear view and record of the types of sensitive data that exist within the organization, as well as which types of data are subject to government or industry-related compliance standards.

2. Classify Sensitive Data - Begin by creating a list of sensitive data types in the organization and designating the level of sensitivity. Consider establishing a set of document templates to classify data by Public, Restricted or Highly Confidential - creating more end user awareness about corporate policies and what constitutes sensitive information.

3. Align Security Policies with Business Needs - An organization's security strategy should protect the company's information assets, without inhibiting the end user. Start by defining company policies in simple business terms that are aligned with individual employee, group or organization's business needs. Identity awareness solutions can provide companies with more visibility of their users and IT environment, in order to better enforce corporate policy.

4. Secure Data Throughout Its Lifecycle - Businesses should consider implementing data security solutions that secure their sensitive data in multiple forms - correlating users, data types and processes - and protect it throughout its lifecycle: data-at-rest, data-in-motion, and data-in-use.

5. Eliminate the Compliance Burden - Evaluate government and industry-driven compliance mandates and how they impact an organization's security and business flow. Consider implementing solutions with best practice policies customized to meet specific regulations, including HIPAA, PCI DSS and Sarbanes-Oxley, for fast prevention on day one. Best practice policies also enable IT teams to focus on proactively protecting data beyond what's required.

6. Emphasize User Awareness and Engagement - Involve the user in the security decision process. Technology can help educate users about corporate policies and empower them to remediate security incidents in real time. Combining technology and user awareness sensitizes employees to risky behavior through self-learning techniques.

--Bill Brenner

Copyright © 2012 IDG Communications, Inc.