Like this infographic? Get more copywriting tips from Copyblogger.

By John Leyden • Get more from this author

Posted in Enterprise Security, 11th April 2012 15:26 GMT

Interesting (understatement) that a malware laden compact flash card can get shipped out with a product from a respected and revered company such that HP is. I find myself shocked for the most part, but then somehow it seems par for the course. The question still remains, how the hell did the malware get on the card – let alone thinking – did you check the cards before deploying them?

It’s almost inconceivable to think that something like this could happen, but then take a glance into supply chain operations. Are those sourcing the technology armed with enough information to understand the risk? Are those that are deploying the project plan asking the right people the right questions?

It seems no matter which angle you take, there is propensity for issues, and I hazard a guess that the angle is always going to be skewed where people are involved. That’s not slighting people, it’s more the knowledge angle. I’ll use the phrase “you don’t know what you don’t know”.

Example: Information Security Awareness Training: one weak link in securing an environment is people. So, Joe Bloggs, when was the last time you upgraded the firmware on your home router, or updated and scanned your home system? You get a blank look! That’s the point – they don’t know that connecting to your environment through the SSL VPN is a huge risk.

Back to the point – it falls back on us to make sure we ‘sanitize’ all and every piece of media or hardware (etc) that comes into our environment, exactly to negate issues such as this, and that’s just the starting point.

Can you see how big the problem is yet?

The reason I’m raising interest is it is stated that a Central American gang successfully answered the knowledge based authentication questions correctly, then took over an under protected admin account.

The fact that someone can do that is ‘out there’. Were the questions easy, or something? I don’t know the facts but doesn’t that then call into question this method of authentication? (the article calls out that point also).

I wonder what the ramifications of this will be in the PCI world. We all know using multiple layers of authentication is best, but I’d love to hear how the knowledge based answers were found.

Here’s the link to the article again. http://blog.gartner.com

It seems this is prompting the government to attempt to clamp down on security for third parties that hold such data on behalf of the government. I wonder why it took so long to ask that question. One would have thought it would be a natural thought process, no? Or maybe there’s some posturing in an effort to support the bill …hmm.

Any who, it makes for somewhat interesting reading. In case you missed the links above, it’s HERE.

The article detracts from the fact that they were hacked, period. Regardless of whether customer data or credit card data was taken, they were vulnerable enough to be hacked. Does that give the customers a vote of confidence that they are secure?

Was that last statement a little harsh? Depends on which side of the fence you are looking. I see it as a good thing that the attackers didn’t get further, but I can’t help but think that it was a starting point. We all know it only takes one person inside the company to make us vulnerable, and that chances are it isn’t malicious, but that the vulnerability that person unwittingly creates allows the hack to occur.

Was a patching / maintenance window pushed for some reason or other? Or – were bad practices involved? We don’t know the answers, we just see the headline “Zappos Hacked”. The hackers got to the last four digits of credit card numbers – perhaps that is a staged database used for testing? Again, who knows right?

You have to wonder where the fine line is for giving out information about being hacked. Not the method, just what, when etc. Since the damage is done, how do you negate that and recover?

I’m guessing there’s a lot of work going on in Zappos right now – forensics – rebuilding – double checking. It’s sad, since they have done so well up to now. How bad is the fallout going to be? I’m keeping an eye out but my thought is they will recover, since their reputation has always been good and valued.