The recent spate of security breaches at Citibank (USA), Sony Online Entertainment (SOE) and the Sony PlayStation Network says a lot about how much importance organisations put on security. In 2009 there was word that Citibank had been robbed, and in 2011 a breach exposed the details of over 200,000 Citibank card holders in the USA. ZDNet's 2011 report "Sony security hole exposes another 24.6 million accounts" shows how security failures can end up affecting over 100 million users in total. Maybe a Sony Certified Security Professional needs to consider a systems security programme for Sony (I am joking).
Other security compromises (hacks) in the news in 2011:
- The vendor-sec email list, used by Linux vendors to discuss vulnerabilities before they are made public, was compromised; the news came out via openwall.com.
- Root access was gained to Wordpress.com's servers. Not much else was said about the extent of the damage to users or blogs at wordpress.com.
- Mobile devices like Android could have user data compromised when using public wifi, says the University of Ulm, Germany, whose researchers showed authentication tokens being sent in the clear over the air.
- The International Monetary Fund (IMF) network break-in sounded, from what I read on ZDNet, like it was being blamed on staff use of the internet and email.
- Lockheed Martin, a defence technology supplier to the Pentagon, had its remote access breached through the use of authentication tokens (the RSA SecurID tokens compromised earlier in the year).
- A major Gmail phishing campaign was traced back to China, and Google looks geared up for more changes as "spear-phishing" becomes a term many will see more often.
- In Malaysia, the newly launched 1Malaysia Pengguna Bijak portal, costing RM1.4 million, was not built to safeguard users' information at all. The only explanation given (and NO apology to the rakyat, the public) was that the system was not built to cope with the 3 million hits it received within 2 days of its launch. Over 2,000 1Pengguna user account details were confirmed compromised. I took it as a government initiative, but the name www.1pengguna.com made me wonder whether it is a Malaysian government effort or a private business.
Over the years of implementing Linux-based solutions, there are a few basic things I can share about deploying web applications and similar systems:
- Put a security policy in place. This includes having security administrators read, and act on, emails from members of the public who voluntarily report security flaws.
- Budget to implement these policies.
- Have security checklists (use them, and audit against them).
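A checklist is only useful if you can re-run it after every change. As an added example that is not from the original post, here is a minimal, auditable checklist for a Linux web host written as a shell script: each item is a function that returns 0 (pass) or 1 (fail), and a runner reports per item and returns the number of failures so a deployment can be gated on it. The four items, the file locations and the thresholds are my assumptions for illustration, not the author's own checklist; the file paths can be overridden through environment variables so the script can be exercised against constructed sample files.

```shell
#!/bin/sh
# Added example (not the original post's code): an auditable security
# checklist for a Linux web host. Items and paths below are assumptions.

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
SHADOW_FILE="${SHADOW_FILE:-/etc/shadow}"

# Prints the effective (uncommented) value of a key in a "Key Value" style
# config file, taking the first occurrence as sshd does (Match blocks are
# ignored, a simplification). Returns 1 and prints nothing if unset.
config_value() {
    file="$1"; key="$2"
    awk -v k="$key" '
        /^[[:space:]]*#/ { next }                       # skip comments
        tolower($1) == tolower(k) { print $2; found=1; exit }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# Item 1: remote root login over SSH is explicitly disabled.
# An unset key is treated as failing because the default varies by version.
check_no_root_ssh() {
    v="$(config_value "$SSHD_CONFIG" PermitRootLogin)" || v="unset"
    [ "$v" = "no" ]
}

# Item 2: SSH password authentication is explicitly off (keys only).
check_no_ssh_passwords() {
    v="$(config_value "$SSHD_CONFIG" PasswordAuthentication)" || v="unset"
    [ "$v" = "no" ]
}

# Item 3: no account has an empty password field in the shadow file.
check_no_empty_passwords() {
    ! awk -F: '$2 == "" { found=1 } END { exit found ? 0 : 1 }' "$SHADOW_FILE"
}

# Item 4: no world-writable regular file exists under the web root.
check_no_world_writable() {
    dir="$1"
    [ -z "$(find "$dir" -type f -perm -0002 -print 2>/dev/null | head -n 1)" ]
}

# Runs every item, prints one PASS/FAIL line per item for the audit record,
# and returns the number of failures (0 means the host passed the checklist).
run_checklist() {
    webroot="$1"; failures=0
    for item in check_no_root_ssh check_no_ssh_passwords check_no_empty_passwords; do
        if "$item"; then
            echo "PASS $item"
        else
            echo "FAIL $item"; failures=$((failures + 1))
        fi
    done
    if check_no_world_writable "$webroot"; then
        echo "PASS check_no_world_writable"
    else
        echo "FAIL check_no_world_writable"; failures=$((failures + 1))
    fi
    return "$failures"
}

# Usage on a real host (needs root to read /etc/shadow):
#   sudo sh checklist.sh /var/www   # exit status = number of failed items
[ -n "$1" ] && run_checklist "$1"
```

Run it as root before and after every deployment and keep the PASS/FAIL output with the change record; the point of the exit status is that a non-zero result can stop a deployment pipeline rather than just being read and forgotten.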
If disaster happens, you just have to fix it; there are people's "lives" at stake. At the same time, go after the culprits if you can.