Editorials

EBay Attacked – Did They Have a Plan?

Do you need an attack plan? I am not sure EBay had one recently. They had an intrusion into their database containing user information. They are trying to play down the impact of the breach by saying you only need to change your password. This is something you should do anyway.

However, they say your user name, password, name, email addresses, physical address, phone number and date of birth were the only things compromised; no financial information was taken. I have a few thoughts about the whole thing.

  • The intrusion occurred more than two months ago and was only detected in the last two weeks. How was it detected, and why did it take so long?
  • What makes them think this is not viable financial information? The only thing missing is a social security number.
  • At least the passwords were stored in an encrypted form. Is that the only thing that should be encrypted? Why not encrypt the birthdate as well?
  • Are we doing any better?

The point is clear: if you don’t have an intrusion plan for when it happens to you, you should begin working on one now. Intrusions do happen. You need a way to mitigate them, a way to identify when one occurs, a plan to keep the lights on while blocking the intrusion, and a way to disclose the intrusion so that your customers are protected.

Am I being paranoid or alarmist? Is this really something you should be concerned about? Set me straight by leaving your comments here online, or drop an email to btaylor@sswug.org to share with others.

Cheers,

Ben