Archive for June, 2012

Salt is Great, But Sometimes You Need More Ingredients

There have been many blog postings lately on the value of salting passwords to prevent attackers from discovering the actual password values. Salting is a very effective tool for protecting passwords when implemented properly, but the problems are bigger than salting the passwords. Attackers are able to access the systems where the passwords are stored, and once they own the system they can do pretty much whatever they want. Most will take the entire credential database and try to break the encryption/hashing schemes. In addition, many credential stores also include various bits of information about the users who own the passwords. Encrypting/hashing/salting passwords is not enough: corporations need to go the next step of not only treating these stores as the highly sensitive crown jewels of the company, but also putting controls on these systems to prevent or thwart the attackers and their attacks in the first place.

Vendor Risk Management in the Age of Everything-as-a-Service

Organizations now have more choices available than ever before when it comes to outsourcing information management and IT resources to third party vendors.  Cloud computing and everything-as-a-service is becoming more popular, and business units in an organization are choosing to conduct more projects with third parties.  In an environment where third party services are seemingly easy to use and quick to deploy, an organization’s liability and risk landscape can increase rapidly and with limited oversight.

Governance of third party vendors, assessment of risk, and remediation of unacceptable risks are critical to protecting an organization’s reputation, business, and customers. IT Security, Legal, and Finance all play an important role in identifying third party vendor projects that involve accessing and managing an organization’s sensitive data. IT Security has a responsibility to assess the risk of third party vendor projects and to ensure that the highest risks are addressed.

Don’t Look to Anti-Hacking Laws to Protect your Company from Malicious Insiders

In a recent court case U.S. v. David Nosal, Judge Alex Kozinski ruled that the Computer Fraud and Abuse Act (CFAA), the nation’s anti-hacking law, applies to people accessing data by circumventing technological access barriers, but it does not extend to employees violating their employer’s restrictions on the use of that information. Under the new interpretation, an employee who has valid credentials to access company data and then misuses that data, however inappropriately, cannot be prosecuted under the CFAA. However, an employee who has valid credentials to access a company computer, but hacks into company data for which he does not have authorization can be prosecuted under CFAA.

The reason for the new interpretation, according to the ruling summary, was that using the CFAA to take action against employees who violate use restrictions could lead to the prosecution of millions of Americans for largely harmless activities at work, like Gchatting, using Facebook or playing games.

The Power of Passwords

When news broke that passwords may have been compromised at some very popular web sites, I immediately thought “Where else am I using that same password?” I, like many others, sometimes reuse passwords even though I know better.  The last 48 hours of password leaks should serve as a wake-up call for consumers and businesses alike.

The fact is that, even in the workplace, users are likely to use the same password to access any number of personal and business resources. It’s a big problem, and businesses can lose millions of dollars if just one employee’s account is compromised, leading to the loss of sensitive corporate data.

So, what are we to do? Rather than dive into salted hashes (see my colleague’s post on What’s @ Stake for that), I think it’s important for this post to focus on best practices to protect your information.

Health Information = A Hacker’s Gold Mine

What makes the healthcare industry such a hot target for hackers? The answer lies in the records that they keep. Medical records contain some of the most valuable personal information — social security numbers, birth and death dates, family information, billing information including credit card data — that gives hackers free rein over a person’s identity and lets them do some major damage. Just like any other business, even hacking boils down to the bottom line, and hackers want the most payout for their efforts. Healthcare organizations are the latest gold mine.

Yet, so many organizations are doing a poor job of protecting patient data. According to the Identity Theft Resource Center 2011 Breach Stats Report, 20 percent of all data breaches reported in 2011 were in the healthcare industry; the Privacy Rights Clearinghouse pegged this number at 33 percent in 2011. So, anywhere from one-fifth to one-third of data breaches last year were at healthcare organizations – that’s significant.