Security risks and losses in online e-commerce
  Topic: [Network security] | Tags: security, news, Web2.0, Security2.0, 道可道非常道 | Views (3503) | Comments (5) | 2006-10-28
Online trading and e-commerce are booming, and everyone knows there are security risks involved. A CRI report a few days ago said that many people in the UK are afraid to go online for fear of hackers and viruses. Now MarketWatch has reported two actual figures that may be useful as a reference:
E-Trade reported that losses from online fraud in its third fiscal quarter reached US$18M, that is, a single-quarter loss of about RMB 150 million.
TD Ameritrade reported that losses from online fraud in its fourth fiscal quarter reached US$4M, roughly RMB 30 million. The full report is below:


Caution urged as online stock scams multiply
Regulators notice more fraud in recent months; companies' bottom lines hit

Regulators say they have seen a particularly strong upswing in theft resulting from two types of scams in the last two months.
Both frauds involve thieves snaring investors' user names and passwords from public computers in places like hotel lobbies or Internet cafes by using keystroke-monitoring "spyware" to grab the information, according to John Reed Stark, the head of the SEC's Office of Internet Enforcement.
One scam involves thieves armed with users' private information liquidating securities and wiring the money to bank accounts, often offshore.
Stark calls the second scam "pump and dump--with a technological twist to it." Again using victims' personal data, hackers steal money to purchase microcap stocks in an effort to drive up their share prices. The shares--already owned by the hackers--are then sold at a profit.

The article describes roughly two fraud schemes currently in use. In the first, thieves use stolen personal information to liquidate the victim's securities and wire the money to a bank account, usually offshore, that is, in a different country. In the second, they use the hijacked accounts to buy stock they already hold in order to drive up its price, then sell at a profit. Both mostly rely on keystroke monitoring or Trojans on computers in hotels, Internet cafes and other public places to steal the private information.

The reported losses are only the tip of the tip of the iceberg. The domestic network security environment and the safeguards of banks and brokerages are even weaker, so everyone should stay cautious about large online transactions and should not use private accounts in public places...

Comments:

  zhaol  2006-10-29 comment  

China Merchants Bank's practice of enabling the Public Edition online login by default for All-in-One Card users really surprised me. Although on 10/26 they just issued yet another security notice, http://www.cmbchina.com/personal+business/common/aqts.htm, warning users to pay attention to online security, the default-on approach still carries a huge security risk. I don't know whether the information department at CMB headquarters has done a thorough risk assessment; the Public Edition has very serious security weaknesses against phishing, social engineering, password guessing and the like. Personally I think it should be off by default and enabled only on application at a branch counter.

As a tip, China Merchants Bank also offers a Professional Edition that uses a certificate for authentication, which raises security considerably. Most importantly, once you have applied for the Professional Edition you can disable your own Public Edition login, which avoids malicious guessing and similar attacks. I recommend that friends using the CMB All-in-One Card or credit card act quickly. Do other friends have any suggestions?

  huangmin  2006-10-29 comment  

Personally I feel that using a USB Key or smart card for two-factor authentication would solve most of the problems, and if rolled out at scale the cost shouldn't be too high either.
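The point the two comments above are making, that a certificate or USB Key defeats the keylogger attack the article describes while a static password does not, can be shown in a small simulation. This is an added example and not code from the page or from any bank; the password, the device key, the keylogger and both toy servers are constructed here for illustration. The "device" is modelled as an HMAC over a server-chosen nonce with a key that never leaves the token, standing in for the certificate-based signature a real smart card would produce.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for the demonstration (not real credentials).
PASSWORD = "correct horse battery"
DEVICE_KEY = secrets.token_bytes(32)  # assumed to exist only inside the USB key / smart card


class StaticPasswordServer:
    """Server that authenticates with a static password only (the 'Public Edition' model)."""

    def __init__(self, password):
        self._pw_hash = hashlib.sha256(password.encode()).digest()

    def login(self, password):
        return hmac.compare_digest(hashlib.sha256(password.encode()).digest(), self._pw_hash)


class ChallengeResponseServer:
    """Server that issues a fresh random nonce and expects HMAC(device_key, nonce) back."""

    def __init__(self, device_key):
        self._device_key = device_key
        self._outstanding = set()  # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def login(self, nonce, response):
        # Each nonce is accepted at most once, so a captured exchange cannot be replayed.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = hmac.new(self._device_key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def device_sign(device_key, nonce):
    """What the token computes; the key itself never crosses the keyboard or the wire."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


class Keylogger:
    """Spyware on the public terminal: records everything the victim types or sends."""

    def __init__(self):
        self.captured = []

    def tap(self, data):
        self.captured.append(data)
        return data


def run_scenario():
    """Victim logs in from an Internet cafe; attacker later replays what the keylogger saw."""
    kl = Keylogger()

    # 1. Static password: the victim's login succeeds, and so does the attacker's replay.
    static_srv = StaticPasswordServer(PASSWORD)
    assert static_srv.login(kl.tap(PASSWORD))
    static_replay = static_srv.login(kl.captured[0])

    # 2. Challenge-response: the keylogger sees both the nonce and the token's response.
    cr_srv = ChallengeResponseServer(DEVICE_KEY)
    nonce = kl.tap(cr_srv.challenge())
    response = kl.tap(device_sign(DEVICE_KEY, nonce))
    assert cr_srv.login(nonce, response)

    # Replaying the captured pair fails: that nonce has already been consumed.
    cr_replay_same_nonce = cr_srv.login(kl.captured[-2], kl.captured[-1])

    # Requesting a fresh challenge does not help either: the attacker has no device key,
    # so the old captured response does not match the new nonce.
    fresh_nonce = cr_srv.challenge()
    cr_replay_new_nonce = cr_srv.login(fresh_nonce, kl.captured[-1])

    return {
        "static_replay": static_replay,            # True: password reuse works for the thief
        "cr_replay_same_nonce": cr_replay_same_nonce,  # False
        "cr_replay_new_nonce": cr_replay_new_nonce,    # False
    }


if __name__ == "__main__":
    print(run_scenario())
```

The simulation covers only the replay case the article describes, where credentials are harvested on a public machine and used later from elsewhere. A Trojan that hijacks the live session while the token is plugged in (changing the payee of a transfer the user is signing) is not stopped by this alone, which is why the "don't use private accounts in public places" advice in the post still stands even with a USB Key.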

  zhaol  2006-10-30 comment  

When I get a chance to talk with friends in CMB's IT department I must remember to discuss this issue. Does CMB already have a well-considered plan, or has it not fully recognized this risk? In fact, measures as simple as not enabling it by default, requiring application at a counter, and recommending the Professional Edition would reduce the risk a great deal. I think CMB has already done a good job on anti-phishing publicity; it reminds users about security everywhere, which deserves praise.

  zhaol  2006-11-08 comment  

Average data breach costs companies $5 million
Nov 7, 2006
By John Fontana, Network World (US)

Companies spent nearly US$5 million on average, and 30 percent more, this year than in 2005, to recover when corporate data was lost or stolen, according to a new study from the Ponemon Institute.

The Ponemon Institute's 2006 Cost of Data Breach Study, which was completed in September, shows that the main culprit for data loss in 49 percent of the cases is a lost or stolen laptop, desktop, PDA or thumb drive. The study looked at 31 companies that have experienced a data breach in the past year.

There have been 254 data-breach incidents this year alone, according to the Privacyrights.org Web site. The study also concluded that companies spend $180,000 after each incident to prevent further data breaches.

In addition, the average cost for each compromised record was up by more than 30 percent over last year, rising from $138 to $182. The average total recovery cost was $140 per lost customer record. According to the study, the increase was fueled by three factors: phone calls for customer notification, free or discounted services and an increase in customer turnover.

Observers note that those costs have nothing to do with IT and suggest that companies need to look across a broader spectrum when factoring costs.

"By not connecting the dots, companies are not seeing the true costs and, therefore, the true value of preventative measures," says Andrew Krcik, vice president of marketing for PGP, one of the sponsors of the survey with Vontu. He says many companies lack a holistic approach to figuring out costs. "They should be looking at what it costs the company instead of looking at what it costs a particular group, especially IT."

The Ponemon Institute is an independent research company focused on issues affecting the implementation of responsible information practices within business and government. The study computed the costs by taking into account such expenses as outlays for detection, escalation, notification and after-the-fact response. The study also took into account direct expenses such as outsourced hot-line support, free credit-monitoring subscriptions, and discounts for future products and services. Indirect costs included in-house investigation and communication, as well as customer turnover.

One interesting finding was that the data theft because of malicious activity by employees accounted for only 6 percent of data breaches. Corporate insiders have long been tagged as major threats when it comes to stolen corporate data.

After stolen laptops, desktops, PDAs or thumb drives, the most common method of data loss was lost or stolen files acquired or used by third parties or outsourcers, put at 29 percent. Lost or stolen electronic backup such as magnetic tapes accounted for 26 percent, and lost or stolen paper records and files accounted for 13 percent of data breaches.

The rest of the list included hacked electronic systems, at 10 percent; malicious insiders, at 6 percent; malicious code, such as malware, spyware or crimeware, at 6 percent; and misplaced network or enterprise storage devices (as a result of a natural disaster, such as a major hurricane), at 3 percent. Of the companies responding to the survey, 6 percent did not disclose how their data breaches occurred.

The study also found that in 32 percent of the data breaches, the CIO or CTO managed the event and the implementation of prevention measures. In 19 percent of the cases, the CISO or CSO dealt with the incident; and a division president or general manager handled the chores in 16 percent of the cases, with a chief privacy officer the leader 6 percent of the time and a compliance officer in 3 percent of the cases. In 29 percent of the cases, respondents reported that more than one person had overall responsibility.

After the breach the top preventive measure taken was the deployment of additional manual procedures and controls 42 percent of the time, training and awareness programs 29 percent, encryption over data in motion 23 percent, encryption over data at rest 16 percent, information leak detection and prevention systems 13 percent, security event management systems 10 percent, additional perimeter controls 10 percent, identity- and access-management systems 6 percent, independent security audits 6 percent, no new procedures or systems 6 percent and encryption over data backups 3 percent. Results add up to more than 100 percent, because respondents could answer in a variety of categories.