Earlier today I typed a response, but decided not to post it as it entailed personal experiences. To shorten it, no two people solve a problem in the same manner, even when guided by best practices. All companies, and people, have their own methodology for going about their practice.
You can enlighten stakeholders on which security standards are being applied, and you need to be transparent about risk exposure, but you can't allow them into how it's all operable. You want to limit the attack vectors as well as possible, governed by best practices.
No, no examples. I do, however, have many case studies at my disposal used to design policy.
Thank you, I think that I am starting to understand your thoughts.
On standards, I am not entirely in disagreement with what you are saying, because it may hold true for some unique situations, particularly where you have highly gifted and exceptionally intelligent people working on the problem, and possibly a large budget (but the opposite may also be true). And because no one is an expert on everything, it needs larger than usual teams with more diversity in specialisations, and the problems that come with it, like managing "prima donnas" and eccentrics.
The obvious issue is that it makes security immeasurable, and the people responsible for it even less so. It mystifies the work that is done by security teams, turns security into a black art and dependent on very specific people and skills. It can't scale, and one struggles to mitigate all risks (there are many threat vectors) because it requires many experts and specialists.
Enter standards and certification. It attempts to provide stakeholders with assurances that almost all bases are reasonably adequately covered, but in actual fact the process is flawed because it is based on risk, which in itself is a black art. And, as you have pointed out, smart auditees never allow the ISO / PCI / SOC-1/2 auditors to come even close to the actual controls, and the auditors are none the wiser.
And yes, I have also deleted and purposefully left out some of my own experiences.
