The consumer protection pros at the Federal Trade Commission (FTC) have been on high alert over the last decade for breach events that threaten consumer privacy due to the negligence of businesses. While the FTC is typically charged with taking errant businesses to task for their shoddy security practices, their leadership says it would much rather have businesses learn their lesson preemptively, rather than at the hands of the agency's lawyers and settlement mediators. This summer, the FTC unveiled a new education program it calls Start with Security, which offers common-sense tips for businesses who'd rather not be on the wrong end of FTC action and bad publicity.
The initiative includes a comprehensive guide with lessons learned from the 53 data security settlement cases the FTC has brought to bear, along with a pair of conferences to be held in San Francisco and Austin this fall.
Overall, the guide provides 10 major best practices, for developers and startups in particular, to keep in mind:
1. Start with security.
2. Control access to data sensibly.
3. Require secure passwords and authentication.
4. Store sensitive personal information securely and protect it during transmission.
5. Segment your network and monitor who’s trying to get in and out.
6. Secure remote access to your network.
7. Apply sound security practices when developing new products.
8. Make sure your service providers implement reasonable security measures.
9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
10. Secure paper, physical media, and devices.
In particular, guidance number six homes in on endpoint security, urging businesses to ensure endpoint security to solidify secure remote access to the network.
"Just as a chain is only as strong as its weakest link, your network security is only as strong as the weakest security on a computer with remote access to it
According to the FTC, three cases in particular drive this lesson home.
Lesson #1: Lifelock
In spite of the fact that Lifelock specializes in protecting consumers' identities, the company was forced to settle with the FTC in 2010 for $12 million and decades of auditing because the firm failed to enact even basic measures of installing antivirus on the computers employees used to remotely access its network.
Now the company is in some serious hot water as this week the FTC says Lifelock still hasn't cleaned up its act and has violated its settlement agreement by failing to establish and maintain an infosec program. The company's stock went down by 49 percent at the news of this announcement.
Lesson #2: Settlement One
Focused on reselling credit reports, this company and its parent company makes its stock and trade in sensitive consumer data. The FTC called for accountability after its poor infosec practices allowed attackers to access over 1,800 credit reports. According to the FTC, " the business allowed clients that didn’t have basic security measures, like firewalls and updated antivirus software, to access consumer reports through its online portal." The company settled with the FTC in 2011, in an agreement that will put it under intense audit scrutiny by the agency for 20 years.
Lesson #3: Premier Capital Lending
This Texas-based mortgage lender came under the eye of FTC regulators when an attacker was able to break into a third-party home seller to use a privileged account "for accessing credit reports in order to refer purchasers for financing without taking reasonable steps to verify the seller’s procedures to handle, store, or dispose of sensitive personal information." As a result, an attacker that broke into the seller's computer leveraged those credentials to steal 400 credit reports through Premier's systems.
These three cases are just a few among dozens more that the FTC has successfully negotiated over the years. Many of them are detailed within the Start with Security guide, which clearly had plenty of real-world basis for its advice. While the tips presented might seem obvious, these cases make it clear that these problems are persistent and commonplace.