-
Aug 25 // Commented by Siva
One of the things that I have noticed is that a lot of companies use production data for testing. They usually justify this by saying that some use cases can only be reproduced by using production data. PCI-DSS requires that production data is scrubbed or sanitized before being used for testing purposes. The Ponemon Institute has come out with some interesting (and scary) data on data security during development and testing.
Continue reading "Data security in development and testing" »
-
Jun 3 // Commented by Siva
Almost every regulation and standard has logging requirements. These requirements exist to ensure that there is data that can show attacks and breaches. But there have been numerous breaches that took place over a period of time and were not discovered until long afterwards.
Continue reading "Problems with identifying breaches" »
-
May 21 // Commented by Siva
The traditional mode of gathering credentials has been phishing attacks sent through email. But this method has been superseded by more effective social engineering attacks. I recently came across an article that described attacks using social networking sites such as MySpace and Facebook.
Continue reading "Social networks and (in)security" »
