But other customers were willing to cut Guidance some slack, given the nature of a network breach. Mitch Dembin, an assistant U.S. attorney and cybercrime coordinator for the Southern District of California, as well as a one-time customer of Guidance, said that he could understand the snail-mail notification approach, given that a company in Guidances position might not even be sure that its systems would be secure enough to send e-mail without further compromise of sensitive data. "Recognizing your system has been compromised, are you comfortable using e-mail to contact customers?" he said. "With mail, youre avoiding the possibility of electronic compromise. Although its recognized as significantly more expensive for companies to use the mail, to do so, I think, is to ensure the customer gets the notice, which you cant ensure through e-mail. Particularly since your system has suffered at least one known compromise."Retention of credit card data is another problem entirely, Dembin saidone thats arisen after credit card systems had already come online. For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub. "When we first started taking credit card information online, I dont think these concerns existed," he said. "These concerns have become far more significant now, and card companies have combined to require that vendors only keep certain information a certain amount of time. But again, thats an adjustment [you have to make] to the software. It seems to me the kind of thing that if it was easy, everybody would do it. It might require tweaks, updates or changes that companies are planning for but they hope to get to before [disaster strikes]." In the meantime, users like Garza arent planning to stop using Guidance software, which he called "probably the most widely used computer forensic software in the Windows environment." Hell just be more careful next time he goes back for training or software, he said. "Ill pay with check, not by credit card," he said. Check out eWEEK.coms for the latest database news, reviews and analysis.
The lessons the breach teaches are already well-known, Dembin said, given that in this day and age, everybody knows the value of encrypting the database. That doesnt make encryption a straight-forward choice, however. "There are some difficulties, including cost, in encrypting database information, particularly when its a live database," he said. "Its not so simple as saying, Encrypt it. If you need the data quickly, if the data is active, theres going to be a performance hit. Its just not so easy. If it was so easy to do, yes, by now everyone would have a solution in place and be doing it."