BreachExchange mailing list archives

In data-heavy economy, breaches likely


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 6 Feb 2014 19:05:26 -0700

http://au.finance.yahoo.com/news/data-heavy-economy-breaches-likely-010102183.html

Target. Neiman Marcus. And now three other national retailers (yet to be
named) have reportedly lost customers' personal data.

The Target breach alone compromised the data of as many as 110 million
Americans - roughly one of every three people in the country.

The recent cascade of scams is an unwanted manifestation of the technology
we carry in our pockets, the business we conduct online and the
ever-growing array of devices, merchants, service providers and agencies we
entrust with pieces of our identity.

Think of how often you swipe your card at the counter, fill out an online
form, or even enter your user name and password into a website. Every time,
you're sharing information that thieves are itching to get their hands on.

In 2012, the latest year for which widely accepted statistics are
available, 621 confirmed data breaches compromised 44 million individual
records. That's according to Verizon's annual Data Breach Investigation
Report, considered by many to be the definitive measure of data intrusions
in the industry.

Even that is not a comprehensive figure: It's limited by the number of
organisations that participate, a roster that includes outfits as diverse
as Deloitte and the US Department of Homeland Security.

Because the number of participants changes constantly, it's also impossible
to compare year-over-year stats. Thus, there's no way to confirm the
widespread perception that the number of breaches is growing.

But other firms that tally breaches put the number even higher.

Among veterans of the information security wars, it's widely assumed that
"100 per cent" of Fortune 500 companies have been hacked at some point,
said Robert Lee, a security business partner at Intuit.

Even scarier: "It's very difficult to get a hacker out of your environment
once they have a foothold," Lee said.

The beauty of being a hacker is that you only have to exploit one weakness.
The problem of being in IT is that you have to protect against all
potential attacks. And the points of attack just keep growing as more of
our lives occur in cyberspace.

You can think about firewalls - the primary tool companies use to safeguard
data - as a series of concentric circles. At each circle, a checkpoint
looks at incoming information and assesses if it's OK, or not OK, to let it
through.

But no matter how many checkpoints a system has, there's a vulnerability
they're blind to.

"Think of them as outward-facing," said CEB TowerGroup research director
Jason Malo. "You are standing on the wall, [trying to repel] someone [who]
wants to come inside the castle."

The problem is, every system is hackable, and because the defences are
outward-facing, a thief who sneaks in can often harvest data undetected for
months or even years. Breaches usually go unnoticed for six to 13 months,
giving malware ample time to do what it was designed to do, steal customer
or company information, said Jake Kouns, chief information security officer
for Risk Based Security, which runs the DataLossDB project.

"Once an attacker is inside the network, it's 'game over,' " said Adam
Ghetti. He's the founder of Atlanta-based Ionic Security, which provides
encryption services to banks, hospitals and other companies.

"The centralisation of assets has been a protection method for centuries,"
said Ken Baylor, a research vice president at the information security
research and advisory company NSS Labs. "Banks secured their data in
vaults. Companies now centralise them in databases.

"At least with a vault, banks knew when they had been robbed," Baylor said.
"With databases, a copy can be created in seconds and the company is
unaware that millions of its customers have been put at severe risk."

Retailers, in particular, aren't properly protecting their in-house
databases, Ghetti said.

"Retail enterprises continue to invest in, and lean heavily on, perimeter
security technologies," he said in an email.

It's not as if IT folks can't come up with solutions. But businesses are
caught in a tug of war between risk and reward, said Lee.

"Businesses are transferring risk to users, with the reward of higher
profits for themselves," he said. "We know how to solve these problems;
some companies choose not to."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
