Lawsuits and Data Breaches

  • I used to work closely with a security expert who installed an intrusion-detection system. Once it was in place, I was amazed how many attacks we faced, and how some were successful. It was the only way we got to know that they were successful too. It completely changed my way of thinking about security.

    A lot of attacks seem to be merely probes to determine weaknesses. Others, if successful, take effective control of the server, but in a way that is generally undetected, and this is only used later. Very few successful attacks result in your customer database being offered on a Russian website. You probably don't know when your network is successfully compromised.

    You have to know about as many attempts at intrusion as possible and your applications and database need to be instrumented well enough to alert you to any possible intrusion. If you don't, then it is like having a castle or fort without any guards.

    Database security is a boring topic. Security presentations at PASS or SQL Saturday seldom run to packed houses, but it is one of the most important areas of knowledge that a developer and DBA can possess. I recommend Denny Cherry's book as a really good introduction to SQL Server security.

    My worst experience? When an employee with a crazy grudge (an affair with another employee) sold his SQL Server login to some bandits when he left the company. I should have changed it before, I know, but security isn't an exciting topic until you get hit.

    Best wishes,
    Phil Factor
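A concrete form of the instrumentation the post above argues for, as an added example that is not part of the original post and not the output of any product it mentions: a small Python detector run over constructed lines in the shape SQL Server writes to its ERRORLOG when login auditing is switched on. It raises three kinds of alert, matching the three cases in the post: a burst of failed logins from one client (probing), a successful login from a client that had just been failing (the probe that worked), and a successful login from a host that is not on an assumed allow-list of application servers (the case of a login that has walked out of the building). The sample lines, the allow-list and the thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the shape SQL Server writes to ERRORLOG when the
# server audits both failed and successful logins. Not taken from a real server.
SAMPLE_LOG = """\
2014-02-25 10:15:02.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2014-02-25 10:15:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2014-02-25 10:15:02.71 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2014-02-25 10:15:03.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2014-02-25 10:15:03.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2014-02-25 10:15:03.60 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2014-02-25 10:20:11.00 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.21]
2014-02-25 10:20:15.00 Logon       Login succeeded for user 'app_user'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.21]
2014-02-25 23:41:09.00 Logon       Login succeeded for user 'app_user'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.9]
2014-02-25 23:41:10.00 spid12s     This line is not a logon event and is ignored by the parser.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]$"
)

# Assumed allow-list: the only hosts that should ever present application logins.
KNOWN_APP_HOSTS = {"10.0.0.21", "10.0.0.22"}
FAIL_THRESHOLD = 5          # failures from one client inside WINDOW -> brute_force
SUCCESS_AFTER_FAILS = 3     # a success preceded by this many failures from the same client
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Return a dict for a logon audit line, or None for any other ERRORLOG line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
        "outcome": m.group("outcome"),
        "user": m.group("user"),
        "client": m.group("client"),
    }


def detect(lines, known_hosts=KNOWN_APP_HOSTS, threshold=FAIL_THRESHOLD,
           success_after=SUCCESS_AFTER_FAILS, window=WINDOW):
    """Stream the log once, keeping a sliding window of failures per client IP.
    Returns (kind, client, user) tuples in the order the events were seen."""
    alerts = []
    recent_failures = defaultdict(deque)   # client -> timestamps of failures inside window
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures[ev["client"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()                    # drop failures that have aged out of the window
        if ev["outcome"] == "failed":
            q.append(ev["ts"])
            if len(q) == threshold:        # fire once when the threshold is crossed, not on every extra failure
                alerts.append(("brute_force", ev["client"], ev["user"]))
        else:
            if len(q) >= success_after:    # the probing paid off: treat this session as hostile
                alerts.append(("success_after_failures", ev["client"], ev["user"]))
            if ev["client"] not in known_hosts:
                alerts.append(("login_from_unknown_host", ev["client"], ev["user"]))
    return alerts


def detect_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for kind, client, user in detect_sample():
        print(f"{kind:25s} client={client:15s} user={user}")
```

Two things worth knowing before pointing this at a real ERRORLOG: by default SQL Server writes only failed logins, so the success-based alerts need the server's login auditing set to record successful logins as well; and a single mistyped password followed by a success (the app_user lines from 10.0.0.21) is deliberately not alerted on, because a detector that cries wolf is switched off within a week.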

  • We should be doing the right things and be seen to be doing them. Except for a possible small number of exceptions, I would hazard a guess that the majority of hackers are either criminals or cyber-vandals. As such I would expect both groups to be more interested in easier targets (no pun intended). Criminals will want to maximise their gains from low risk/low effort activities whilst cyber-vandals are more likely to be interested in high profile results possibly without serious amounts of talent.

    This is the classic scenario of not necessarily being able to make the situation impossible rather than make it difficult to a level that there are easier targets available.

    Also by taking the appropriate steps then stakeholders should attain a level of reasonable confidence. It may also provide evidence that due diligence was performed in a more legal setting.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Phil Factor (2/25/2014)

    ...A lot of attacks seem to be merely probes to determine weaknesses. Others, if successful, take effective control of the server, but in a way that is generally undetected, and this is only used later. Very few successful attacks result in your customer database being offered on a Russian website. You probably don't know when your network is successfully compromised...

    Sometimes our systems are just used as a launch pad for other attacks in order to preserve the attacker's anonymity and provide an attack vector from a possibly legitimate source.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Gary Varga (2/25/2014)

    Phil Factor (2/25/2014)

    ...A lot of attacks seem to be merely probes to determine weaknesses. Others, if successful, take effective control of the server, but in a way that is generally undetected, and this is only used later. Very few successful attacks result in your customer database being offered on a Russian website. You probably don't know when your network is successfully compromised...

    Sometimes our systems are just used as a launch pad for other attacks in order to preserve the attacker's anonymity and provide an attack vector from a possibly legitimate source.

    Many websites simply do not have the economic benefit for the hacker. Hack SSC and you get some passwords that are hopefully not used on other sites. Hack Target and you get millions of credit cards.

  • Gary Varga (2/25/2014)

    We should be doing the right things and be seen to be doing them. Except for a possible small number of exceptions, I would hazard a guess that the majority of hackers are either criminals or cyber-vandals. As such I would expect both groups to be more interested in easier targets (no pun intended). Criminals will want to maximise their gains from low risk/low effort activities whilst cyber-vandals are more likely to be interested in high profile results possibly without serious amounts of talent.

    This is the classic scenario of not necessarily being able to make the situation impossible rather than make it difficult to a level that there are easier targets available.

    Also by taking the appropriate steps then stakeholders should attain a level of reasonable confidence. It may also provide evidence that due diligence was performed in a more legal setting.

    It does not appear that Target was that easy. They did not hit Target directly, they hit the third party card readers, gaining access through another third party (HVAC system maintenance). They used a RAM scraper to grab info during the short time while it was not (could not be) encrypted.

    The point I see from this is that there are, and will ALWAYS be attack points that are outside of your control. To paraphrase the old STD public health warnings, it's not just your vendors and customers to worry about, but all of their vendors and customers as well.

    I find it absurd, though, that the government is threatening more legal sanctions for security leaks when they can't even keep their own house in order (NSA anyone?)

    ...

    -- FORTRAN manual for Xerox Computers --

  • I used to work for a company that was in the health care business. We had databases full of PII (Name, Address, SSN, DOB, Insurance Membership, etc.) and none of it was encrypted. It was also copied from PROD to QA to DEV and sent overseas to our India office.

    I complained loud and long about how dangerous this was and how we needed to secure this data. Finally the Director of Security for my company called me into his office and basically read me the riot act and told me I needed to shut up. They were aware of the issues and were working on them, and if the clients found out about this, we could lose business.

    I started looking for a new position that afternoon. I still have friends who work there and now, almost 16 months later, nothing has changed.

    And from what I understand from other friends, this is more the norm than the exception.

    It blows my mind!

  • Steve Jones wrote:

    We, and the businesses that employ us, should be incorporating analytics into our defenses to detect abnormal actions ...

    Which seems to be what products from cyber security vendors like Aorato do.

    [Disclaimer: I'm not associated with Aorato in any way. I did try getting our data security officer interested in Aorato's software, but he just sniffed and went about his business. Maybe he'll pay more attention when some big data breach happens here.]
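An added example of the kind of analytics the quoted sentence refers to; it is not code from the original post, from Steve Jones, or from Aorato. Rather than a fixed threshold, it builds a baseline from each SQL login's own earlier days and scores the current day against it, so a login that suddenly reads twenty times its normal row count, or touches a table it has never touched, stands out even though nothing about the individual query is forbidden. The per-login daily summaries (which one could roll up from SQL Server Audit or Extended Events output), the z-score threshold and the minimum history are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed daily activity summaries per SQL login. Sample data, not from a real system.
ACTIVITY = [
    # (day, login, rows_read, tables touched)
    ("2014-02-17", "app_user", 120_000, {"Orders", "Customers"}),
    ("2014-02-18", "app_user", 118_000, {"Orders", "Customers"}),
    ("2014-02-19", "app_user", 125_000, {"Orders", "Customers"}),
    ("2014-02-20", "app_user", 121_000, {"Orders", "Customers"}),
    ("2014-02-21", "app_user", 119_000, {"Orders", "Customers"}),
    ("2014-02-22", "app_user", 123_000, {"Orders", "Customers"}),
    ("2014-02-23", "app_user", 117_000, {"Orders", "Customers"}),
    ("2014-02-24", "app_user", 2_400_000, {"Orders", "Customers", "CardNumbers"}),
    ("2014-02-17", "report_user", 50_000, {"Sales"}),
    ("2014-02-18", "report_user", 52_000, {"Sales"}),
    ("2014-02-19", "report_user", 49_000, {"Sales"}),
    ("2014-02-20", "report_user", 51_000, {"Sales"}),
    ("2014-02-21", "report_user", 50_500, {"Sales"}),
    ("2014-02-22", "report_user", 49_500, {"Sales"}),
    ("2014-02-23", "report_user", 50_000, {"Sales"}),
    ("2014-02-24", "report_user", 53_000, {"Sales"}),   # a little high, but within normal variation
]

Z_THRESHOLD = 3.0        # assumed: how many standard deviations above baseline counts as a spike
MIN_BASELINE_DAYS = 5    # assumed: refuse to judge a login with less history than this


def baseline_stats(values):
    """Mean and a floored standard deviation, so a perfectly flat baseline still yields a usable z-score."""
    mean = statistics.fmean(values)
    sd = statistics.stdev(values) if len(values) > 1 else 0.0
    return mean, max(sd, 0.05 * mean, 1.0)


def score_day(baseline, today, z_threshold=Z_THRESHOLD):
    """Compare one day's (rows_read, tables) with the prior days for the same login.
    Returns a list of (kind, detail) alerts; empty when nothing is abnormal."""
    alerts = []
    if len(baseline) < MIN_BASELINE_DAYS:
        return alerts                          # not enough history to say what normal is
    mean, sd = baseline_stats([rows for rows, _ in baseline])
    z = (today[0] - mean) / sd
    if z > z_threshold:
        alerts.append(("volume_spike", round(z, 1)))
    seen = set().union(*(tables for _, tables in baseline))
    for table in sorted(today[1] - seen):     # a table this login has never touched before
        alerts.append(("new_table", table))
    return alerts


def find_anomalies(records, z_threshold=Z_THRESHOLD):
    """Score every day of every login against only the days before it, so the
    day being judged never contaminates its own baseline."""
    by_login = defaultdict(list)
    for day, login, rows, tables in records:
        by_login[login].append((day, rows, tables))
    findings = {}
    for login, days in by_login.items():
        days.sort()
        for i in range(1, len(days)):
            baseline = [(r, t) for _, r, t in days[:i]]
            day, rows, tables = days[i]
            alerts = score_day(baseline, (rows, tables), z_threshold)
            if alerts:
                findings.setdefault(login, []).append((day, alerts))
    return findings


if __name__ == "__main__":
    for login, hits in find_anomalies(ACTIVITY).items():
        for day, alerts in hits:
            print(login, day, alerts)
```

The floor on the standard deviation is the part that matters in practice: a service account that does exactly the same batch every night has a baseline spread of zero, and without a floor its first slightly different day would score as infinitely abnormal. The same walk-forward scoring is what lets the detector run on yesterday's summaries each morning without ever having seen the current day.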

  • In theory, in the UK the data protection registrar can send the CEO of a company in breach of legislation to prison.

    Having data without security is like driving without insurance.

    You have to consider all of the following and more:-

    • Encrypting data in the database
    • Encrypting data in the backups
    • Data security in electronic transport. SSL certificates, etc.
    • What machines are allowed to talk to a DB server and if possible what processes
    • Data security in transport. Physical media, backup tapes, DVDs, USB
    • Separation of data with different security concerns
    • RACI matrix for who has access to what and at what level
    • RACI matrix for who has authority to specify access and to grant it
    • How security is monitored/audited
    • What business processes are in place for security breaches. This has to include escalating up the chain of command.
    • Business process for handling requests under the Freedom of Information Act or ICO requests
    • ...etc

    In short, there is a lot to think about with regard to security and, as said earlier, it's not just doing it, it's being seen to do it.

  • At a recent client's (I do not want to identify them as this story is specific but I find it generally applicable) the development team were forced to update configuration files with security information (credentials etc.) of the production systems. This place, like many, totally understood that giving the developers of software details of the production environment was not a good practice and was against their own security rules (the term "in breach" was used). The team whose responsibility it was to deploy and configure software in all non-development environments refused to take up the configuration of a new system. The claim was that they did not have time to learn how to do it. It eventually got into production and the development team was still being emailed server names, security principal credentials, etc. I raised the concern that, although the individuals being given the details were completely trustworthy, a key security principle was being deliberately ignored.

    I think that it will take at least one high profile case where senior members of staff are actually held to account by a court of law (instead of it being an empty threat) for any cultural change to occur. I think we need an Enron moment; we have the equivalent of Sarbanes-Oxley (regulation) but what we don't have is a precedent of punishment for non-compliance.

    Don't get me wrong; I do not want to see people go to jail but I do want well known best practices applied and the employment of them actively supported by the appropriate management.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Don't get me wrong; I do not want to see people go to jail but I do want well known best practices applied and the employment of them actively supported by the appropriate management.

    Gary, you mentioned earlier in your post we need an 'Enron moment' - and Enron execs were in fact sentenced to jail.

    Human nature being what it is, and execs being what they often are (both arrogant and ignorant), I have no problem seeing some people being made an example for their misdeeds.

  • Craig-315134 (2/26/2014)

    Don't get me wrong; I do not want to see people go to jail but I do want well known best practices applied and the employment of them actively supported by the appropriate management.

    Gary, you mentioned earlier in your post we need an 'Enron moment' - and Enron execs were in fact sentenced to jail.

    Human nature being what it is, and execs being what they often are (both arrogant and ignorant), I have no problem seeing some people being made an example for their misdeeds.

    I guess my point is that I don't want to see people sent to jail as I'd rather that they understood the need to change first but I believe that it would take people being sent to jail for certain people to accept that things do need to change.

    Of course, although those people change their behaviour it is still not for the right reasons :'-(

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • ... I believe that it would take people being sent to jail for certain people to accept that things do need to change.

    Of course, although those people change their behaviour it is still not for the right reasons :'-(

    If men were angels, no government would be necessary.

    -- Federalist no 51
