Have You Been Hacked?

  • Comments posted to this topic are about the item Have You Been Hacked?

  • I think that when looking at industry in general we can see what can work and what doesn't. Following the deliberate actions at Enron etc., Sarbanes-Oxley (SOX) has ensured that it is harder to manipulate the accounts. Although still possible, it made it harder for it do be done accidentally or "innocently". In many companies, due to the responsibility lying with senior management this has been implemented.

    If senior management were held accountable to data loss/theft then they would be prepared to do two things; firstly invest in security and secondly delegate responsibility (as opposed to deny responsibility). This in turn would lead to trickle down to DBAs and devs both from the point of view of responsibility but also permission to advise and act.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • People will need to have pre employment background and drug tests done more often.

  • Robert.Sterbal (10/30/2014)


    People will need to have pre employment background and drug tests done more often.

    Background checks: yes.

    Drugs checks: why?

    I know that when applying for a UK government position (be it temporary or permanent) that they do a check for various things to ensure that you are a low blackmail risk e.g. searching for evidence of financial problems (including gambling), substance abuse (legal or illegal), criminality etc.

    Luckily for me, if I had any noteworthy habits or pastimes then I have left them all in with my youth. And regardless of whether I had any or not , I have not picked up any as I got older. All of my oddities and pastimes fit into the category of ordinary (but not necessarily "normal" 😉 ).

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • If a company is hacked that I use for credit stealing just 10 identities and I am one of those stolen then I would be pretty sure I'm in trouble. If on the other hand I am just one of 10 million then I'm not so scared. I have a lot less chance of them picking out my account to mess with.

  • The impression I get is that most of these hacks targeting big retailers are actually not database penetrations. Malware gets installed on the Point Of Sale terminals, which then skims data from credit card transactions. There are also cases where hackers sniff unencrypted wifi network traffic from POS terminals. Corporate headquarters can lock down their database servers, but sensitive data originates at 100s of local retail outlets which perhaps arn't following the corporation's own security policies when it comes to how the computer equipment is configured or used. I mean, how does malware end up on a POS terminal? Are employees browsing the web on their POS in between customers?

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • To my eyes it's an old debate yet nothing has changed much since.

    It often gets down to "it depends".

    1- Blaming a company for an individual act is no good

    2- The opposite stand as well, blaming an individual for a company act / decision is not better.

    However when talking about responsibilities, people seems to get a narrow vision of what's occurring in general when the issue is much more global.

    As of now I do not have a one size fit all solution nor something that comes close to that.

    But I would take a chance and say "The price is not yet enough to enforce good practices". In others words, chance that something will not happen vs amount of money to cover it if it does.

    1- For individuals, it does mean being fire and it's has heavies consequences short, medium and long term, so I feel there's much less chance that this scenario occurs (still it does)

    2- For a company point of view, it does mean losing some business / public image / relations which is not (most of the time) that much of an heavy scenario (far less dramatic than for an individual). So companies are much willing to take chance an avoid doing much work in securing applications for cost purposes. "If I do it, others companies who won't will benefit from delivering before us and grab the contract so we lose" is often what happen. (Remember why France sold nuclear technology to Irak said? "If we hadn't accepted and sell them other country would have done so). Same mentality applies to company.

    I do not advocate it's good or wrong, just looking at what occurs.

  • Eric M Russell (10/30/2014)


    The impression I get is that most of these hacks targeting big retailers are actually not database penetrations. Malware gets installed on the Point Of Sale terminals, which then skims data from credit card transactions. There are also cases where hackers sniff unencrypted wifi network traffic from POS terminals. Corporate headquarters can lock down their database servers, but sensitive data originates at 100s of local retail outlets which perhaps arn't following the corporation's own security policies when it comes to how the computer equipment is configured or used. I mean, how does malware end up on a POS terminal? Are employees browsing the web on their POS in between customers?

    Some installations of ePOS systems based on PCs rather foolishly leave the base unit on the counter and the back of the base exposed with ports clearly visible. All it takes is plugging in a USB key which runs software on connection. If the machine is not locked down then it is a simple task.

    EDIT: Posted without checking spelling due to automatic install that rebooted PC with 1 minutes warning!!! :angry:

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • While most illicit drug users are otherwise law abiding citizen's there is ample evidence that taking illegal drugs increase your risk of financial criminal activity since the dealers don't fill your demand for their product for free.

  • Robert.Sterbal (10/30/2014)


    While most illicit drug users are otherwise law abiding citizen's there is ample evidence that taking illegal drugs increase your risk of financial criminal activity since the dealers don't fill your demand for their product for free.

    If supervisors are doing their job, then employees with a serious drug problem should be easy to spot in a retail environemnt where they have to stand behind a counter for long hours and constantly interact with customers and coworkers.

    What's harder to spot are external state sponsored hackers (ie: China) or perhaps an internal hacker with political motivations (ie: a US citizen sympathies for Islamic extremism). The credit card data stolen from Home Depot turned up on websites with anti-US propaganda and messages about "retribution for U.S. and European sanctions against Russia for its aggressive actions in Ukraine."

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • If senior management were held accountable to data loss/theft then they would be prepared to do two things; firstly invest in security and secondly delegate responsibility (as opposed to deny responsibility).

    Senior management has a deployable track record. How many DBAs and admins have been denied the resources/process changes for security that could have come from a small percentage of one quarters worth of executive bonuses?

    :angry:

  • I heard through the grapevine that for some of those big retailers that got hacked, it was actually third party vendors that created the security loophole. Either way as a DBA it's hard to hear about such things; we're charged with keeping the data secure, but we can really only protect what's in the database. What happens as it travels to and from the database is beyond our control.

    I do wish there was a central source on what should be done to secure data as a DBA. I work for an online retailer that uses multiple third party solutions for the order management system, product lifecycle management, website, etc. We encrypt the important information at the database level and the third party software does the decryption as needed. We have a firewall to lock down the domain and follow best practices for logins to the database. Is that enough? I don't know, but I'm not sure what else I can do when so much of the process is controlled by our vendors.

    Be still, and know that I am God - Psalm 46:10

  • Robert.Sterbal (10/30/2014)


    While most illicit drug users are otherwise law abiding citizen's there is ample evidence that taking illegal drugs increase your risk of financial criminal activity since the dealers don't fill your demand for their product for free.

    I have not seen any evidence that suggests drug use increases risk of financial criminal activity. Substance abuse, whether legal or illegal, but not substance use. The reason that I make this distinction is twofold:

      1) A positive drugs test (i.e. person has taken substance) statistically leads to too many false positives for risk.

      2) Relying on drugs tests relies on only illegal substances being tested whereas legal substance abuse is as much of a risk.

    So on one hand one is getting too many false positives and on the other hand one is not testing for a significant risk factor.

    I am neither condemning nor condoning any substance use or abuse whether legal or illegal. I am just highlighting that tests for illegal drug use is more flawed than many think for this scenario.

    Athletes are different 😉

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Megistal (10/30/2014)


    ..."The price is not yet enough to enforce good practices"....

    I do not advocate it's good or wrong, just looking at what occurs.

    Totally agree. It is the point I was trying to make but said so succinctly.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • chrisn-585491 (10/30/2014)


    If senior management were held accountable to data loss/theft then they would be prepared to do two things; firstly invest in security and secondly delegate responsibility (as opposed to deny responsibility).

    Senior management has a deplorable track record. How many DBAs and admins have been denied the resources/process changes for security that could have come from a small percentage of one quarters worth of executive bonuses?

    :angry:

    Until senior management are made accountable then the responsibility to implement will not pass down and the requirements to achieve this be passed upwards.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

Viewing 15 posts - 1 through 15 (of 62 total)

You must be logged in to reply to this topic. Login to reply