The Employee Target

  • Because so many breaches stay undetected for years (or forever?) it is not hard to imagine how this data could be used for 'social hacks' or impersonation. Knowing a lot of personal information about staff members makes it quite easy to gain access to corporate data, since I know more than a few staff members that ask their employees to collect and send them data instead of accessing this data themselves, so these employees are quite used to these requests. Using this employee data, a breach may look like an inside job, and it would be very hard to prove otherwise. Though quite modest in numbers, employee data could be even far more valuable to hackers than customer data, not only for access to customer information but also for access to plants, installations and other high risk targets, not to mention business espionage. Just my two cents ...

  • The relative scale and costs of protecting from a breach are mitigating factors for security in general.

    Who do you look to for a listing of breaches and whether or not I'm in one?

    412-977-3526 call/text

  • robert.sterbal 56890 - Monday, February 25, 2019 4:39 AM

    The relative scale and costs of protecting from a breach are mitigating factors for security in general.

    Who do you look to for a listing of breaches and whether or not I'm in one?

    Troy Hunt (Microsoft MVP) does a lot of research on the dark web locating dumps of breached data. He hosts a website service called "Have I Been Pwned" where you can enter your email address or password and determine if it has appeared in any breach. You can also have the service notify you if your email ever appears in a database. Check it out.

    https://haveibeenpwned.com/

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Scary thought, Steve. I suspect that as companies and government agencies become better at protecting themselves from nefarious penetration, criminal or other government agencies will turn towards influencing employees. It's a logical next step. Threaten someone who's already on the inside, get some data you want, etc. Yep, I can see that coming.

    Rod

  • When governments cannot properly secure their data, when mega-corporations cannot secure their data, that's a glaring neon sign saying we need to fraking stop trying to store sensitive data because it's too damn difficult to secure it. This isn't an issue of screwups or bugs, this is a FUNDAMENTAL problem, probably an NP problem.

    We don't know how to secure data. Full stop.

    Yes, we do a fair job of securing data. But in this case "fair" means "not at all". It only takes *ONE* hole in the security to render not only that company but any other company using the same software/framework/consultant group vulnerable. Once the data's gone, it's gone forever and can never be retrieved.

    The problem isn't just that we suck at security. The problem is simply that we do not understand the problem domain, we have never fully understood it, and probably never will. There are too many different ways to screw up security, we're in the position of living in a submarine with a sub-standard pressure hull, and we insist on taking that sub below crush depth. Worse, we encourage everyone, including family to come along for the ride.

    The cloud only makes this worse.

    1. An infinite attack surface, literally any hacker anywhere on the planet can attack the data. If not directly, then through a clueless end-user in the country of interest, even the CITY of interest.

    2. A concentration of valuable data in a single location, making itself an "attractive nuisance" (in the legal sense).

    3. Pressure to get code out the door without the (seemingly) infinite tests required to weld most of the seams in that software pressure hull.

    4. An insistence by every sales-weasel and their brother to collect and squirrel away EVERYTHING THEY CAN about their customer "so we can improve the customer experience".

    Add it up and you end up with the apocalypse we currently have.

    Until the above issues are addressed, and a fundamental new approach (no idea what it might be) is adopted, we are screwed. And it's only getting worse.

  • roger.plowman - Monday, February 25, 2019 9:13 AM

    When governments cannot properly secure their data, when mega-corporations cannot secure their data, that's a glaring neon sign saying we need to fraking stop trying to store sensitive data because it's too damn difficult to secure it. This isn't an issue of screwups or bugs, this is a FUNDAMENTAL problem, probably an NP problem.

    We don't know how to secure data. Full stop.

    Yes, we do a fair job of securing data. But in this case "fair" means "not at all". It only takes *ONE* hole in the security to render not only that company but any other company using the same software/framework/consultant group vulnerable. Once the data's gone, it's gone forever and can never be retrieved.

    The problem isn't just that we suck at security. The problem is simply that we do not understand the problem domain, we have never fully understood it, and probably never will. There are too many different ways to screw up security, we're in the position of living in a submarine with a sub-standard pressure hull, and we insist on taking that sub below crush depth. Worse, we encourage everyone, including family to come along for the ride.

    The cloud only makes this worse.

    1. An infinite attack surface, literally any hacker anywhere on the planet can attack the data. If not directly, then through a clueless end-user in the country of interest, even the CITY of interest.

    2. A concentration of valuable data in a single location, making itself an "attractive nuisance" (in the legal sense).

    3. Pressure to get code out the door without the (seemingly) infinite tests required to weld most of the seams in that software pressure hull.

    4. An insistence by every sales-weasel and their brother to collect and squirrel away EVERYTHING THEY CAN about their customer "so we can improve the customer experience".

    Add it up and you end up with the apocalypse we currently have.

    Until the above issues are addressed, and a fundamental new approach (no idea what it might be) is adopted, we are screwed. And it's only getting worse.

    well said

    412-977-3526 call/text

  • robert.sterbal 56890 - Monday, February 25, 2019 11:53 AM

    roger.plowman - Monday, February 25, 2019 9:13 AM

    When governments cannot properly secure their data, when mega-corporations cannot secure their data, that's a glaring neon sign saying we need to fraking stop trying to store sensitive data because it's too damn difficult to secure it. This isn't an issue of screwups or bugs, this is a FUNDAMENTAL problem, probably an NP problem.

    We don't know how to secure data. Full stop.

    Yes, we do a fair job of securing data. But in this case "fair" means "not at all". It only takes *ONE* hole in the security to render not only that company but any other company using the same software/framework/consultant group vulnerable. Once the data's gone, it's gone forever and can never be retrieved.

    The problem isn't just that we suck at security. The problem is simply that we do not understand the problem domain, we have never fully understood it, and probably never will. There are too many different ways to screw up security, we're in the position of living in a submarine with a sub-standard pressure hull, and we insist on taking that sub below crush depth. Worse, we encourage everyone, including family to come along for the ride.

    The cloud only makes this worse.

    1. An infinite attack surface, literally any hacker anywhere on the planet can attack the data. If not directly, then through a clueless end-user in the country of interest, even the CITY of interest.

    2. A concentration of valuable data in a single location, making itself an "attractive nuisance" (in the legal sense).

    3. Pressure to get code out the door without the (seemingly) infinite tests required to weld most of the seams in that software pressure hull.

    4. An insistence by every sales-weasel and their brother to collect and squirrel away EVERYTHING THEY CAN about their customer "so we can improve the customer experience".

    Add it up and you end up with the apocalypse we currently have.

    Until the above issues are addressed, and a fundamental new approach (no idea what it might be) is adopted, we are screwed. And it's only getting worse.

    well said

    Fully agree

  • Doctor Who 2 - Monday, February 25, 2019 8:47 AM

    Scary thought, Steve. I suspect that as companies and government agencies become better at protecting themselves from nefarious penetration, criminal or other government agencies will turn towards influencing employees. It's a logical next step. Threaten someone who's already on the inside, get some data you want, etc. Yep, I can see that coming.

    Organized crime or state sponsored hacking has always involved social engineering or extortion. I recall a story where a Chinese organization set up a restaurant across the street from an R&D center here in the US for the purpose of bribing Chinese nationals on work visas.
    https://www.networkworld.com/article/2230760/microsoft-subnet/black-duck-eggs-and-other-secrets-of-chinese-hackers.html

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell - Monday, February 25, 2019 12:50 PM

    Doctor Who 2 - Monday, February 25, 2019 8:47 AM

    Scary thought, Steve. I suspect that as companies and government agencies become better at protecting themselves from nefarious penetration, criminal or other government agencies will turn towards influencing employees. It's a logical next step. Threaten someone who's already on the inside, get some data you want, etc. Yep, I can see that coming.

    Organized crime or state sponsored hacking has always involved social engineering or extortion. I recall a story where a Chinese organization set up a restaurant across the street from an R&D center here in the US for the purpose of bribing Chinese nationals on work visas.
    https://www.networkworld.com/article/2230760/microsoft-subnet/black-duck-eggs-and-other-secrets-of-chinese-hackers.html

    Oh WOW, I hadn't heard about that, Eric. Makes sense, though.

    Rod

  • In addition to protecting your organization's IT from external threats using firewalls, passwords, and encryption, we also need to implement internal security controls, like least privilege. That way, even if one of our fellow employees does get compromised, the risk is minimized.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Completely agree. This is one area that I think we do poorly as an industry, and really, the controls for doing this better are cumbersome.

    I'd really like "sa"/sysadmin to be able to do everything except read data in a database by default.
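The "administer everything, read nothing" idea above cannot be applied to sa or to any member of sysadmin today, because sysadmin bypasses every permission check. What can be done is to give the day-to-day DBA account a separate principal whose grants stop short of SELECT. The following T-SQL is an added example written for this thread, not code from any of the posters; the names ops_db, dbo.Employees, sys_ops, dba_noread and ops_dba are constructed for the demo, and it assumes SQL Server 2012 or later (user-defined server roles).

```sql
-- Added example, not code from the thread: a DBA principal that can
-- administer objects but cannot read rows. ops_db, dbo.Employees,
-- sys_ops, dba_noread and ops_dba are constructed names for this demo.
-- Assumes SQL Server 2012 or later (user-defined server roles).

-- Server level: a custom role for monitoring and instance administration.
-- Deliberately no sysadmin membership (sysadmin bypasses every permission
-- check) and no CONTROL SERVER (which implies access to all data).
CREATE SERVER ROLE sys_ops;
GRANT VIEW SERVER STATE, VIEW ANY DEFINITION, ALTER ANY DATABASE TO sys_ops;

CREATE LOGIN ops_dba WITH PASSWORD = N'<Replace-With-A-Strong-Password-1>';
ALTER SERVER ROLE sys_ops ADD MEMBER ops_dba;
GO

USE ops_db;   -- constructed database name
GO
CREATE TABLE dbo.Employees (
    EmployeeId int IDENTITY PRIMARY KEY,
    LastName   nvarchar(100) NOT NULL,
    Salary     decimal(12, 2) NOT NULL   -- the sensitive column to keep hidden
);

CREATE USER ops_dba FOR LOGIN ops_dba;
CREATE ROLE dba_noread;

-- ALTER on the schema covers CREATE INDEX, ALTER TABLE, index rebuilds and
-- UPDATE STATISTICS on every object in it; VIEW DEFINITION exposes metadata.
-- Neither permission implies SELECT, so row data stays out of reach.
GRANT ALTER, VIEW DEFINITION ON SCHEMA::dbo TO dba_noread;
GRANT VIEW DATABASE STATE TO dba_noread;

-- Explicit DENY: if the account is later added to db_datareader by mistake,
-- the DENY still wins over that GRANT.
DENY SELECT ON SCHEMA::dbo TO dba_noread;

ALTER ROLE dba_noread ADD MEMBER ops_dba;
GO

-- Check the effective permissions by impersonating the new user
-- (HAS_PERMS_BY_NAME returns 1 when the permission is effective, 0 when not).
EXECUTE AS USER = N'ops_dba';
SELECT HAS_PERMS_BY_NAME(N'dbo.Employees', N'OBJECT', N'SELECT') AS can_read,
       HAS_PERMS_BY_NAME(N'dbo.Employees', N'OBJECT', N'ALTER')  AS can_alter;
REVERT;
GO
```

With this setup the impersonated check reports can_read = 0 and can_alter = 1: the account can build and maintain indexes on dbo.Employees but cannot query Salary. Two caveats a practitioner should keep in mind: DDL rights still leave indirect routes to data (BACKUP DATABASE, for instance, must not be granted to this role, and any procedure-creation right reintroduces ownership-chaining questions), so auditing the account's activity stays necessary; and the real-world payoff is that the sa or sysadmin credential is no longer the one sitting in every SSMS session all day.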

  • Steve Jones - SSC Editor - Wednesday, February 27, 2019 8:49 AM

    Completely agree. This is one area that I think we do poorly as an industry, and really, the controls for doing this better are cumbersome.

    I'd really like "sa"/sysadmin to be able to do everything except read data in a database by default.

    Can you explain or link to an explanation of this idea?

    As a production DBA I would find this very difficult to work and document.

    412-977-3526 call/text

  • robert.sterbal 56890 - Thursday, February 28, 2019 1:29 AM

    Steve Jones - SSC Editor - Wednesday, February 27, 2019 8:49 AM

    Completely agree. This is one area that I think we do poorly as an industry, and really, the controls for doing this better are cumbersome.

    I'd really like "sa"/sysadmin to be able to do everything except read data in a database by default.

    Can you explain or link to an explanation of this idea?

    As a production DBA I would find this very difficult to work and document.

    There are also plenty of infrastructure DBAs who don't need access to the data and don't even know how to construct a SELECT statement, so they can go in one of the other specialized server admin roles. However, performance tuning, troubleshooting, and one-off querying in production is a significant part of my role, so I rely on having select access on any table.

    I do feel that we could use additional ApplicationIntent connection options, something like "NoRead" and "NoWrite", that we can use by default to protect us from inadvertently modifying data or objects while performing our routine administrative tasks. For example, the existing "ReadOnly" option will re-route to a readable secondary, but that's intended more for end users. As sysadmins, sometimes we may want to connect to any server, including the primary in an AOG cluster, by default in read-only mode. For example, I'll admit that there has been more than one occasion (rarely over a span of 20 years) where I have run something like a CREATE INDEX or INSERT INTO statement - thinking that I was sitting on development at the time - but soon afterward realized my mistake. So, I'd like to see a checkbox on the SSMS connection dialog that means: "Yes, I'm about to deploy something this morning, so go ahead and escalate this session to Read/Write".

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
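The "escalate this session to Read/Write" checkbox Eric describes does not exist in SSMS, but the CREATE INDEX half of his story can be guarded server-side today: a database-scoped DDL trigger that rolls back schema changes unless the session has explicitly opted in through SESSION_CONTEXT. This is an added example written for the thread, not anything the posters or Microsoft ship; ops_db, dbo.Scratch, the trigger name and the deploy_mode key are constructed for the demo, and it assumes SQL Server 2016 or later (sp_set_session_context).

```sql
-- Added example, not code from the thread: a database-scoped DDL trigger that
-- rejects schema changes unless the session has opted in to "deploy mode".
-- ops_db, dbo.Scratch, trg_require_deploy_mode and the deploy_mode key are
-- constructed names. Assumes SQL Server 2016+ for SESSION_CONTEXT.
USE ops_db;
GO
CREATE TRIGGER trg_require_deploy_mode
ON DATABASE
FOR DDL_DATABASE_LEVEL_EVENTS
AS
BEGIN
    -- SESSION_CONTEXT returns sql_variant, and NULL when the key was never set,
    -- so an unflagged session falls through to the block below.
    IF ISNULL(CAST(SESSION_CONTEXT(N'deploy_mode') AS int), 0) <> 1
    BEGIN
        -- EVENTDATA() carries the statement that fired the trigger; keep the
        -- first 200 characters so the error message says what was stopped.
        DECLARE @stmt nvarchar(200) = LEFT(EVENTDATA().value(
            '(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)'), 200);
        RAISERROR(N'DDL blocked: this session is not in deploy mode. Statement: %s',
                  16, 1, @stmt);
        -- DDL triggers run inside the statement's transaction, so the
        -- rollback undoes the change and aborts the batch.
        ROLLBACK;
    END
END;
GO

-- Routine admin session: an accidental DDL statement is rejected.
CREATE TABLE dbo.Scratch (Id int);
GO

-- Deliberate deployment: opt in first. @read_only = 1 freezes the flag for
-- the rest of the session, so nothing later in the same session can
-- silently flip it; open a fresh connection to get back to guarded mode.
EXEC sp_set_session_context @key = N'deploy_mode', @value = 1, @read_only = 1;
CREATE TABLE dbo.Scratch (Id int);
GO
```

Two limits matter. The trigger only sees DDL, so the INSERT INTO half of Eric's example would need per-table DML triggers or an application-side guard; and because dropping the trigger is itself DDL, a sysadmin who wants to remove it must set deploy_mode first, which is the point: it is a seatbelt against the "thought I was on development" mistake, not a security boundary against an administrator who intends to change things.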
