Data Breach Danger

  • Comments posted to this topic are about the item Data Breach Danger

  • Due to the uncertainty of the result of a data breach combined with the uncertainty of who has been affected and to what degree, I am in favour of sanctions against a business for each and every breach (where inadequate measures were taken) as opposed to compensation to individuals.

    It may be old school (should that be skool?) thinking but I believe that we are all responsible for avoiding and reducing harm to ourselves. In this case that means checking our credit card statements and ignoring cold calls.

    Cold calls are a separate issue entirely and I would like to see these companies eradicated. But, as I say, that is a different matter.

    As for the Texan court case, I dislike the litigious culture but also dislike companies getting away with it.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • The most important problem with security breaches is that, too often, the companies from which personal data (credit card, phone number, ...) has been stolen are burying their heads in the sand, an all too usual behaviour (and too easy a one). They show disdain towards the casualties, and I wonder whether they would have the same answer if these companies (or their staff) had been among the casualties...

    The problem is coming from the hospital, but I recognize that it is difficult to solve (security breaches are always for the other customers; for the moment, no loss for the hospital, so they don't care: it's too easy to bury one's head in the sand rather than to eliminate the problem, maybe because of the money cost...)

    People working in computer security are often doing very good work compared to the money and time spent to eradicate this problem.

    I am sorry for my poor English (I am using the English language only on forums and sometimes on Facebook)

  • The problem is difficult but not unsurmountable.

    Could we develop a schema design pattern that recommends a standard architecture for all databases that involve sensitive public human records, and get it approved by the gov? I am thinking here of a technical requirement to have separate user name and address encrypted tables so that if system security is compromised then the effects of damage from data loss can be minimised. Or some other hashing/indexing technique. Just an idea!

  • I see this as history repeating itself. Only instead of physical theft of valuables, it's virtual theft of intangible values.

    I think of the late 1800s where railroads in the west of the US were at threat from bandits - railroad workers were expected to defend the property of those on the train - train drivers and coal shovellers weren't much use against armed assailants and things progressed to the point where the railroads hired their own 'private armies' of armed railway security known as 'dicks'. These days governments have provided such a widespread network of fast-response police forces that such overt physical attacks on trains and the like are pretty much a thing of the past.

    Today in a database environment, a lot of companies are expecting their data professionals to defend intellectual property from 'digital bandits', and a lot of us aren't that great at it - it's not what we're really trained for - akin to train drivers vs armed bandits. Some companies are hiring data security specialists to protect their data - like the "railroad dicks" of old times. I wonder how long it will be before governments see data security as important as physical security and start to police it?

    I'd like to see government-funded and sanctioned departments of data police assisting companies in implementing best practice at the same time as being on hand to respond electronically to hackers/crackers, tracing them, fighting back digitally against their machines whilst they're in the process of attacking the public in an electronic manner. If a hacker/cracker can bring down a corporate network with coordinated DDOS attacks, couldn't data police do the same to them?

    Ben

    ^ That's me!

    ----------------------------------------
    01010111011010000110000101110100 01100001 0110001101101111011011010111000001101100011001010111010001100101 01110100011010010110110101100101 011101110110000101110011011101000110010101110010
    ----------------------------------------

  • I don't know how one can ever secure data from the outside unless we cut ties from the outside. But then you still have that internal leak to deal with. It was so much simpler when the company only had 5 employees and we weren't connected to the internet. When something came up missing it wasn't that hard to figure out who took it, even when it was the janitor.

  • Ben - That's very interesting. I think there is no doubt that law enforcement is generally way behind the curve regarding computer crime. I'm reading Brian Krebs' book on the subject right now.

  • Iwas Bornready (3/12/2015)


    I don't know how one can ever secure data from the outside unless we cut ties from the outside. But then you still have that internal leak to deal with. It was so much simpler when the company only had 5 employees and we weren't connected to the internet. When something came up missing it wasn't that hard to figure out who took it, even when it was the janitor.

    Exactly. Yes, we do need to secure sites, but a more thoughtful approach to limiting the use of stolen data might be just as wise an approach.

    If your identity is stolen, the credit agencies do not have a financial interest in helping you. And, there are those that are so against government intervention in anything, getting thoughtful regulations to help citizens is difficult - perhaps impossible. I see this getting much worse before common sense kicks in. Until then, lock your credit with all three credit vendors.

    The more you are prepared, the less you need it.

  • This might all slow down if the people who hack into secure databases and steal information or sell it after it is stolen were put permanently out of business.

    Not all gray hairs are Dinosaurs!

  • There was a recent OpEd piece by, IIRC, Bruce Schneier talking about digital intrusion. If your house is broken in to or invaded, you can call law enforcement. If your business is broken in to, you have higher levels of law enforcement if you're a big enough business. If your country is invaded, you have the Army or National Guard to help you.

    Not so with digital intrusion.

    Because we are not trained security specialists and normally don't have access to the network infrastructure, there are severe limits to what we can do to protect ourselves. On our database servers we can make sure no one has admin permissions who doesn't need them, no blank SA passwords or disable the SA account entirely, keep current on patches, deploy crypto if you can, etc. And of course backups: they won't prevent an intrusion but might help you clean up afterwards.

    We did a pen test at my previous gig, and I immediately spotted it in the logs and after quickly documenting it, went to the network admins. Apparently all of my SQL servers resisted the attackers, not so the network servers. Still, I never got to see the final report, something that I found quite vexing.

    We just committed to the new hosted server for my current project, which is a whole additional case of cans of worms. It's the second verse, same as the first: there's only so much that I can do to defend myself, and nothing at all that I can do to defend the network that my server is on. Heck, I can't even talk to their net admins or security people!

    I'd like to order a pen test of my system once I get it up to beta, I wonder if CenturyLink would be OK with that? 😛

    -----
    Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson

  • This is a tough problem. It's not like other issues. If someone breaks into your business it's extremely unlikely you'll be charged with a crime or fined, even if your locks were older designs, or the doors were not as strong as they should be.

    Businesses are accustomed to managing fire and other safety risks as well, but the risks (as well as the approaches to mitigate them) do not change every day. Unlike a fire risk, whose behavior is fairly predictable, you're dealing with a large number of (some very intelligent, and quite possibly more knowledgeable than you) attackers. These are constantly working at subverting your systems, your software, and your workers. Guess what: they will, from time to time, hit something that you never even thought of.

    The blame concept works primarily when there is a valid, standardized safety procedure. There is incentive but also procedures to keep one's building safe by following known standards. Breaches are different, with thousands of attackers, some even supported by governments, it's often more a way of making sure someone takes the fall.

    No matter how much you increase fines, or throw people in jail, you won't make a dent in that problem.

    ...

    -- FORTRAN manual for Xerox Computers --

  • Gary Varga (3/12/2015)


    Due to the uncertainty of the result of a data breach combined with the uncertainty of who has been affected and to what degree, I am in favour of sanctions against a business for each and every breach (where inadequate measures were taken) as opposed to compensation to individuals.

    But, here's a possible issue with something like that:

    Who decides what is or is not adequate measures?

    Here at work, we have to follow the US govmnt STIG checklists. The problem is, if you follow them blindly, you won't have a working system (OS / SQL / whatever) when you're done, so you need to leave some items "unfixed." At that point, have we started to have inadequate measures? Or would it be a set number of items left unfixed (regardless of if they break your system or not,) and again, how many mean inadequate? The only way I could see to have adequate protection is using nothing but paper records, no copiers or faxes, and cameras of any type are forbidden within the business. Even then, someone determined enough would STILL get data out. Air-gapped systems? Sounds good, but remember STUXNET jumped an air gap and there've been recent reports indicating that there ARE viruses / malware that have infected air-gapped systems and retrieved data from them!

    As others have said (new topic,) there's only so much we the IT people can do. In the last week or so, there was a report of a group of people who had been stealing the identities of Blue Cross customers. They didn't hack into the database, or anything exotic like that, no. One of the people involved worked at the BC office, and was taking *pictures* of the information on her computer screen. I almost expect one day some company, in the interests of preventing such comparatively "low tech" insider jobs, will require employees to strip naked before they get to the work areas and either wear a company provided jumpsuit with no pockets and all their personal items left in a locker, or simply work naked...

    I don't WANT to see my co-workers naked! :hehe:

  • jay-h (3/12/2015)


    This is a tough problem...

    No matter how much you increase fines, or throw people in jail, you won't make a dent in that problem.

    Jay, is the only recourse then to back yourself into a corner and take a completely defensive position that you will eventually lose?

    Not all gray hairs are Dinosaurs!

  • jasona.work (3/12/2015)


    Gary Varga (3/12/2015)


    Due to the uncertainty of the result of a data breach combined with the uncertainty of who has been affected and to what degree, I am in favour of sanctions against a business for each and every breach (where inadequate measures were taken) as opposed to compensation to individuals.

    But, here's a possible issue with something like that:

    Who decides what is or is not adequate measures?...

    I know. It's a wicked problem.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • The thing that absolutely pisses me off about all of this is the cavalier attitude that many companies have about their data. I regularly see posts that obviously come from hospitals with clear text columns for SSN and the unencrypted full monty of all other PID on the same rows. I'm also keenly aware of one company that uses SSN as a PK and it's available in at least 40 of their tables. When I approached the "compliance officer" about the problem, she said that the Social Security Administration has no requirements for encryption of SSNs (even though they strongly recommend it). When I asked her why she was so resistant to protecting the information, she said it would be "too costly to change" and that all of the other security methods in place would absolutely prevent any type of misuse or data breach. You can just imagine her response when I told her that as an act of good faith, she should enter all her PID and SSN into the system.

    While there are some laws about what PID actually is, there aren't enough about things like SSNs and there certainly isn't strong enough enforcement for such things as credit card numbers and bank accounts. I can't speak for other data professionals but I've taken a personal stand against all such blatantly stupid storage practices and I've done so for years.

    Although it is possible that there wasn't enough direct evidence in the judgment cited by the article, the fact that such a data breach did occur and that such data probably was used in the plaintiff's demise, I'm appalled that companies and the governments of many levels can continue to get away with this kind of crap.

    And the now decades old decision to change the "Not to be used for identification Purposes" rule for SSNs to virtually everyone using it for everything is testament as to when the stupidity actually started.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


