SQLServerCentral Editorial

Data Security Woes

It seems as though I see a regular stream of data security issues appearing in the news. This week was no exception, though news added detail to previous issues, and the attacks were slightly different than I've seen in the past, which is a bit disconcerting. The Charge Anywhere attack, which has apparently been ongoing since 2009, added a note that some of the data that should have been secured was sent in plaintext. That's a bad decision and certainly bad architecture. Even in 2007 or 2008 when coding was done, plaintext was a no-no.

However, the big news of the week continued to be the Sony hack, which we learned more about. Although the malware was sophisticated, we also learned that attacks on one part of the network didn't cause changes in other parts, which were then successfully hacked. There's certainly a lesson here. If you have a server system attacked, you don't want that to continue. When you have an idea of how the attack occurred, you should immediately devote some resources to ensuring other systems you own are not attacked.

Criminals are getting more sophisticated, which means more headaches for us as data professionals. The FBI estimates that 90% of the defenses we put up would have been bypassed by the attack. I'm not sure if that means that the criminals are incredibly smart or the way most of us implement security is done poorly. While there are limits to what we can do as system administrators, we should continue to work at being better. We certainly need to.

I would also think that we should be planning on regular refactoring of our code, just for security purposes. I don't know how much it will help, but as we learn more about security, if we've allowed for changes, we should implement them. I know most of you don't get to make this decision, but perhaps sending a few headlines to your boss might help.

The last thing I noted this week on the security front was a blog from Bruce Schneier. He talks about sophisticated malware that's been invading various companies and networks. While there are a variety of countries that are suspected of deploying various viruses over the years, he's concerned that the Regin malware might be engineered by the United States. That's not surprising because I would expect the US, along with other countries, to be engaged in these types of activities. What's disconcerting, however, is the fact that the various anti-virus companies were slow to remove this software from machines. It's bad enough that we might have to contend with stealthy government attacks, but it's much more disconcerting that private companies don't perform at their best to disclose information to us.

Security seems to be a big mess, and getting bigger all the time. Between criminals and governments, it appears that many of us working with data have little chance to defend our networks. I just hope our management understands that we can continue to strive to do the best we can as professionals, but we may not have much success.
