Spend More on Security
Steve Jones
Comments posted to this topic are about the item Spend More on Security

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
jay-h
The problem is more tricky than code fixes.

Many breaches are caused by social engineering. Others are caused by third, fourth or fifth parties. Some are caused by bugs in application libraries that we have no access to. And even the coding errors are frequently obscure, found by very motivated, resourceful and smart individuals (to compare, fire doesn't change tactics over the years, so fire safety can be handled by static rules). Raising legal costs probably won't eliminate it, any more than raising punishments for those at fault eliminates automobile accidents. Our own military and government agencies have been hacked, so I'm not sure they're in a position to define security.


Interestingly, the hotel hack appears to NOT have been a normal criminal activity. The account information has not appeared on the black market, and nothing seems to have happened with the credit card information. The theory I've heard is that the attackers were after passport and travel info, which can be an opening for social engineering attacks on executives and government officials ("Hi, do you remember me, we met at the engineering conference in Barcelona last month"). If that's true, this is a nation state job, operating at a level that most IT departments are not prepared to match.

...

-- FORTRAN manual for Xerox Computers --
Jeff Mlakar
IMO until the liability landscape shifts toward making collectors of data responsible and accountable for data leaks nothing will change. They won't spend more money because it is foolish to. It is cheaper for them to just do what they do now: say they got caught with their pants down, are very sorry, and buy people credit monitoring services.

I too wish security was more of an emphasis but I cannot see change unless liability is impacted. How to do that is always the tricky thing. It could be something like what the EU has with GDPR. It could be a change in civil lawsuits so people can sue for damages, it could be increased regulation and standards enforcement. Hard to say which is best.

Lastly - there are some rare cases where there's not much more the company could have reasonably done to prevent a breach. I know, I know, most leaks are due to poor security and practices. However, in cases where it is unreasonable to blame them (like a nation state attack or something) it becomes a different story. Not so easy....
hakim.ali
Of course we should ask any entity that collects our data to be accountable for it, but imho we also need to accept and internalize that:

1. Our sensitive data will get out into the world. It is just a matter of time. Whether it is because of any given company's lax security policy, or malicious actions by internal/external personnel, or intentional selling of user data without approval (*cough* Facebook *cough*).

2. We individually need to own some part of keeping our data safe, or implementing processes that won't hurt us too badly when our data gets out. This includes, among other things:
- Locking our credit reports
- Not using the same password on more than one site
- Not using the same credit card number on more than one site (the one I use allows me to create unlimited virtual numbers, so I create a new one for each website I do business with; there are 3rd party providers that will also do this for you), so if one site is hacked you don't have to change it everywhere else.

Hakim Ali
www.sqlzen.com
jay-h
hakim.ali - Thursday, December 20, 2018 8:12 AM
Of course we should ask any entity that collects our data to be accountable for it, but imho we also need to accept and internalize that:

1. Our sensitive data will get out into the world. It is just a matter of time. Whether it is because of any given company's lax security policy, or malicious actions by internal/external personnel, or intentional selling of user data without approval (*cough* Facebook *cough*).

2. We individually need to own some part of keeping our data safe, or implementing processes that won't hurt us too badly when our data gets out. This includes, among other things:
- Locking our credit reports
- Not using the same password on more than one site
- Not using the same credit card number on more than one site (the one I use allows me to create unlimited virtual numbers, so I create a new one for each website I do business with; there are 3rd party providers that will also do this for you), so if one site is hacked you don't have to change it everywhere else.

Agreed. No amount of regulation will really stop eventual leakage, just as strict laws do not eliminate auto crashes. That's why we have airbags, seatbelts and ambulance services... to reduce the damage when the inevitable happens.

But things can be done at the user level and the payment level. Outfits like Facebook have no interest in restricting your information, as compared to a normal business which has a commercial interest in NOT sharing their customer list. One thing that would help is the ability to generate a crypto key to lock a credit card to a single vendor. Hence any theft of the CC information would be useless anywhere else, but it still provides the convenience of reordering from the legitimate vendor.

Also we should NOT be using biological ID (especially over the net) or other not readily changeable information (birth, SS, family etc). All identification should be quickly and effectively cancelable.


...

-- FORTRAN manual for Xerox Computers --
Eric M Russell
One thing that almost all data breaches have in common is that they involve data access patterns that are not typical. The hacker must poke around, exploring for vulnerabilities, and then download protected data in bulk. There are monitoring tools that can help detect and block that type of thing.


"The universe is complicated and for the most part beyond your control, but your life is only as complicated as you choose it to be."
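The two signals Eric describes, exploratory access to objects a principal never normally touches and bulk reads far above its usual session volume, can be checked against a per-principal baseline. The following Python is an added example, not code from the thread or from any monitoring product; the audit record layout (principal, session id, object name, rows read) and every sample row are constructed assumptions.

```python
"""Flag atypical data-access sessions against a per-principal baseline.

Constructed audit rows: (principal, session_id, object, rows_read).
Two detections: (1) a session's total rows read exceeds the principal's
historical mean by z standard deviations, (2) a session touches an object
the principal has never read before. Names and numbers are made up.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "normal" history for one application account.
BASELINE_LOG = [
    ("app_svc", 1, "dbo.Orders", 120), ("app_svc", 2, "dbo.Orders", 150),
    ("app_svc", 3, "dbo.Customers", 40), ("app_svc", 4, "dbo.Orders", 130),
    ("app_svc", 5, "dbo.Customers", 35), ("app_svc", 6, "dbo.Orders", 140),
]

# Constructed new activity: one normal session, one exploratory probe,
# one bulk download of a table the account already reads routinely.
NEW_LOG = [
    ("app_svc", 7, "dbo.Orders", 125),
    ("app_svc", 8, "dbo.Passports", 5),
    ("app_svc", 9, "dbo.Customers", 900000),
]


def build_baseline(log):
    """Per principal: (set of objects read, mean rows/session, stdev)."""
    objects, per_session = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for principal, session, obj, rows in log:
        objects[principal].add(obj)
        per_session[principal][session] += rows
    return {p: (objects[p], mean(s.values()), pstdev(s.values()))
            for p, s in per_session.items()}


def detect_anomalies(baseline, log, z=3.0):
    """Return sorted (session_id, reason) pairs for suspicious sessions."""
    alerts, totals, novel = [], defaultdict(int), {}
    for principal, session, obj, rows in log:
        known = baseline.get(principal, (set(), 0.0, 0.0))[0]
        totals[(principal, session)] += rows
        if obj not in known:  # first-ever access: the "poking around" signal
            novel.setdefault((principal, session), obj)
    for (principal, session), rows in totals.items():
        known, mu, sigma = baseline.get(principal, (set(), 0.0, 0.0))
        # Floor sigma at 1 so a flat history still yields a usable threshold.
        if principal not in baseline or rows > mu + z * max(sigma, 1.0):
            alerts.append((session, f"bulk read: {rows} rows vs mean {mu:.0f}"))
    alerts += [(s, f"first access to {o}") for (_, s), o in novel.items()]
    return sorted(alerts)
```

In practice the baseline would be built from real audit history (SQL Server Audit or a similar source) rather than the embedded sample, and the alerts fed to whatever blocks or pages on-call staff.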