The Employee Target

Steve Jones
SSC Guru
Comments posted to this topic are about the item The Employee Target

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
vliet
SSCommitted
Because so many breaches stay undetected for years (or forever?) it is not hard to imagine how this data could be used for 'social hacks' or impersonation. Knowing a lot of personal information about staff members makes it quite easy to gain access to corporate data, since I know more than a few staff members that ask their employees to collect and send them data instead of accessing this data themselves, so these employees are quite used to these requests. Using this employee data a breach may look like an inside job, and it would be very hard to prove otherwise. Though quite modest in numbers, employee data could be even far more valuable to hackers than customer data, not only for access to customer information but also for access to plants, installations and other high risk targets, not to mention business espionage. Just my two cents ...
robert.sterbal 56890
SSChampion
The relative scale and costs of protecting from a breach are mitigating factors for security in general.

Who do you look to for a listing of breaches and whether or not I'm in one?
Eric M Russell
SSC Guru
robert.sterbal 56890 - Monday, February 25, 2019 4:39 AM
The relative scale and costs of protecting from a breach are mitigating factors for security in general.

Who do you look to for a listing of breaches and whether or not I'm in one?

Troy Hunt (Microsoft MVP) does a lot of research on the dark web locating dumps of breached data. He hosts a website service called "Have I Been Pwned" where you can enter your email address or password and determine if it has appeared in any breach. You can also have the service notify you if your email ever appears in a database. Check it out.

https://haveibeenpwned.com/
"The universe is complicated and for the most part beyond your control, but your life is only as complicated as you choose it to be."
Rod Falanga
SSCertifiable
Scary thought, Steve. I suspect that as companies and government agencies become better at protecting themselves from nefarious penetration, criminal or other government agencies will turn towards influencing employees. It's a logical next step. Threaten someone who's already on the inside, get some data you want, etc. Yep, I can see that coming.

Rod
roger.plowman
SSCrazy Eights
When governments cannot properly secure their data, when mega-corporations cannot secure their data, that's a glaring neon sign saying we need to fraking stop trying to store sensitive data because it's too damn difficult to secure it. This isn't an issue of screwups or bugs, this is a FUNDAMENTAL problem, probably an NP problem.

We don't know how to secure data. Full stop.

Yes, we do a fair job of securing data. But in this case "fair" means "not at all". It only takes *ONE* hole in the security to render not only that company but any other company using the same software/framework/consultant group vulnerable. Once the data's gone, it's gone forever and can never be retrieved.

The problem isn't just that we suck at security. The problem is simply that we do not understand the problem domain, we have never fully understood it, and probably never will. There are too many different ways to screw up security, we're in the position of living in a submarine with a sub-standard pressure hull, and we insist on taking that sub below crush depth. Worse, we encourage everyone, including family to come along for the ride.

The cloud only makes this worse.

1. An infinite attack surface, literally any hacker anywhere on the planet can attack the data. If not directly, then through a clueless end-user in the country of interest, even the CITY of interest.

2. A concentration of valuable data in a single location, making itself an "attractive nuisance" (in the legal sense).

3. Pressure to get code out the door without the (seemingly) infinite tests required to weld most of the seams in that software pressure hull.

4. An insistence by every sales-weasel and their brother to collect and squirrel away EVERYTHING THEY CAN about their customer "so we can improve the customer experience".

Add it up and you end up with the apocalypse we currently have.

Until the above issues are addressed, and a fundamental new approach (no idea what it might be) is adopted, we are screwed. And it's only getting worse.
robert.sterbal 56890
SSChampion
roger.plowman - Monday, February 25, 2019 9:13 AM
When governments cannot properly secure their data, when mega-corporations cannot secure their data, that's a glaring neon sign saying we need to fraking stop trying to store sensitive data because it's too damn difficult to secure it. This isn't an issue of screwups or bugs, this is a FUNDAMENTAL problem, probably an NP problem.

We don't know how to secure data. Full stop.

Yes, we do a fair job of securing data. But in this case "fair" means "not at all". It only takes *ONE* hole in the security to render not only that company but any other company using the same software/framework/consultant group vulnerable. Once the data's gone, it's gone forever and can never be retrieved.

The problem isn't just that we suck at security. The problem is simply that we do not understand the problem domain, we have never fully understood it, and probably never will. There are too many different ways to screw up security, we're in the position of living in a submarine with a sub-standard pressure hull, and we insist on taking that sub below crush depth. Worse, we encourage everyone, including family to come along for the ride.

The cloud only makes this worse.

1. An infinite attack surface, literally any hacker anywhere on the planet can attack the data. If not directly, then through a clueless end-user in the country of interest, even the CITY of interest.

2. A concentration of valuable data in a single location, making itself an "attractive nuisance" (in the legal sense).

3. Pressure to get code out the door without the (seemingly) infinite tests required to weld most of the seams in that software pressure hull.

4. An insistence by every sales-weasel and their brother to collect and squirrel away EVERYTHING THEY CAN about their customer "so we can improve the customer experience".

Add it up and you end up with the apocalypse we currently have.

Until the above issues are addressed, and a fundamental new approach (no idea what it might be) is adopted, we are screwed. And it's only getting worse.

well said

Aleksl-294755
Hall of Fame
robert.sterbal 56890 - Monday, February 25, 2019 11:53 AM
roger.plowman - Monday, February 25, 2019 9:13 AM
When governments cannot properly secure their data, when mega-corporations cannot secure their data, that's a glaring neon sign saying we need to fraking stop trying to store sensitive data because it's too damn difficult to secure it. This isn't an issue of screwups or bugs, this is a FUNDAMENTAL problem, probably an NP problem.

We don't know how to secure data. Full stop.

Yes, we do a fair job of securing data. But in this case "fair" means "not at all". It only takes *ONE* hole in the security to render not only that company but any other company using the same software/framework/consultant group vulnerable. Once the data's gone, it's gone forever and can never be retrieved.

The problem isn't just that we suck at security. The problem is simply that we do not understand the problem domain, we have never fully understood it, and probably never will. There are too many different ways to screw up security, we're in the position of living in a submarine with a sub-standard pressure hull, and we insist on taking that sub below crush depth. Worse, we encourage everyone, including family to come along for the ride.

The cloud only makes this worse.

1. An infinite attack surface, literally any hacker anywhere on the planet can attack the data. If not directly, then through a clueless end-user in the country of interest, even the CITY of interest.

2. A concentration of valuable data in a single location, making itself an "attractive nuisance" (in the legal sense).

3. Pressure to get code out the door without the (seemingly) infinite tests required to weld most of the seams in that software pressure hull.

4. An insistence by every sales-weasel and their brother to collect and squirrel away EVERYTHING THEY CAN about their customer "so we can improve the customer experience".

Add it up and you end up with the apocalypse we currently have.

Until the above issues are addressed, and a fundamental new approach (no idea what it might be) is adopted, we are screwed. And it's only getting worse.

well said
Fully agree
Eric M Russell
SSC Guru
Doctor Who 2 - Monday, February 25, 2019 8:47 AM
Scary thought, Steve. I suspect that as companies and government agencies become better at protecting themselves from nefarious penetration, criminal or other government agencies will turn towards influencing employees. It's a logical next step. Threaten someone who's already on the inside, get some data you want, etc. Yep, I can see that coming.

Organized crime or state sponsored hacking has always involved social engineering or extortion. I recall a story where a Chinese organization set up a restaurant across the street from an R&D center here in the US for the purpose of bribing Chinese nationals on work visas.
https://www.networkworld.com/article/2230760/microsoft-subnet/black-duck-eggs-and-other-secrets-of-chinese-hackers.html
"The universe is complicated and for the most part beyond your control, but your life is only as complicated as you choose it to be."
Rod Falanga
SSCertifiable
Eric M Russell - Monday, February 25, 2019 12:50 PM
Doctor Who 2 - Monday, February 25, 2019 8:47 AM
Scary thought, Steve. I suspect that as companies and government agencies become better at protecting themselves from nefarious penetration, criminal or other government agencies will turn towards influencing employees. It's a logical next step. Threaten someone who's already on the inside, get some data you want, etc. Yep, I can see that coming.

Organized crime or state sponsored hacking has always involved social engineering or extortion. I recall a story where a Chinese organization set up a restaurant across the street from an R&D center here in the US for the purpose of bribing Chinese nationals on work visas.
https://www.networkworld.com/article/2230760/microsoft-subnet/black-duck-eggs-and-other-secrets-of-chinese-hackers.html
Oh WOW, I hadn't heard about that, Eric. Makes sense, though.

Rod