I was surprised again last night by another news report that yet another company has joined the long list of companies that have had data compromised. Even the short list of such companies includes names that many of us know. I even know people personally who have gone out and canceled credit cards just to decrease the odds they will be affected. What surprises me the most is how companies are reacting, or not reacting, to the recent security breaches. I hope there are many companies looking at the list and terrified they are next. Each time I hear of a new security breach I can’t help but think of a couple of key points.
Are we seeing just the smash-and-grab jobs? Consider this: say you owned a large retail store, one that sells just about everything under the sun. If you had 300,000 products in your store, would you notice if 4 or 5 went missing? What if 3,000 of those 300,000 products were televisions? Would you notice 4 or 5 TVs missing? Chances are you wouldn’t, and if you did, how long would it take you to discover they were gone? Now what if those TVs were magic TVs, the kind you could copy? If someone made a copy of a TV and walked out the door, would you, the store owner, ever know? I ask these questions because it appears to me that no one notices data is missing until large amounts of it are compromised. One could argue that the large numbers reported come from data that was at risk and that it may not have been taken at all. There was a movie a number of years ago, I think it was Swordfish or something like it. Anyway, the way the thief got away with the crime was to take just a small amount of money from many people, rather than a large amount from a few. The idea is that an individual may not miss a penny or two, but when a penny or two is removed from millions of transactions, the pennies are well worth it. If we are only hearing about the smash-and-grabs on the news, how much is happening that we don’t know about?
Security is a Puzzle. A few years ago I had to pass a security certification for a position I held with the US government. One of the principal points I learned was that, as a whole, security is a puzzle. To someone who wants the data on the other side, the security we have in place is nothing more than an elaborate puzzle they need to get through. If you were a hacker, what information would you need to know to start? Sure, you need the skills it requires, but there is more. What if I were a cat burglar? If I wanted to bypass the alarm system at a museum, wouldn’t it help if I knew what kind of alarm it was? If I knew the maker of the alarm, would the model number help me? Each piece of information I have as a cat burglar is one more variable I can remove, and as I remove variables, solving the puzzle becomes just that much easier. We have to identify all the places where we are handing the keys to the bad guys. To log on to a system you need at least a couple of pieces of information: a user account and a password. Is the user account on the screen? Is the password on a sticky note? When you go to a web page and there is an error in the code, does it tell you the company is running MySQL, or that the web server is Apache?
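One way to look for the puzzle pieces a web application hands out in its error pages and headers, as an added example that is not part of the original post: a small checker you can run over your own site’s responses. The patterns and the two sample responses are constructed for illustration and are not captured from any real server.

```python
import re

# Header values that name a product or version give an outsider a puzzle piece.
HEADER_CHECKS = {
    "Server": re.compile(r"[\w-]+/\d[\w.]*"),   # e.g. "Apache/2.4.41": product plus version
    "X-Powered-By": re.compile(r".+"),           # any value names the application stack
    "X-AspNet-Version": re.compile(r".+"),
}

# Body text that reveals the database, the language runtime, or file system layout.
BODY_CHECKS = [
    ("mysql error", re.compile(r"You have an error in your SQL syntax|MySQL server version", re.I)),
    ("php warning", re.compile(r"<b>(Warning|Fatal error)</b>:.*on line \d+", re.I)),
    ("stack trace", re.compile(r"Traceback \(most recent call last\)|at [\w.$]+\(\w+\.java:\d+\)")),
    ("absolute path", re.compile(r"/var/www/|/home/\w+/|[A-Z]:\\inetpub\\")),
]


def find_disclosures(headers, body):
    """Return a list of (where, detail) findings for one HTTP response.

    headers: dict of response header name -> value; body: response text.
    An empty list means none of the known disclosure patterns matched.
    """
    findings = []
    for name, pattern in HEADER_CHECKS.items():
        for key, value in headers.items():
            if key.lower() == name.lower() and pattern.search(value):
                findings.append(("header", f"{name}: {value}"))
    for label, pattern in BODY_CHECKS:
        match = pattern.search(body)
        if match:
            findings.append(("body", f"{label}: {match.group(0)[:60]}"))
    return findings


# Constructed sample responses: a verbose error page and a hardened one.
LEAKY_HEADERS = {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3",
                 "Content-Type": "text/html"}
LEAKY_BODY = ("<b>Warning</b>: mysqli_query(): You have an error in your SQL syntax; "
              "check the manual that corresponds to your MySQL server version in "
              "/var/www/html/shop/cart.php on line 42")
HARDENED_HEADERS = {"Server": "", "Content-Type": "text/html"}
HARDENED_BODY = "<h1>Something went wrong</h1><p>Reference ID 7f3a-2b. Please try again.</p>"

if __name__ == "__main__":
    for label, hdrs, body in (("leaky", LEAKY_HEADERS, LEAKY_BODY),
                              ("hardened", HARDENED_HEADERS, HARDENED_BODY)):
        print(label, find_disclosures(hdrs, body))
```

The hardened response still tells the user something went wrong, but the product names, version numbers and file path that the verbose page hands out are replaced by an opaque reference ID that only the operator can look up in the server logs.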
Take a look around: how can you help remove the pieces of the puzzle your organization is willing to share?