Bank robber Willie Sutton, when asked why he robbed banks, answered “That’s where the money is”. It’s the same with breaches. Large databases are the targets of people who want data. It’s that simple.
Having said that, there are different sorts of breaches and corresponding causes. Most high profile breaches are obviously driven by financial crime, where attackers typically grab payment card details. Breaches are what powers most card fraud. Organised crime gangs don’t pilfer card numbers one at a time from people’s computers or insecure websites (and so the standard advice to consumers to change their passwords every month and to make sure they see a browser padlock is nice but don’t think it will do anything to stop mass card fraud).
Instead of blaming end user failings, we need to really turn up the heat on enterprise IT. The personal data held by big merchant organisations (including even mundane operations like car parking chains) is now worth many hundreds of millions of dollars. If this kind of value was in the form of cash or gold, you’d see Fort Knox-style security around it. Literally. But how much money does even the biggest enterprise invest in security? And what do they get for their money?
The grim reality is that no amount of conventional IT security today can prevent attacks on assets worth billions of dollars. The simple economics is against us. It’s really more a matter of luck than good planning that some large organisations have yet to be breached (and that’s only so far as we know).
Organised crime is truly organised. If it’s card details they want, they go after the big data stores, at payments processors and large retailers. The sophistication of these attacks is amazing even to security pros. The attack on Target’s Point of Sale terminals for instance was in the “can’t happen” category.
The other types of criminal breach include mischief, as when the iCloud photos of celebrities were leaked last year, hacktivism, and political or cyber terrorist attacks, like the one on Sony.
There’s some evidence that identity thieves are turning now to health data to power more complex forms of crime. Instead of stealing and replaying card numbers, identity thieves can use deeper, broader information like patient records to either commit fraud against health system payers, or to open bogus accounts and build them up into complex scams. The recent Anthem database breach involved extensive personal records on 80 million individuals; we have yet to see how these details will surface in the identity black markets.
The ready availability of stolen personal data is one factor we find to be driving Identity and Access Management (IDAM) innovation; see “The State of Identity Management in 2015”. Next generation IDAM will eventually make stolen data less valuable, but for the foreseeable future, all enterprises holding large customer datasets we will remain prime targets for identity thieves.
Now let’s not forget simple accidents. The Australian government for example has had some clangers though these can happen to any big organisation. A few months ago a staffer accidentally attached the wrong a file to an email, and thus released the passport details of the G20 leaders. Before that, we saw a spreadsheet holding personal details of thousands of asylum seekers get mistakenly pasted into a government website HTML.
A lesson I want to bring out here is the terrible complexity and fragility of our IT systems. It doesn’t take much for human error to have catastrophic results. Who among us has not accidentally hit ‘Reply All’ or attached the wrong file to an email? If you did an honest Threat & Risk Assessment on these sorts of everyday office systems, you’d have to conclude they are not safe to handle sensitive data nor to be operated by most human beings. But of course we simply can’t afford notto use office IT. We’ve created a monster.
Again, criminal elements know this. The expert cryptographer Bruce Schneier once said “amateurs hack systems, professionals hack people”. Access control on today’s sprawling complex computer systems is generally poor, leaving the way open for inside jobs. Just look at the Chelsea Manning case, one of the worst breaches of all time, made possible by granting too high access privileges to too many staffers.
Outside government, access control is worse, and so is access logging – so system administrators often can’t tell there’s even been a breach until circumstantial evidence emerges. I am sure the majority of breaches are occurring without anyone knowing. It’s simply inevitable.
Look at hotels. There are occasional reports of hotel IT breaches, but they are surely happening continuously. The guest details held in hotels is staggering – payment card details, license plates, travel itineraries including airline flight details, even passport numbers are held by some places. And these days, with global hotel chains, the whole booking database is available to a rogue employee from any place in the world, 24-7.
Please, don’t anyone talk to me about PCI-DSS! The Payment Card Industry Data Security Standards for protecting cardholder details haven’t had much effect at all. Some of the biggest breaches of all time have affected top tier merchants and payments processors which appear to have been PCI compliant. Yet the lawyers for the payments institutions will always argue that such-and-such a company wasn’t “really” compliant. And the PCI auditors walk away from any liability for what happens in between audits. You can understand their position; they don’t want to be accountable for wrong doings or errors committed behind their backs. However, cardholders and merchants are caught in the middle. If a big department store passes its PCI audits, surely we can expect them to be reasonably secure year-long? No, it turns out that the day after a successful audit, an IT intern can mis-configure a firewall or forget a patch; all those defences become useless, and the audit is rendered meaningless.
Which reinforces my point about the fragility of IT: it’s impossible to make lasting security promises anymore.
In any case, PCI is really just a set of data handling policies and promises. They improve IT security hygiene, and ward off amateur attacks. But they are useless against organised crime or inside jobs.
There is an increasingly good argument to outsource data management. Rather than maintain brittle databases in the face of so much risk, companies are instead turning to large reputable cloud services, where the providers have the scale, resources and attention to detail to protect data in their custody. I previously looked at what matters in choosing cloud services from a geographical perspective in my Constellation Research report “Why Cloud Geography Matters in a Post-Snowden/NSA Era”. And in forthcoming research I’ll examine a broader set of contract-related KPIs to help buyers make the right choice of cloud service provider.
If you asked me what to do about data breaches, I’d say the short-to-medium term solution is to get with the strength and look for managed security services from specialist providers. In the longer term, we will have to see grassroots re-engineering of our networks and platforms, to harden them against penetration, and to lessen the opportunity for identity theft.
In the meantime, you can hope for the best, if you plan for the worst.
Actually, no, you can’t hope.