Slashdot Mirror
IT Security Breaches Soar In 2009
slak11 quotes from a Globe and Mail article on the jump in corporate and government security breaches year-over-year. (The reporting is from Canada but the picture is probably much the same in the US.) "This does not seem to be all that newsworthy these days, since stories like this are appearing on a regular basis. The one detail I did like — that seems to break from the traditional 'hackers cause all the bad stuff' reporting — is the mention that everyday employees are a major cause of breaches. The recent Rocky Mountain Bank/Google story is a perfect example. As stated in the article: 'But lower security budgets aren't the only reason breaches tend to soar during tough economic times — employees themselves can often be the cause of such problems.' I figure this will be an ongoing problem until company management and employees accept their role in keeping company information safe. And IT people need to understand that regular employees are not propeller-heads like Slashdot readers, and to begin to implement technology and processes that average people can understand and use."
Coincidence? That it's the same year Windows 7 was released? dun dun dun!
The one thing I don't understand is, why don't we actually see MORE breaches in data security than we do now? I mean like real deal, big time, Italian Job / Oceans 11 type stuff. Yeah a little crime here and there, ok. But with IT pervading every major monetary transaction, people in the know could essentially steal an infinite amount of money.
Really, even if you amalgamate enough talent to become 1/4 of a state actor in terms of budget / knowledge, you could make all kinds of money, XSS, SQL injection, social engineering, etc. I'm really surprised we haven't seen a major IT heist yet.
If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
You have to love the implication that IT staff purposefully choose the most arcane implementation for the hell of it, or that they enjoy the support calls they receive when users have a hard time with a system. Sometimes what you are doing is inherently complex, and some ability to deal with complexity is necessary. The way I see it, there are two broad approaches to the problem of "implement[ing] technology and processes that average people can understand and use." One is to simplify those technologies and processes. The other is to increase the understanding of the users, or for the users to increase their own understanding.
For some reason, most discussions like this seem to have this unstated assumption that the former approach is the only possible one. I'd like to see more of a middle-ground solution. I like Einstein's saying about how things should be made as simple as possible, but no simpler. Once that is done, if the users still find the systems and processes to be too complex, and their job requires the ability to handle same, then I would conclude that this means they are not qualified for their job and need to be replaced by someone with more understanding. Is that really such a scary conclusion that we must perform all sorts of musings and mental gymnastics to avoid it? Because I certainly believe that people can improve if it is expected of them, if there are not infinite excuses for their shortcomings. For that reason, I don't believe that regarding users who can't handle good systems as unqualified would result in tremendous turnover within a company. I think it would result in more savvy users, even if only to avoid being fired. It would certainly help to disabuse people of this mentality that basic competency is only for nerds, hardcore geeks, and experts.
It is a miracle that curiosity survives formal education. - Einstein
" And IT people need to understand that regular employees are not propeller-heads like Slashdot readers, and to begin to implement technology and processes that average people can understand and use."
This is exactly the attitude that causes insecure environments. Security IS complicated. Accounting IS complicated. Networking IS complicated. PC's ARE complicated. Fuck people realize that I.T. IS COMPLICATED. Give your IT Department the tools and authority to run their department the way it needs to be done.
oldhack: "Security is a waste of money until shit hits the fan. 5 minutes later, it becomes waste of money again. "
Security is a lot like IT, but much more so. It's waste of money until shit hits the fan. 5 minutes later, it becomes waste of money again. But it's difficult to judge how close you're to shit-blade collision point, though, because in the end it's an effort to mitigate breach, not a guarantee, and news stories that do pop up tend to be sensationalistic and doesn't help the assessment.
Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
Oh no! This is nothing like fact-based reporting, either.
Look at the graph on the banner of OSF Dataloss. That banner, right across the top, shows the number of reported incidents, month by month, since Feb 2007. The 2007 average seems to be in the mid-40s. The 2008 average seems to be about 60 per month. The 2009 bar graph is steadily sloping downwards, starting from a high of 61 incidents in Feburary dropping down steadily to 23 last month and 16 this month.
To be a bit more factual, you can visit the statistics. That shows the progression from 2005-2009 looking like this:
2005 140
2006 530
2007 484
2008 703
2009 331
Nothing in the statistics even remotely seems as bad as last year, and this year's pace seems to be trending towards even fewer breaches than 2006's level.
I call shenanigans on this report!
John
I figure it will continue to be a problem until company management provides the appropriate motivation and training to employees to keep company data safe. This won't happen until management also has the appropriate motivation. Did anyone in management get fired over the Rocky Mountain bank/Google incident? How much has this cost the bank?
The real "Libtards" are the Libertarians!
yes, except it will be pictures, with arrows, and small words arranged as digestible catch phrases. Perhaps a pie chart.
Everything that can be hacked, will be hacked. If not in your lifetime, then in mine.
OSF Dataloss seems to be counting the number of data breaches (i.e. database of customer info being leaked, millions of credit card numbers being stolen, etc.), whereas this article refers to security breaches in general, not just those that affect personal privacy. Also, the article seems to be based on Canadian statistics, as well as going by the cost of damages rather than the number of breaches that occurred.
I mean, if in 2008, there were 703 breaches, each only making off with a $10~20k of data on average, whereas the 331 breaches this year average $100k in data, then that's still a huge increase the severity of the security breaches.
Simply counting the number of breaches on record just doesn't paint the full picture.
Could be shenanigans, but they're using different metrics. OSF uses media reports to search for breaches that have been made public whereas TFA conducted a survey of "more than 600 Canadian IT security professionals."
After I posted it, I figure that if they weren't looking at 2009 (because most reporting is done on an annual basis), 2008 does indeed look pretty terrible by comparison to the rest of the years. Although TFA does say that in 2009 the security professionals are reporting 11 incidents per organization compared to 3 per org in 2008.
So, are the Canadian corporations better at hiding breaches from the public than the OSF indicates? Are the "professionals" overreporting and including counts of attempted breaches, like drive-by WEP attacks that go nowhere, or phishing emails, or viruses? Or is this a real count of actual breaches that caused a loss of valuable data, and they're just not telling us?
John
The best way is to remove the users' ability to do damage by enforcing tight GPOs, blocking access to certain types of websites, denying the ability to install software without your participation, blocking certain ports at the demarc (ingress and egress), enforcing automatic patching and virus data file updates, etc.
It seems draconian but once they get used to not going to Facebook or eBay or playing Elf Bowling during work the whining settles down. Oddly enough most of the grumbling comes from the PhDs (who should fucking well know better) and not the administrative staff.
User education helps but only to a narrow limit and degrades fast. You need to make internal security breaches an overt hostile act, which in normal commercial companies is extremely hard to prevent without also retarding the ability to get work done.
I have something in common with Stephen Hawking...
Aha, I found that they have "number of records" metrics, too, as long as you're willing to harvest them out of their reports.
2009 YTD:
Total Incidents: 330
Total Records Affected: 138,772,156
2008:
Total Incidents: 703
Total Records Affected: 85,843,506
2007:
Total Incidents: 484
Total Records Affected: 165,184,031
2006:
Total Incidents: 530
Total Records Affected: 51,142,868
2005:
Total Incidents: 140
Total Records Affected: 55,988,256
So 2009 is indeed a "severe" year in terms of records lost. Again, though, these are totals of all reportedly lost data, regardless of how the data went missing. A backup tape with 100,000 records lost in a dumpster counts equally with a hacker stealing 100,000 credit cards from a web site, even though one loss clearly places the data at a higher risk for fraudulent use than the other.
John
I just realized there might be a positive spin to their numbers as well. Because security awareness has been at the current peak for only a short while (it's really taken off in the last two or three years), it's possible that they're reporting higher numbers of attacks because they now have the tools and monitors in place to detect the higher numbers. Perhaps hacking is not nearly as bad now as it was before, it's just that they didn't know they were being hacked before, and now they do.
John
"I figure this will be an ongoing problem until company management and employees accept their role in keeping company information safe."
Exactly. I suppose it's not that surprising that everyone wants all the benefits of IT without any of the responsibility given that a solid 90% of people are just too fucking stupid to understand that it even HAS consequences, but the willful disregard for protecting customers/patients info is just pathetic. You work in the medical industry and you see that doctors and nurses and sys admins just don't give a fuck about protecting their patients identities and privacy, regardless of how small an inconvenience they face.
I understand that a lot of security solutions are not always convenient but the level of laziness and disregard for people is really inexcusable. You wanna know the truth? Really easy to use security solutions just aren't here yet in a lot of areas. That's a fact. Viruses, worms, system compromises, botnets, identity theft...those ARE here in ALL areas. That's also a fact. If people don't like it then they should go back to using paper records...uhoh...that sounds a little more inconvenient than remembering two passwords doesn't it?
I realize this comment makes me sound like a security nazi but honestly I am pretty good at bridging the gap and have worked on both sides of the security fence. I am just really really tired of users whining. To a point, yes, usability is very important for a lot of reasons and anywhere possible you should strike a balance between usability and security. I don't discount that. However, in a lot of organizations security ALWAYS loses that battle...ALWAYS. Companies are jumping through incredible hoops to meet regs and appease auditors while willfully engaging in egregious breaches of security in areas not covered by laws.
Experience is the reason that the former is always assumed to be the only approach. Users don't give a fuck about understanding more or learning more or taking any responsibility at all for the security of the IT infrastructure. It often seems, in fact, that the more critical the position they hold in regards to access to sensitive information (doctors, lawyers, etc.) the more resistant they are to learning about IT or doing their part to keep the organization secure.
The ONLY solution is the former. As the population of workers is replaced by people who grew up with IT there will be fewer extreme examples of people totally unwilling to do anything at all, but in the end the user mentality remains the same. The ONLY solution is to simplify the solutions and force them, via policy, to accept "the best we can do".
I see this in every aspect of my job. Tell the sys admin that his server is off the wire because it was attempting to infect thousands of other critical servers and possibly even equipment which is even more critical and all he does is complain to his director that you're being a dick and not letting his box, that he failed to patch for 5 years, back on the wire...and thats an IT person. Don't get me started on explaining to the high-muckity-muck that their VPN connected laptop was the source of a worm which infected 200 computers with something they downloaded from a porn site.
The notion that basic competency is only for nerds, hardcore geeks, and experts is rooted firmly in the fact that almost no one is competent or even somewhat intelligent. Most people are stupid as fuck. They manage to do their job like a monkey can learn to press a button and get a treat, but try and teach that same monkey to type a password and get a treat and you're officially well past the point of diminishing returns.
There's a plug for cloud computing in here somewhere, I know it!
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
In the sense that while you have it and pay for it, it feels like a waste of time and money, but when you really need it it, its too late if you didn't get it already :P
I am always amazed at the number of places that I have worked that put reasonable security measures in place but then let them be defeated by bad employee practices. The most common would be instances where multiple users share the same password on some machine or application on a machine because it was too difficult to remember the password for multiple people, so they use a common password instead. And the number of places where the password is of course written down on a sticky note stuck to the computer. People view security as a nuisance mostly, and are quite willing to bypass it if it gets in the way of convenience.
We need a better solution than username/password combos, because people are unreliable if something is inconvenient.
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
A few reasons:
1. Canada has no mandatory notification law, so they frequently won't be published.
2. People who are still using WEP for their wireless security aren't going to be looking for attempted attacks.
This is probably a worst possible case scenario, like "all the data that could have been breached, but we don't necessarily know it was", but I would think it's probably realistic.
"City hall" in German is "Rathaus" Kinda explains a few things......