IT Security Breaches Soar In 2009

← Back to Stories (view on slashdot.org)

IT Security Breaches Soar In 2009

Posted by kdawson on Tuesday September 29, 2009 @11:24AM from the inside-jobs dept.

slak11 quotes from a Globe and Mail article on the jump in corporate and government security breaches year-over-year. (The reporting is from Canada but the picture is probably much the same in the US.) "This does not seem to be all that newsworthy these days, since stories like this are appearing on a regular basis. The one detail I did like — that seems to break from the traditional 'hackers cause all the bad stuff' reporting — is the mention that everyday employees are a major cause of breaches. The recent Rocky Mountain Bank/Google story is a perfect example. As stated in the article: 'But lower security budgets aren't the only reason breaches tend to soar during tough economic times — employees themselves can often be the cause of such problems.' I figure this will be an ongoing problem until company management and employees accept their role in keeping company information safe. And IT people need to understand that regular employees are not propeller-heads like Slashdot readers, and to begin to implement technology and processes that average people can understand and use."

10 of 65 comments (clear)

Min score:

Reason:

Sort:

Coincidence? by Dyinobal · 2009-09-29 11:25 · Score: 3, Funny

Coincidence? That it's the same year Windows 7 was released? dun dun dun!
1. Re:Coincidence? by frosty_tsm · 2009-09-29 13:06 · Score: 3, Funny
  
  Coincidence? That it's the same year Windows 7 was released? dun dun dun!
  It's also the year in which Windows Vista adoption peaked.
Mafiaa and "terrorists" by religious+freak · 2009-09-29 11:28 · Score: 4, Interesting

The one thing I don't understand is, why don't we actually see MORE breaches in data security than we do now? I mean like real deal, big time, Italian Job / Oceans 11 type stuff. Yeah a little crime here and there, ok. But with IT pervading every major monetary transaction, people in the know could essentially steal an infinite amount of money.

Really, even if you amalgamate enough talent to become 1/4 of a state actor in terms of budget / knowledge, you could make all kinds of money, XSS, SQL injection, social engineering, etc. I'm really surprised we haven't seen a major IT heist yet.

--
If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
1. Re:Mafiaa and "terrorists" by wigaloo · 2009-09-29 11:38 · Score: 5, Insightful
  
  The one thing I don't understand is, why don't we actually see MORE breaches in data security than we do now? I mean like real deal, big time, Italian Job / Oceans 11 type stuff. Yeah a little crime here and there, ok. But with IT pervading every major monetary transaction, people in the know could essentially steal an infinite amount of money.
  
  What we learned during the 2008 financial crisis is that there are plenty of ways for crooks to steal an infinite amount of money legally.
Propeller-heads by causality · 2009-09-29 11:46 · Score: 5, Insightful

And IT people need to understand that regular employees are not propeller-heads like Slashdot readers, and to begin to implement technology and processes that average people can understand and use.
You have to love the implication that IT staff purposefully choose the most arcane implementation for the hell of it, or that they enjoy the support calls they receive when users have a hard time with a system. Sometimes what you are doing is inherently complex, and some ability to deal with complexity is necessary. The way I see it, there are two broad approaches to the problem of "implement[ing] technology and processes that average people can understand and use." One is to simplify those technologies and processes. The other is to increase the understanding of the users, or for the users to increase their own understanding.

For some reason, most discussions like this seem to have this unstated assumption that the former approach is the only possible one. I'd like to see more of a middle-ground solution. I like Einstein's saying about how things should be made as simple as possible, but no simpler. Once that is done, if the users still find the systems and processes to be too complex, and their job requires the ability to handle same, then I would conclude that this means they are not qualified for their job and need to be replaced by someone with more understanding. Is that really such a scary conclusion that we must perform all sorts of musings and mental gymnastics to avoid it? Because I certainly believe that people can improve if it is expected of them, if there are not infinite excuses for their shortcomings. For that reason, I don't believe that regarding users who can't handle good systems as unqualified would result in tremendous turnover within a company. I think it would result in more savvy users, even if only to avoid being fired. It would certainly help to disabuse people of this mentality that basic competency is only for nerds, hardcore geeks, and experts.

--
It is a miracle that curiosity survives formal education. - Einstein
1. Re:Propeller-heads by plover · 2009-09-29 13:06 · Score: 3, Insightful
  
  But "simple" does not mean "secure". Yes, simple is easier to verify, but you can write simple, clean code and still get hit with a security incident.
  Code that is simple and secure today also doesn't mean that it will be secure tomorrow, once the next exploit is created and discovered. How long ago was it before javascript existed? Nobody cared if you put <script> tags in your comments, because browsers didn't even know the keyword "script". Suddenly browsers started appearing that supported this tag, and people got creative when posting comments, including cute scripts to animate their signatures. Then XSS attacks were discovered and became all the rage, and perfectly secure web sites around the globe suddenly had a new threat model that became their responsibility to clean up.
  You can review simple code all day long and assure yourself that it will do what it's supposed to do. But it's very, very hard to review code to ensure that it won't do something bad, especially when you don't have tomorrow's definition for "bad" to review against!
  
  --
  John
I.T. IS COMPLICATED, GET USED TO IT! by uslurper · 2009-09-29 11:57 · Score: 3, Insightful

" And IT people need to understand that regular employees are not propeller-heads like Slashdot readers, and to begin to implement technology and processes that average people can understand and use."
This is exactly the attitude that causes insecure environments. Security IS complicated. Accounting IS complicated. Networking IS complicated. PC's ARE complicated. Fuck people realize that I.T. IS COMPLICATED. Give your IT Department the tools and authority to run their department the way it needs to be done.

--
oldhack: "Security is a waste of money until shit hits the fan. 5 minutes later, it becomes waste of money again. "
Security by oldhack · 2009-09-29 12:01 · Score: 4, Insightful

Security is a lot like IT, but much more so. It's waste of money until shit hits the fan. 5 minutes later, it becomes waste of money again. But it's difficult to judge how close you're to shit-blade collision point, though, because in the end it's an effort to mitigate breach, not a guarantee, and news stories that do pop up tend to be sensationalistic and doesn't help the assessment.

--
Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
Motivation by whoever57 · 2009-09-29 12:38 · Score: 3, Insightful

... employees themselves can often be the cause of such problems.' I figure this will be an ongoing problem until company management and employees accept their role in keeping company information safe

I figure it will continue to be a problem until company management provides the appropriate motivation and training to employees to keep company data safe. This won't happen until management also has the appropriate motivation. Did anyone in management get fired over the Rocky Mountain bank/Google incident? How much has this cost the bank?

--
The real "Libtards" are the Libertarians!
Re:Dude... by rtb61 · 2009-09-29 18:13 · Score: 3, Insightful

Easiest solution to your problem, parallel networks. An internal secure network, accounting, payroll, banking, data management, cad, cam, publishing etc. and an external network email and internet access. Lock down the internal network, tight, no internet access, no portable media, data is either input at the keyboard or uploaded at the IT office after it is reviewed and scanned.
External network, let the children play and create a USB reboot and rebuild stick for each notebook. You will be a whole lot less frustrated and the children will be happy as they get to play without controls and, by children I do mean the executive pool. Keep it simple internal wired and external wireless, in office try to use infra-red for wireless, it is more restricted and safer.
This way only one machine at a time gets infected on the external network and the infection is always from the net rather than internal. Internal a desktop/terminal, external cheap netbooks/smartbook basically a throw away and in affect an extension of a mobile phone.
Best thing about this, passwords not a problem, unless they break into the specific office to gain access to the specific files than they are out of luck and the server room itself can be fully secured and alarmed, basically a vault.

--
Chaos - everything, everywhere, everywhen