BreachExchange mailing list archives

What causes enterprise data breaches? The terrible complexity and fragility of our IT systems


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 13 May 2015 19:33:50 -0600

http://www.zdnet.com/article/what-causes-enterprise-data-breaches-the-terrible-complexity-and-fragility-of-our-it-systems/

Bank robber Willie Sutton, when asked why he robbed banks, answered "That's
where the money is." It's the same with breaches. Large databases are the
targets of people who want data. It's that simple.

We need to understand that there are different sorts of breaches and
corresponding causes. Most high profile breaches are obviously driven by
financial crime, where attackers typically grab payment card details.
Breaches are what powers most stolen card crime. Organised crime gangs
don't pilfer card numbers one at a time from people's computers or insecure
websites. (And the standard advice to consumers to change their passwords
every month and to make sure they see a browser padlock is nice, but don't
think it will do anything to stop mass card fraud.)

Instead of blaming end user security, we need to really turn up the heat on
enterprise IT. The personal data held by big merchant organisations
(including even mundane operations like car parking chains) is now worth
many hundreds of millions of dollars. If this kind of value was in the form
of cash or gold, you'd see Fort Knox-style security around it. Literally.
But how much money does even the biggest enterprise invest in security? And
what do they get for their money?

The grim reality is that no amount of conventional IT security today can
protect against attacks on assets worth billions of dollars. The simple
economics is against us. It's really more a matter of luck than good
planning that some large organisations have yet to be breached. (And that's
only so far as we know.)

Organised crime is truly organised. If it's card details they want, they go
after the big data stores, at payments processors and large retailers. The
sophistication of these attacks is amazing even to security pros. The
attack on Target's Point of Sale terminals for instance was in the "can't
happen" category.

The other types of criminal breach include mischief as when the iCloud
photos of celebrities were leaked last year; hacktivism; and political or
cyber terrorist attacks, like the one on Sony.

There's some evidence that identity thieves are turning now to health data
to power more complex forms of crime. Instead of stealing and replaying
card numbers, identity thieves can use deeper, broader records like patient
records to either commit fraud against health system payers, or open bogus
accounts, and build them up into complex scams. The recent Anthem database
breach involved extensive personal records on 80 million individuals; we
have yet to see how these details will surface in the identity black
markets.

The ready availability of stolen personal data is one factor we find to be
driving Identity and Access Management (IDAM) innovation; see "The State of
Identity Management in 2015". Next generation IDAM will eventually make
stolen data less valuable, but for the foreseeable future, all enterprises
holding large customer datasets will remain prime targets for identity
thieves.

Now let's not forget simple accidents. The Australian government for
example has had some clangers, though these can happen to any big
organisation. A few months ago a staffer accidentally attached a file to an
email, containing passport details of the G20 leaders. Before that, we saw
a spreadsheet holding personal details of thousands of asylum seekers get
mistakenly pasted into a government website's HTML.

A lesson I want to bring out here is the terrible complexity and fragility
of our IT systems. It doesn't take much for human error to have
catastrophic results. Who among us has not accidentally hit 'Reply All' or
attached the wrong file? If you did an honest Threat & Risk Assessment (as
one should) on these sorts of office systems, you'd have to conclude they
are not safe to handle sensitive data nor to be operated by most human
beings. And yet we simply cannot afford NOT to use the systems. We've
created a monster.

Again, criminal elements know this. The expert cryptographer Bruce Schneier
once said something like "Amateurs hack computers; experts hack people".
Access control on today's sprawling complex computer systems is generally
poor, leaving the way open for inside jobs. Just look at the Chelsea
Manning case, one of the worst breaches of all time, made possible by
granting too high access privileges to too many staffers.

Outside government, access control is worse, and so is access logging - so
system administrators often can't tell there's even been a breach until
circumstantial evidence emerges. I am sure the majority of breaches are
occurring without anyone knowing. It's inevitable.

Look at hotels. There are occasional reports of hotel IT breaches, but they
are surely happening continuously. The guest details held by hotels are
staggering - payment card details, license plates, travel itineraries
including airline flight details, even passport numbers are held by some
places. And these days, with global hotel chains, the bookings are
available to a rogue employee from any place in the world, 24-7.
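The two points above, that bookings are reachable from anywhere and that poor access logging means nobody notices, are what an access log review is meant to catch. The following is an added example, not code from the article or from any hotel system: it parses a constructed booking-system access log (the line format, field names, property codes and sample entries are all invented here) and flags two insider patterns, an account opening an unusual number of distinct bookings in a sliding time window, and an account based at one property reading bookings that belong to another.

```python
"""Review a booking-system access log for signs of insider bulk lookup.

Example code added to this archive page; the log format, field names and
sample lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Access(NamedTuple):
    ts: datetime
    user: str          # staff account that performed the lookup
    home_property: str  # property the account is assigned to
    site: str          # property whose booking was opened
    booking: str       # booking record identifier


def parse_access_log(text: str) -> List[Access]:
    """Parse lines of '<iso-timestamp> <user> <home> <site> <booking>' (constructed format)."""
    events = []
    for line in text.strip().splitlines():
        ts, user, home, site, booking = line.split()
        events.append(Access(datetime.fromisoformat(ts), user, home, site, booking))
    return events


def bulk_lookups(events: List[Access], window: timedelta = timedelta(hours=1),
                 threshold: int = 20) -> Dict[str, int]:
    """Return {user: peak distinct bookings} for users exceeding `threshold`
    distinct bookings within any sliding window of length `window`."""
    by_user: Dict[str, List[Access]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)
    flagged: Dict[str, int] = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until all events fit inside `window`
            while evs[end].ts - evs[start].ts > window:
                start += 1
            distinct = len({x.booking for x in evs[start:end + 1]})
            if distinct > threshold:
                flagged[user] = max(flagged.get(user, 0), distinct)
    return flagged


def cross_property_access(events: List[Access]) -> List[Access]:
    """Events where an account reads bookings held by a different property."""
    return [e for e in events if e.site != e.home_property]


# Constructed sample: two normal front-desk lookups at the Sydney property,
# then a night-audit account at Sydney paging through London bookings.
SAMPLE_LOG = "\n".join(
    [
        "2015-05-13T02:00:00 front-desk-a HTL-SYD HTL-SYD BK-1001",
        "2015-05-13T02:05:00 front-desk-a HTL-SYD HTL-SYD BK-1002",
        "2015-05-13T09:15:00 front-desk-b HTL-SYD HTL-SYD BK-1003",
    ]
    + [f"2015-05-13T03:{i:02d}:00 night-audit HTL-SYD HTL-LON BK-2{i:03d}"
       for i in range(0, 30, 2)]
)


if __name__ == "__main__":
    evs = parse_access_log(SAMPLE_LOG)
    print("bulk lookups:", bulk_lookups(evs, threshold=10))
    print("cross-property reads:", len(cross_property_access(evs)))
```

The sliding window is keyed on distinct bookings rather than raw request count so that a clerk refreshing one reservation repeatedly is not flagged, while an account paging through many guests' records is. Thresholds and the home-property mapping would come from the real system's own data; both are placeholders here.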

Please, don't anyone talk to me about PCI-DSS! The Payment Card Industry
Data Security Standards for protecting cardholder details haven't had much
effect at all. Some of the biggest breaches of all time have affected top
tier merchants and payments processors that appear to have been PCI
compliant. Yet the lawyers for the payments institutions will always argue
that such-and-such a company wasn't "really" compliant. And the PCI
auditors always walk away from any liability for what happens in between
audits. You can understand their position; they don't want to be
accountable for wrongdoings or errors committed behind their backs.

However, cardholders and merchants are caught in the middle. If a big
department store passes its PCI audits, surely we can expect them to be
reasonably secure year-long? No, it turns out that the day after a
successful audit, an IT intern can misconfigure a firewall or forget a
patch; all those defences become useless and the audit is rendered
meaningless.
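The gap the paragraph above describes, between a point-in-time audit and the configuration that is actually running the next day, is usually closed by re-checking the live policy against the baseline that was audited. The following is an added example and not the article's or any vendor's code: it parses a constructed, product-neutral firewall rule format (rule names, addresses and the five-field line layout are all invented here), diffs the running policy against the audit-time baseline, and rates each change so that a newly added allow-anything rule or a removed default deny stands out.

```python
"""Continuous-compliance check: compare the running firewall policy against the
baseline captured at audit time and report drift.

Example code added to this archive page; the rule format and sample data are
constructed and do not correspond to any real firewall product.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "allow" or "deny"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    port: str    # port number or "any"


def parse_rules(text: str) -> Dict[str, Rule]:
    """Parse lines of '<name> <action> <src> <dst> <port>'; '#' starts a comment."""
    rules: Dict[str, Rule] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"malformed rule: {raw!r}")
        name, action, src, dst, port = parts
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action in rule {name!r}: {action!r}")
        rules[name] = Rule(name, action, src, dst, port)
    return rules


def diff_rules(baseline: Dict[str, Rule],
               current: Dict[str, Rule]) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, changed) rule names, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(n for n in set(baseline) & set(current) if baseline[n] != current[n])
    return added, removed, changed


def is_overly_permissive(rule: Rule) -> bool:
    """An allow rule with no source or port restriction."""
    return rule.action == "allow" and rule.src == "any" and rule.port == "any"


def widened(before: Rule, after: Rule) -> bool:
    """True when a previously specific field has been opened to 'any'."""
    return any(getattr(before, f) != "any" and getattr(after, f) == "any"
               for f in ("src", "dst", "port"))


def drift_findings(baseline: Dict[str, Rule], current: Dict[str, Rule]) -> List[str]:
    """Human-readable findings, each prefixed with HIGH or MEDIUM."""
    findings: List[str] = []
    added, removed, changed = diff_rules(baseline, current)
    for n in added:
        sev = "HIGH" if is_overly_permissive(current[n]) else "MEDIUM"
        findings.append(f"{sev}: rule {n!r} added since audit: {current[n]}")
    for n in removed:
        sev = "HIGH" if baseline[n].action == "deny" else "MEDIUM"
        findings.append(f"{sev}: rule {n!r} removed since audit: {baseline[n]}")
    for n in changed:
        sev = "HIGH" if widened(baseline[n], current[n]) else "MEDIUM"
        findings.append(f"{sev}: rule {n!r} changed: {baseline[n]} -> {current[n]}")
    return findings


# Constructed baseline as recorded at audit time.
AUDIT_BASELINE = parse_rules("""
web-in       allow any           10.0.1.10/32  443
db-from-web  allow 10.0.1.10/32  10.0.2.5/32   5432
default      deny  any           any           any
""")

# Constructed running policy the day after: a debug rule was added, the
# database rule was opened to any source, and the default deny is gone.
RUNNING_POLICY = parse_rules("""
web-in       allow any           10.0.1.10/32  443
db-from-web  allow any           10.0.2.5/32   5432   # source widened
temp-debug   allow any           any           any    # added for "testing"
""")


if __name__ == "__main__":
    for finding in drift_findings(AUDIT_BASELINE, RUNNING_POLICY):
        print(finding)
```

Run on a schedule against an export of the live policy, a check like this turns the audit snapshot into something that is re-verified daily rather than assumed to hold for a year. The severity rules are deliberately simple; a real deployment would key them to the organisation's own network zones.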

Which reinforces my point about the fragility of IT. It's impossible to
make lasting security promises anymore.

In any case, PCI is really just a set of data handling policies and
promises. They improve IT security hygiene, and ward off amateur attacks.
But they are useless against organised crime or inside jobs.

There is an increasingly good argument to outsource data management. Rather
than maintain brittle databases in the face of so much risk, companies are
instead turning to large reputable cloud services, where the providers have
the scale, resources and attention to detail to protect data in their
custody. Constellation has previously looked at what matters in choosing
cloud services from a geographical perspective (see "Why Cloud Geography
Matters in a Post-Snowden/NSA Era"); in forthcoming research we will
examine a broader set of contract-related KPIs to help buyers make the
right choice.

If you ask me what to do, I'd say the short to medium term solution is to
get with the strength, and look for managed security services from
specialist providers. In the longer term, we will see grassroots
re-engineering of our networks and platforms, to harden them against
penetration and identity theft.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!
