BreachExchange mailing list archives

Cyber insecurity has to be addressed


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 23 Jul 2015 19:14:20 -0600

http://www.theday.com/article/20150723/OP03/150729646

The alarm bells are getting louder. #SonyHack, #HackingTeam, #OPMHack, and
now #AshleyMadisonHack. In the space of a few months, four data breaches
have punctured a media sphere that has become jaded to the idea of the loss
of data. Why?

We were spellbound by the internal emails revealed by the #SonyHack, which
has had lingering and far-reaching effects on Hollywood, including the
souring of relations between it and Google.

The #HackingTeam event opened a window into the seedy world of
international surveillance technology and cyberweaponry, underscoring how
far governments around the world and in the United States are willing to go
to spy on citizens.

The #OPMHack was about the vast stores of data retained by the federal
government. To paraphrase: “Why hack governments? Because that’s where the
data is.”

That brings us to the most recent #AshleyMadisonHack. It lacks the business
effects of the #SonyHack, the privacy angle of #HackingTeam, and the scale
of the #OPMHack. However, it makes up for all of that in terms of sheer
prurient interest.

As a website that explicitly facilitates illicit sexual liaisons, the data
its hackers are threatening to disclose have crushed the company’s planned
IPO and future, as well as putting fear into the hearts of cheating spouses
and significant others across the country. The potential personal wreckage
is profound.

This brings us back to the growing volume of those alarms. What do they
tell us?

First, despite all of the rhetoric from organizations and government, the
hacking problem is getting worse and organizations are not effectively
mitigating the threat. The reports of the security measures in place in all
four hacks reveal security was negligently neglected. We are not talking
about falling short of best practices or even good practices; we are
talking about implementation of worst practices like plain storage of weak
passwords, using default passwords, and unencrypted data storage.

Despite the rhetoric of cybersecurity, organizations continue to prove they
are not serious stewards of user data, even when it threatens their
capacity to function as a going concern. Their seriousness will apparently
rise only when penalties for breaches rise. If any of these organizations
had acquired insurance to cover such a hack, the insurer would likely be
able to avoid its liability because the insureds had failed to take even
the most basic steps to protect data.

Second, there is the “#” factor. Hackers are not concealing their actions
or — as in the #OPMHack — word gets out. In the private sector, many
organizations fear the effect on public confidence and brand of such a
disclosure. Public Relations 101 is to get out in front and make full
disclosure early and often. Concealing the problem only exacerbates it.
Legislation to mandate disclosure of breaches should advance in Congress.

Third, hackers are getting better not just at the tactics of hacking but
also the strategy. They are identifying better targets. Like any predator,
they are interested in the weaker and more vulnerable members of the herd.
Unfortunately for users, most of the herd is lame.

Going one step further, increasingly we see the effects of hacking not in
terms of specific stolen data records, but the destruction of relationships
between people and organizations built with trust. This trust is not easily
restored and once lost, can be hard to regain.

This is especially important in the #SonyHack, #HackingTeam, and
#AshleyMadisonHack. Unlike the #OPMHack, these hacks were especially
damaging because they revealed private and even secret information shared
by actors other than the data holder.

The #SonyHack rekindled Google’s war with the MPAA. The #HackingTeam
revealed the deception practiced by states on their citizens; and the
#AshleyMadisonHack, of course, threatens to disrupt marriages. In each of
these cases, the hacked organization lacked a direct stake in the
collateral damage wrought by the disclosure. The stakes were simply not
high enough for them to take the threat with sufficient seriousness.

They ignored the alarm bells because they didn’t see their house burning.
It remains to be seen how long it will take for them to feel the heat.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss