The role of business

We must understand that there are different kinds of breaches and different causes behind them. The most publicized security breaches are clearly motivated by financial crime, with the attackers usually seizing bank card details. The trade in stolen cards is essentially fueled by security breaches. Organized crime gangs do not steal card numbers in dribs and drabs from individuals' computers or from insecure websites. The standard advice given to consumers, to change their passwords every month and to make sure they see a padlock in their browser, is nice, but do not believe it will put an end to massive bank card fraud.
Instead of blaming the security of end users, we really have to increase the pressure on enterprise IT. The personal data held by large commercial enterprises (including mundane operations such as car park chains) is now worth several hundred million dollars. If that value were in the form of cash or gold, you would see a security service worthy of Fort Knox around it. How much money does a company, even the largest, invest in security by comparison?
The sad fact is that conventional computer security today does not protect against attacks on assets worth billions of dollars. Economic realities are against us. It is more a matter of luck than good planning that some large enterprises have not yet suffered a security breach.
Evolution of attacks

As the name suggests, organized crime is really organized. If it wants payment card details, it goes after big data warehouses, payment processors and major retailers. The sophistication of these attacks is astonishing, even to security professionals. The attack against the terminals of Target outlets, for example, was unthinkable. Other types of criminal security breaches include mischief, as when celebrities' iCloud pictures leaked last year, hacktivism, and political or cyber-terrorist attacks like the one launched against Sony. Evidence indicates that identity thieves are turning to medical data to fuel more complex forms of crime. Instead of stealing and cloning card numbers, identity thieves can use more detailed and extensive records, such as patient records, either to commit fraud against health insurance organizations or to open fake accounts and use them in complex scams. The recent security breach of the Anthem database involved the detailed personal records of 80 million individuals. We do not yet know how these data will resurface on the identity black market. The ready availability of stolen personal data is one factor driving innovation in identity and access management (IAM). (Read the article “The State of Identity Management in 2015”.) Next-generation IAM will make stolen data less valuable, but for the foreseeable future, all companies that hold large customer data sets will be prime targets for identity thieves.
Consider hotels. We occasionally hear about computer breaches affecting them, but they probably occur continuously. The details that hotels hold on their guests are staggering: some have payment card details, license plates, travel itineraries (including flight details) and even passport numbers. Nowadays, with global hotel chains, reservations are visible to malicious users anywhere in the world, 24 hours a day, 7 days a week.
And talk of PCI-DSS, the payment card industry's data security standard for protecting cardholder details, has had little effect so far. Some of the largest breaches of all time have hit leading merchants and payment processors that were compliant with the PCI standard. However, counsel for the payment institutions will always find a way to say that this or that business was not “really” compliant. For their part, the payment card industry's auditors always deny any liability. One can understand their position: they will not be held liable for errors or misdeeds committed behind their backs.
However, cardholders and merchants are caught in the crossfire. If a department store passes its PCI audits, surely one can expect it to be reasonably secure for the rest of the year? Well, no: it turns out that the day after a successful audit, an IT trainee can misconfigure a firewall or forget to apply a hotfix. All the defenses are then useless and the audit is worth nothing.
This reinforces the point about the fragility of computing. It has become impossible to make lasting security promises.
In any case, the PCI standard is nothing more than a set of promises and policies regarding the handling of data. It certainly improves the state of IT security and deters amateur attackers, but it has no effect against organized crime or insider attacks.
What position to take?

There is an argument that weighs more and more in favor of outsourcing data management. Rather than keeping data on fragile foundations in the face of such risk, companies are turning to large, reputable cloud services, where providers have the scale, resources and attention to detail needed to protect the data in their custody. Constellation looked earlier at what matters in the choice of cloud services from a geographical point of view (see the article “Why Geography Matters Cloud in a Post-Snowden / NSA Era”). If you are wondering what to do, the short- and medium-term answer would be to put yourself on the stronger side and turn to specialist managed security service providers. In the longer term, a ground-up restructuring of networks and platforms to harden them against penetration and identity theft would be the strategic move.