Data security: between complexity and fragility of our computer systems

Large databases are the targets of those who want the data. It’s that simple.

The role of business

We must understand that there are different kinds of breaches, with different causes. The most publicized security breaches are obviously motivated by financial crime, with the attackers usually seizing payment card details. The trade in stolen cards is essentially fueled by such breaches. Organized crime gangs do not steal card numbers drip by drip from individuals' computers or insecure websites. The standard advice given to consumers, to change their passwords every month and to look for the padlock in their browser, is fine as far as it goes, but do not believe it will end large-scale payment card fraud.

Instead of blaming end users for their security practices, we really have to increase the pressure on enterprise IT. The personal data held by large commercial enterprises (including mundane operations such as car park chains) is now worth several hundred million dollars. If that value were held as cash or gold, you would see security worthy of Fort Knox around it. How much does a company, even the largest, actually invest in protecting it?

The sad fact is that conventional computer security today does not protect resources worth billions of dollars against attack. The economic realities are against us. It is more a matter of luck than good planning that some large enterprises have not yet suffered a security breach.

The evolution of attacks

As the name suggests, organized crime is really organized. If it wants payment card details, it goes after the big data warehouses, payment processors and major retailers. The sophistication of these attacks is astonishing, even to security professionals. The attack on the point-of-sale terminals at Target stores, for example, was unimaginable.

Other kinds of criminal security breaches include mischief, as when the iCloud photos of celebrities leaked last year, hacktivism, and political or cyber-terrorist attacks like the one launched against Sony.

Evidence indicates that identity thieves are turning to medical data to fuel more complex forms of crime. Instead of stealing and cloning card numbers, identity thieves can use more detailed and extensive records, such as patient records, either to commit fraud against health insurers or to open fake accounts and use them in complex scams. The recent breach of the Anthem database involved the detailed personal records of 80 million individuals. We do not yet know how these data will resurface on the black market for identities.

The immediate availability of stolen personal data is one factor driving innovation in identity and access management (IAM). (Read the article “The State of Identity Management in 2015”.) Next-generation IAM will make stolen data less valuable, but for the foreseeable future, every company that holds large sets of customer data will be a prime target for identity thieves.

The human variable

Do not forget simple accidents. The Australian Government, for example, has committed blunders of a kind that could happen to any large enterprise. A few months ago, a staff member mistakenly attached to an email message a file containing the passport details of the G20 leaders. Before that, we saw a spreadsheet containing the personal details of thousands of asylum seekers inadvertently pasted into the HTML code of a government website.

What you need to remember is the appalling complexity and fragility of our computer systems. It does not take much for a human error to have catastrophic results. Who among us has never accidentally clicked “Reply All” or attached the wrong file? If you made an honest assessment of the risks and threats facing these kinds of office systems (as everyone should), you would conclude that they are not safe for processing sensitive data, nor for use by most human beings. Yet we simply cannot afford NOT to use these systems. We have created a monster.

Again, the criminal element knows this. Bruce Schneier, the cryptography expert, once said: “Amateurs hack systems; professionals hack people.” Access control in today's complex and sprawling computer systems is usually poor, leaving the door open to attacks mounted from the inside. Just look at Chelsea Manning: one of the worst security breaches of all time, made possible by granting access privileges that were too high to too many employees.

Outside government, access control is worse, and so is access logging, so that system administrators are often unable to tell that a breach has occurred until circumstantial evidence emerges. I am sure that the majority of security breaches take place without anyone knowing. This is inevitable.

Security promises

Take hotels. We sometimes hear about hotel computer breaches, but they probably occur continuously. The details hotels hold on their clients are staggering: some have payment card details, license plates, travel itineraries (flight details) and even passport numbers. Nowadays, with global hotel chains, reservations are visible to malicious users anywhere in the world, 24 hours a day, 7 days a week.

And as for PCI-DSS, the payment card industry's data security standard for protecting cardholder details, it has had little effect so far. Some of the biggest breaches of all time have hit leading merchants and payment processors that were PCI compliant. Yet lawyers for the payment institutions will always find a way to say that this or that business was not “really” compliant. For their part, the payment card industry's auditors always deny any liability. One can understand their position: they will not be held liable for errors or misdeeds committed behind their backs.

Cardholders and merchants, however, are caught in the crossfire. If a department store passes its PCI audit, can one not reasonably expect it to be secure for the rest of the year? Well, no: it turns out that the day after a successful audit, an IT trainee can misconfigure a firewall or forget to apply a hotfix. All those defenses become useless and the audit is worth nothing.

Which reinforces the point about the fragility of computing. It has become impossible to make lasting security promises.

In any case, the PCI standard is nothing more than a set of promises and policies about how data is handled. It certainly improves the state of IT security and keeps out amateur attackers, but it has no effect against organized crime or attacks from the inside.

What position should one take?

There is an argument that weighs more and more in favor of outsourcing data management. Rather than keeping data on fragile foundations exposed to such risks, companies are turning to large, reputable cloud services, where providers have the scale, resources and attention to detail needed to protect the data in their custody. Constellation looked earlier at what matters in choosing cloud services from a geographical point of view (see the article “Why Geography Matters Cloud in a Post-Snowden / NSA Era”).

If you are wondering what to do: in the short to medium term, the solution is to strengthen your defenses and to look into specialist managed security service providers. In the longer term, a ground-up restructuring of networks and platforms, to harden them against penetration and identity theft, would be the strategic move.
