Final thoughts on the Houston Astros’ database

One of my college buddies (Hi Christian!) shared my previous post on Facebook, pointing out that I’m a long-suffering Royals fan in Cardinals country, and adding that what I said was balanced and dispassionate.

I’m normally anything but dispassionate. But in this case, it’s not a baseball matter–it’s a business matter, and neither my employer nor any past employer is involved, so it’s easy to be detached and dispassionate. I guess you can say my take on hacking has changed. I was going to say “evolved,” but “changed” is more dispassionate.

There was a time when the stereotypical hacker was a socially awkward thrill-seeker, living in his parents’ basement, filling the emptiness in his life by wreaking havoc on computers belonging to other people, hoping to become the lead story on CNN.

And I used to get pretty worked up about that. I’m an introvert, but I managed to do something productive with my life, so why can’t they?

It’s different now. It’s been a long time since that stereotype even closely resembled reality.

Today, computer hacking is a big-money crime, and because the money is big, it’s not going away any time soon. Whether people do it because the bad guys pay more money than the good guys, or merely because the bad guys have more job openings, I don’t know. I’m pretty sure the bad guys are a lot better at screening and interviewing candidates than the good guys are. What I do know is that computer crime is more profitable than stealing cars, and probably more profitable than selling drugs, it’s definitely a lot safer, and the chances of getting caught are a lot less. That’s at least four good reasons why it’s not going away.

I guess I could get worked up about car thefts, but it’s not going to change anything. It took a while, but I see computer crime the same way, except there are things I can do to make computer crime at least a little bit less common.

Some of these attacks are really sophisticated, and some of them, like the attack on the Astros, are the work of amateurs who pretty much just lucked into it. Had the Astros executives used passwords that were different enough than they had used when they worked for the Cardinals, the Cardinals executives probably would have given up.

I’m interested in motives only so much as to understand the value of the data. My job as a security professional is to protect it adequately. Adequate protection doesn’t mean putting a million dollars’ worth of protection on data that’s worth five bucks. If the data is worth five bucks, put in enough protection that it costs $5.01 to steal it, and the crooks won’t steal it, because it’s not profitable.

Right now we don’t know the details around the breach. We don’t know who’s idea it was or anything, and that makes a difference. If the general manager ordered it or approved of it, that’s a very different story than if a couple of guys, after too many beers, remembered that sheet of notebook paper with passwords on it and decided to see if any of them worked on the Astros. Either scenario is possible, and so is anything in between.

It seems unlikely to me that this was the first time something like this has happened–it’s just the first time anyone noticed. It almost certainly won’t be the last. The sophisticated bad guys will go looking for this kind of data now, and if they have any degree of success selling the data they find, they’ll be back.

I probably can’t make it impossible for the really talented bad guys to get it, but I can make it difficult. And if I make it difficult for the talented bad guys, that’ll keep the wet-behind-the-ears bad guys out.

If you found this post informative or helpful, please share it!
%d bloggers like this: