One of my college buddies (Hi Christian!) shared my previous post on Facebook, pointing out that I’m a long-suffering Royals fan in Cardinals country, and adding that what I said was balanced and dispassionate.
I’m normally anything but dispassionate. But in this case, it’s not a baseball matter–it’s a business matter, and neither my employer nor any past employer is involved, so it’s easy to be detached and dispassionate. I guess you can say my take on hacking has changed. I was going to say “evolved,” but “changed” is more dispassionate.
The now-infamous breached Houston Astros database sounds like a classic case of what security professionals call Shadow IT: a project that the business needs, done without adequate involvement from security and, most likely, from the IT department as well.
These kinds of things happen a lot. A go-getter implements it, cutting through red tape to get a useful project done in record time, and it’s great until something goes wrong.
In this case, “wrong” meant a competitor got into the database and stole trade secrets.
So, about a year ago, the Houston Astros announced their internal player database had been breached. This week, more details emerged, pointing right at the St. Louis Cardinals.
It wasn’t a terribly sophisticated attack. You knew I’d write about this, but I’ll explore it from an IT security perspective more than from a baseball perspective.
Every year around this time, Verizon releases its Data Breach Investigations Report, referred to in the trade as simply the “DBIR.” Verizon is one of two companies you call if you’ve been breached and you really want to get to the bottom of what happened and try to keep it from happening again. (Mandiant is the other.)
My CISO hates this year’s edition because of its Joy Division-inspired cover and some of the cutesy writing. But it still makes some valid points that I wish everyone would take to heart–and those points remind me why so many people in my field of work listen to Joy Division.
Tax fraud is one of big payoffs from data breaches. But there’s a simple thing you can do to make it harder for a scammer to file your taxes if your employer or health insurance provider gets breached and your social security number is one of the ones that gets stolen.
Change your social networking profile.
What seems like a million years ago, when Sony Pictures got breached, some pundits were predicting that was the end of the company. I always thought that was hyperbole, but I have to admit I never went to the extreme of saying breaches are nearly harmless, which seems to be the current popular thinking.
Indeed, a financial analyst went on the Down the Security Rabbit Hole podcast and said breaches are an investment opportunity. Just buy the dip.
Anthem recently refused to allow the Office of Personnel Management’s Office of Inspector General (OIG) to perform an audit of its networks. Coming on the heels of a large breach, there’s been a bit of an uproar about it.
There are a few things to keep in mind, the first being that this isn’t driven by law enforcement–it’s a customer requesting an audit.
I was talking breaches last week when a very high-up joined the conversation in mid-stream.
“Start over, Dave.”
“OK. I’m talking about breaches.”
“I know what you’re talking about,” he said, knowingly and very clearly interested.
Late last week, the Wall Street Journal reported that Anthem wasn’t encrypting the database containing tens of millions of health records that were stolen by sophisticated hackers.
There are numerous problems with that story, the first being that we don’t know yet whether the data was encrypted. There are other unconfirmed reports that say the attackers used a stolen username and password to get at the data, which, if that’s true, likely would have allowed them to decrypt the data anyway.
Still, I’m seeing calls now for the government to revise HIPAA to require encryption, rather than merely encourage it. And of course there are good and bad things about that as well.
Every breach report contains the words “sophisticated attack.” Security pros like me see it as pure spin. Here’s why.