“When it comes to breaches of security, it’s not a matter of ‘if’ but rather ‘when’.” —Frank Abagnale

Posted in Other, Security on October 26th, 2011 by Robin
I’ve spoken to many audiences in my security career about how nothing good comes of the mindset that “it’ll never happen to me.” Unfortunately, I was reminded of my own vulnerability when I returned from COMMON recently, only to discover that my beloved road bicycle had been removed illegally from my (supposedly) secured underground parking garage. The perpetrator had first gained access to the locked garage building, making the chances high that they reside in the same building (insider threat, anyone?). But this was no crime of circumstance or simple convenience. They had obviously seen the bike suspended and secured, and made a conscious decision to return better prepared. Then they had circumvented my deterrent, cutting cleanly through the reinforced braided steel cable that I had carefully wound through the beautiful yellow and black lightweight frame, both 700C racing wheels, and a steel eyelet embedded several inches into the cement wall.
I immediately filed a police report, but I’m figuring the bike is already miles down the road by now, or sold on craigslist. In fact, I only bothered to report its loss so that I could try to make a claim on my insurance. But it’s not just a financial loss. There’s the lost confidence that I have in the security of the garage, and the guarded suspicion with which I am eyeing the other residents of my fairly small community. Most likely, one of them knows all too well what happened, and I don’t like knowing that. Although this type of crime is purely for material or financial gain, it tends to make a person question the overall level of security, including the personal safety of a spouse or a child.
I prefer to believe that the vast majority of people are good and honest, and the exceptions are those more driven by greed and selfishness. This personal event has served as a good, albeit painful, reminder that it’s naive to assume that people won’t take advantage of a situation from which they might profit. Sometimes that situation might arise from an easy temptation; sometimes from a deliberate and planned act. Either way, there’s typically both an immediate and a long-term impact. But we need to assume that, sooner or later, it will happen to all of us.
Data theft is typically harder to detect than traditional theft because stolen data continues to reside on the server it was taken from. The latest PowerTech “State of IBM i Security” study reports that more than 10% of IBM i systems still aren’t using the auditing functionality included in the operating system. These companies have zero visibility to security-related events. From my experience, many of the others are collecting events for purposes other than security forensics, and many have no type of procedure or training on how to interpret the data. This leaves only a small contingent that is proactively reviewing the logs and knows how to recognize and escalate a critical event.
When experiencing a corporate breach, many of the same emotions are experienced as in a personal loss. The initial panic of discovery often leads to confusion and, unfortunately, sometimes to blame. This may result in recrimination, and even job loss. There will be costs associated with the remediation and, according to the renowned Ponemon Institute, these costs now exceed $200 per record breached. If the breach requires disclosure to the affected parties, there’s likely to be an accompanying loss of confidence in the corporate brand, and it’s tough to put an exact value on that. Sadly, we don’t give much weight to the cost of prevention, nor to the costs of remediation and litigation, until we are already in the unenviable position of paying for them.
A common misconception is that all breaches are initiated from outside the perimeter firewall, and are the result of a user operating with malicious intent. The reality is that an estimated 60–70% of data that is lost, stolen, or damaged was caused by a user inside the network. After all, if the user profile and password are the primary security control, you probably have a large number of users who are able to access data—and not all via the approved application mechanism. Many data issues are the result of quite legitimate functions where the user was totally unaware that they were causing an issue. For example, uploading a spreadsheet of data directly to a production file without realizing the spreadsheet was a filtered view.
You should be aware that your regular business insurance may not cover losses incurred as a result of a data breach; especially if it’s determined that the root cause was inadequate security controls. This forces the organization to shoulder the full burden of the cost, which can run into millions of dollars.
While no security infrastructure is ever 100% safe, we can remove the IBM i data from the “low hanging branch” and make it more attractive for someone to pick a different target. As I discussed last week, a defense-in-layers approach can make it easier to detect and shut down events before they cause serious harm. Sure, it’s not free to implement a good security infrastructure, but I think I am safe in assuring you that, in the long run, it’ll be cheaper than the alternative.
Step 1: We acknowledge that it WILL happen to us eventually.
Oh, and if you’re wondering “who is Frank Abagnale?”, you can see a dramatization of his life in the 2002 movie “Catch Me If You Can” starring Leonardo DiCaprio and Tom Hanks. His life as a former confidence trickster led to him becoming one of the world’s authorities on fraud.
My photograph this week is of Baltimore’s beautiful Inner Harbor. On the left you can see the stern of the “Chesapeake,” one of several historic ships docked at the harbor. The Chesapeake served as a floating lightstation between 1930 and 1970, and survived service during two hurricanes strong enough to break its primary anchor chain.
If you would like information on IBM i security topics, or the solutions modules that comprise the PowerTech portfolio, then please contact me at firstname.lastname@example.org.