In the last two decades, we have seen a lot of changes around us. We have moved from standard definition to high definition content, from dial-up internet to high speed broadband communication, and our mode of interaction with devices is also changing, with touch and voice input becoming more common. We have also changed the way we communicate and store data. A lot of our data is stored online in the cloud, and most of our communication is online through Twitter, Facebook etc.
Along with the aforementioned changes, our security policies are also changing. As we entrust more and more of our data to technology companies, it is vital for us to think carefully about their security procedures. In the early nineties, security policies were framed around the core principles known as CIA – confidentiality, integrity and availability. But times have changed, and so have the bad guys. We can no longer rely on the old principles alone. Our security policies have to evolve, and fast. But are we moving fast enough? Let’s take a look.
Just a few weeks ago, WIRED editor Mat Honan’s iCloud account was compromised along with his Amazon account. Using the hacked iCloud account, the hacker remotely wiped data from his iPhone, iPad and MacBook. How was the hacker able to do it? Shockingly, just by calling Apple customer support! The hacker was able to get all of the information required to take control of the account from the internet and from Amazon using social engineering. You can read the entire story here.
This is just one example. You can find a number of incidents like this. Interestingly, most of today’s attacks use social engineering as the preferred method. But has the technology sector evolved enough to protect itself and its customers from these types of attacks? The truth is that while certain companies are trying their best, many companies do not think outside the box. In a SANS white paper titled “A Multi-Level Defense Against Social Engineering”, David Gragg quotes Keith A. Rhodes, chief technologist at the U.S. General Accounting Office, as follows.
He notes, “Very few companies are worried about this. Every one of them should be.”
Considering that a large number of attacks in 2011 used social engineering, we can easily conclude that his words are very much true. Still, the unfortunate truth is that companies are not training their staff to detect social engineering tactics. For example, a large number of tech companies rely on personal information to reset passwords. In the current age of social networks, that information is fairly easy to obtain, as shown by the Mat Honan incident. By not taking our current technological ecosystem into consideration, these companies are effectively creating a loophole that hackers can make use of.
But every time a data breach occurs, can we blame the company or the client? Ted Claypoole, author of ‘Protecting Your Internet Identity: Are You Naked Online?’ says that at certain levels, preventing hacking is just impossible.
“Everyone is hacked. Sometimes a company has a big loss, and other times smaller losses. But professional criminals are testing weaknesses all the time, technology changes constantly, and all businesses have been a victim, or will be a victim. Some never know it.
There is no such thing as impenetrable security. For a thing to have value, you must be able to use it. And if you can reach it to use it, then so can a bad guy. Sometimes they impersonate the account holder. Sometimes they take jobs inside the company and become the security flaw. Sometimes they exploit the technology. But every company has “insufficient security policies” by your measure, because every company is vulnerable. Anyone who tells you that their major company has never been breached is either lying, naïve or both.
Last year a hacker, probably foreign government sponsored, broke into RSA, one of our very top security companies, and took information that could allow the hackers to hack defense contractors (like Lockheed Martin).
Our financial protection from harm lies not in company security policies, but in the system itself. This is why we have a $50 fraud limit on our credit cards, and why, when someone breaks in to steal up to $100,0000 of your money from the bank, they did not just steal your money – they either stole the bank’s money or the government’s money, and yours will be returned. The system eats billions in fraud each year and we all pay a little bit for it, so that the losses are not as unevenly distributed if it happens to you. So I question your assumption that companies who are hacked have insufficient security policies. Resources are limited. We can all spend only so much time and money on security. Sometimes you can have the top security in the world, and the bad guys are simply better.”
And that is certainly true. At times, the bad guys are just too good for us to prevent an incident. But that shouldn’t deter us from creating strong security policies and training our staff to prevent incidents such as the one that happened to Mat. The truth is that most of the time, the data breach would have been completely avoidable (96% of breaches in 2011 were avoidable according to the Verizon Business Data Breach Investigations Report, 2011). For example, Microsoft India’s online store was hacked last year and password and credit card data were stolen. Apparently, the company that managed the store on behalf of Microsoft didn’t even bother to encrypt the passwords, making the hacker’s job a walk in the park.
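To make the plaintext-password point concrete, here is an added example (written for this article, not code from the Microsoft India store or its operator) contrasting a plaintext record with a salted, iterated hash: a dumped row of the second kind does not hand over the password, and verification still works. The iteration count and salt size are assumed values for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a random
# per-user salt and a fixed iteration count (tune the count to your hardware).
ITERATIONS = 200_000
SALT_BYTES = 16


def store_plaintext(password: str) -> str:
    """The weak scheme: the stored record is the password itself."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record of the form 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt means two users with the same password get different
    records, so a leaked table cannot be attacked with one precomputed list.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the salt stored in the record; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record, e.g. a legacy plaintext row
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def record_exposes_password(record: str, password: str) -> bool:
    """Would a dumped database row hand an attacker the password as-is?"""
    return password in record


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample credential
    print("plaintext row exposes password:", record_exposes_password(store_plaintext(pw), pw))
    rec = hash_password(pw)
    print("hashed row exposes password:   ", record_exposes_password(rec, pw))
    print("login with right password:     ", verify_password(pw, rec))
```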
So what can we do to improve our current security infrastructure? What we need is a holistic approach to creating new security policies that takes into account the latest trends and methods of attack. The policies should evolve as fast as the attack vectors evolve. This is not an easy thing to do, but it has to be done in order to safeguard our data. We could have an internationally valid security certification process, similar to ISO 27001 certification, which analyses the security policies and practices of a company and rates the company on the basis of those policies. This would help customers select the best in terms of security and would give companies a necessary ‘push’ in framing the right policies.
Furthermore, the government can pass laws that prioritize the safeguarding of consumer data. Unfortunately, there is no solid law in the US that focuses on protection of consumer data, says Ted. “Lawmakers in the United States are doing very little to force protection of users’ data. Other industrialized nations believe that data privacy and data security is a human right that their citizens hold. This country does not yet acknowledge any such right. We have laws protecting certain specific classes of information in certain circumstances – some health care data, financial data, and children’s information – but our data protection laws are confused and disjointed.”
While Senators are trying to pass laws such as SOPA for the benefit of the entertainment industry, it would be nice if they could spend a little bit of their valuable time making solid laws to protect our data as well as our identity online. Only effective security policies along with strong laws can bring about durable changes in the security infrastructure, so that we can sleep tight without worrying about our data.