The Ultimate Cluestick
Hit them with it. Sue their pants off.
Pop quiz. You go to your favourite watering hole in Beverly Hills. You leave your gas guzzler with the valet. After dinner you go back out and the valet tells you your car's been stolen. But upon further investigation it's found the restaurant has a bad habit of leaving car keys in the ignition. Nothing ever happens in Beverly Hills.
Part One: who's liable? Answer: your insurance company will probably sue the pants off the restaurant.
Part Two: would you ever go back to that restaurant again?
So - when it's about OPM (other people's money) or OPP (other people's property) or OPI (other people's identity) who's responsible when there's a breach and you suddenly find your name all over the Internet?
That's a rhetorical question.
Banks used to know how to do things like this. Their livelihood depended on it. They built up stable routines over the years. But when it comes to the Internet it's not just the banks playing valet anymore and it's not the same scenario anyway. And when it comes to following security procedures most of the companies you trust simply don't give a shit.
So if anything ever happens to you - sue their pants off. That's the only way they'll ever change.
Brian Krebs of Security Fix has taken a look at a rather remarkable report from Verizon. You don't have to read it - at least not right now. Brian's already done the groundwork for you. And this article will further synthesise things.
Behind the Stats
Verizon studied some 500 data breaches they investigated over the years to see if they could discern any telling trends. They came up with a shitload. 'Companies are too trusting of their core business partners, far too complacent with their own internal security and too willing to violate their own security policies', summarises Krebs.
Krebs picks out some really juicy percentages. Prepare to be frightened.
- 63% of the victimised companies didn't get a clue they'd been hacked until months after the attack.
- 82% of the victimised companies had all the clues in their network logs all along but never looked.
- 70% of the victimised companies found out about the attacks after the fact through third parties such as banks or law enforcement or the clients who'd trusted them.
- 79% of the victimised companies were hit because they ignored their own security procedures.
And you trusted these people.
The Rock Star Hacker
The days of the rock star hacker are gone. Today it's serious business and the black hat pros who carry out this work are good at it. Their work is often boring, a drudgery - but they get their results and that's why they're paid so well.
They work methodically - much as explained in 'Hacking Exposed'. They research the target, footprint all possible means of access, find the path of least resistance - and then strike. And after they get what they broke in for they do their best to cover their tracks.
Finding out how black hats broke in by studying the logs isn't the easiest way anymore - auditing corporate security is often much easier. Especially with the arrogance so many companies are showing towards the trust their clients give them.
Whether it's money in a bank or an identity entrusted to an online enterprise: there's no excuse and there should be legislation holding these people responsible - only by hitting them where it hurts will they ever change.
Security Fix: The Ultimate Cluestick
Verizon: 2008 Data Breach Investigations Report