AOH :: IS1152.HTM|
Fighting the good fight
Fighting the good fight
Fighting the good fight
Site design & layout copyright © 1986-2014 CodeGods
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Content-Type: TEXT/PLAIN; CHARSET=UTF-8
By Mary Kirwan
special to Globetechnology.com
September 18, 2008
We are not winning the battle against computer hackers. In fact, they
are running rings around us.
But what are we doing to remedy the situation? Do we stand a fighting
chance? Or is resistance futile against an army of computer geniuses
spread around the world?
The massive security breach at US retailer TJX was a case in point.
Media focus has been on the fact that insecure wireless networks
facilitated the attack by a motley crew of attackers, recently charged
by US prosecutors, although many of them remain at large.
But was the scenario avoidable?
A top TJX executive, vice-chairman Donald G. Campbell, recently told the
Boston Globe that the record-breaking breach cost TJX $202 million in
security remediation costs, and in settling consumer lawsuits, and
presumably to pay fines levied by the credit card companies for failing
to comply with industry security standards.
$202 million is a tidy sum in tough economic times.
Not to mention the fact that banks and credit unions spent millions of
dollars to reissue compromised cards, and in turn sued anyone who seemed
like a deep pocket. Regulators and law enforcers entered the fray, and
legislation mandating more robust security procedures - targeting
retailers - was passed in Minnesota. US retailers fumed, and finger
pointing was rife.
Clearly, the repercussions of rogue keystrokes by individuals often
little more than immature adolescents, are too severe to be ignored. We
simply must take the fight to them, instead of serving ourselves up on a
plate like sacrificial lambs.
But we are still in denial.
The general consensus is that security at TJX was pretty abysmal.
However, according to TJX's Mr. Campbell, TJX "believes its security was
comparable to most other major retailers and generally better than
retailers who are not as large."
He also expressed the view that the US should adopt chip and pin
technology for bankcards, in place of current magnetic stripe systems
that are less secure and easy to clone. He told reporters that the
technology, common in Asia and Europe- and to be gradually phased in
here in Canada- would have prevented the security breach at the massive
I remain doubtful that this is an accurate assessment of the situation,
but this upgrade would cost a fortune to introduce in the United States,
and no one is enthusiastic. The merchants will balk at the costs of new
bankcard readers, and criminals will adapt. If they can't immediately
break the underlying technology, they will work around it, and find
numerous paths of least resistance.
Unlike their targets, the bad guys think out of the box, and they like
to keep it simple.
We, on the other hand, have a problem with simple. We tend inexplicably
to shy away from practical, inexpensive, common sense solutions.
Unfortunately, a good part of the reason for the flight to complexity in
managing security risks is that many companies simply do not know what
they are doing.
According to research from global payment security consultancy,
Trustwave, point-of-sale (POS) software at retail outlets =E2=80=94 and
implicated in the TJX attack - is frequently insecure. In a test
conducted with Visa last year, Trustwave identified vulnerabilities at
1,600 POS systems; these vulnerabilities were primarily caused by
improperly configured firewalls, and other avoidable errors.
However, they also found that sixty-three percent of the time, third
parties, paid to know better, such as POS developers, integrators or
local IT firms, used the same passwords for all clients running a
particular piece of software. Hackers are fully aware of these sloppy
practices, and exploit them to the hilt.
But if the experts make such basic mistakes, it surely bodes poorly for
the rest of the market.
A recent report by US wireless operator, Verizon's Business
Investigative Response team, The 2008 Data Breach Investigations Report,
drew on data from over 500 forensic engagements handled over a four-year
period (2004- 2007), representing more than 230 million compromised
The report makes it clear that we are our own worst enemy when it comes
to managing security risks.
Nine out of 10 data breaches involved organizations lacking basic
information about their information assets. Attacks involved systems,
data, network connections or accessibility that companies were unaware
of, or systems with unknown accounts or privileges.
Verizon called these eventualities, the "unknown unknowns", and describe
them as 'the Achilles heel in the data protection efforts of every
organization=E2=80=94regardless of industry, size, location, or overall security
You can't protect what you don't even know exists.
But resistance isn't futile: In 87 percent of cases, Verizon
investigators concluded that the breach could have been avoided if
reasonable security controls had been in place at the time of the
incident. And far from being the work of the truly gifted, eighty-three
percent of breaches were caused by attacks not considered to be
Companies also had fair warning of attacks, but missed the signs.
Verizon found that 'evidence of events leading up to 82 percent of data
breaches was available to the organization prior to actual compromise'.
Although large sums of money are spent on monitoring software, only 4
percent of incidents were detected by security technologies- not because
they don't work, but because no one was looking.
We simply have to do better. Or face the consequences.
Content-Type: text/plain; charset="us-ascii"
Register now for HITBSecConf2008 - Malaysia! With
a new triple-track conference featuring 4 keynote
speakers and over 35 international experts, this
is the largest network security event in Asia and
the Middle East!