Data like digital water…(3)

Lots of comments and emails on this theme, so I’ll stick with it for a while.  In the first Digital-Water post, I mentioned that some of the recently-reported examples of data slipping, sliding, seeping and soaking its way to the sea included corporate breaches and lost laptops and eBay’ed hard drives and hacking contests.

For a guy who studies cyber crime all day, I should easily have recognized the biggest oversight in my thinking, even if it was only meant to be a few examples.  I’m referring, of course, to intentional theft of data, not by thieves outside finding a way to steal it, but by the people who actually have it in the first place.

A few days ago, the British Information Commissioner’s Office announced it was investigating claims that – allegedly – more than 35,000 English fans who visited Germany for the 2006 World Cup had personal and passport data copied and sold.  Far from a superstar hacking job, this is reportedly the simple abuse of access privileges by one of FIFA’s own employees, who saw the data as a marketer’s gold mine.   (Cuz, y’know, that’s really what you want in a world beset with cheap global travel and low-tech terrorism – someone hoping to sell tens of thousands of people’s ID and passport information.  Thanks, dude.)

I liked this quote from Amichai Shulman, CTO at Imperva (full disclosure, I know Amichai and his company well and like them):

“It confirms something we’ve been saying for some time, namely that most organizations defend their digital assets against external attack, but they ignore the internal threat at their peril…”

I definitely think this area alone is a far greater source of leakage of the digital water than current reporting would suggest.  Why?  Two reasons.  First, while external hacking or theft may be hard to stop or take a while to recognize, they usually show up on the radar sooner or later.  Eventually, people realize something was taken because the way the bad guys did it does leave tracks.

When it’s taken by someone who has legitimate access to the data (see how the Wikileaks kid did it – burned CDs off his Army workstation, wrote “Lady Gaga” on them so no one would want to check them), it can be nearly impossible to notice, because nothing anomalous will show in logs, security systems or audits: every individual access was authorized.  Second, if an organization finds it has been burgled by one of its own, there is an even greater disincentive to report or reveal the loss without compelling reasons.  Not only does it face the PR and regulatory headaches that ensue (as it would with an external thief), but it has the added complication of having to fess up that it was punked by one of its own, calling into question its internal controls and practices, screening and hiring processes, etc., not just the known weaknesses in outward-facing cyber security.
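One caveat worth putting beside that paragraph: each individual access by an insider is authorized, but the volume usually isn’t.  Somebody who normally looks at a few dozen records a day and suddenly pulls 36,000 of them onto removable media does leave a track, just not one that an access-control check will ever raise.  The script below is an added example (mine, not anything from the original post, FIFA, or the ICO investigation) of the kind of volume-based detection that catches this.  It reads a constructed, hypothetical tab-separated audit log (timestamp, user, action, record count, destination) and flags a user-day whose record volume is both above an absolute floor and far above that user’s own median; real database, DLP or endpoint logs have different fields, but the logic is the same.

```python
"""Volume-based detection of authorized-but-abnormal data access.

Added example; not code from the original post. The log format is a
constructed, hypothetical application audit log, one line per access:
    ISO-timestamp <TAB> user <TAB> action <TAB> records <TAB> destination
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample data: alice does routine lookups for three days, then
# exports 36,000 records to removable media. bob is steady and small.
SAMPLE_LOG = """\
2010-06-01T09:12:03\talice\tquery\t40\tscreen
2010-06-01T11:40:51\talice\tquery\t55\tscreen
2010-06-02T10:02:11\talice\tquery\t38\tscreen
2010-06-03T09:55:27\talice\tquery\t61\tscreen
2010-06-04T14:20:09\talice\texport\t36000\tremovable_media
2010-06-01T08:30:00\tbob\tquery\t12\tscreen
2010-06-02T08:31:10\tbob\tquery\t9\tscreen
2010-06-03T08:29:44\tbob\tquery\t15\tscreen
2010-06-04T08:33:02\tbob\tquery\t11\tscreen
"""


def parse_log(text):
    """Parse the hypothetical log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, records, dest = line.split("\t")
        events.append({
            "day": datetime.fromisoformat(ts).date(),
            "user": user,
            "action": action,
            "records": int(records),
            "dest": dest,
        })
    return events


def daily_volume(events):
    """Total records touched per (user, day)."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["day"])] += e["records"]
    return dict(totals)


def flag_bulk_access(events, factor=10, floor=1000):
    """Flag a user-day whose volume exceeds `floor` records AND `factor`
    times the median of that user's other days.

    The floor stops a 5-record-a-day user from being flagged at 60
    records; the per-user factor keeps a genuinely heavy but steady user
    from being flagged every single day. Each user is compared to
    themselves, which is the only baseline that makes sense when every
    access is individually authorized.
    """
    by_user = defaultdict(dict)
    for (user, day), n in daily_volume(events).items():
        by_user[user][day] = n

    alerts = []
    for user, days in by_user.items():
        for day, n in sorted(days.items()):
            others = [v for d, v in days.items() if d != day]
            baseline = median(others) if others else 0
            if n >= floor and n > factor * max(baseline, 1):
                alerts.append((user, day.isoformat(), n, baseline))
    return alerts


def flag_removable_media(events):
    """A second, independent signal: any write to removable media."""
    return [(e["user"], e["day"].isoformat(), e["records"])
            for e in events if e["dest"] == "removable_media"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in flag_bulk_access(evs):
        print("bulk access:", alert)
    for alert in flag_removable_media(evs):
        print("removable media:", alert)
```

Run against the sample, only alice’s fourth day fires: 36,000 records against her own median of 61.  Both rules are deliberately crude; the point is that the signal lives in volume and destination, which an authorization check never looks at, and that the baseline has to be per-user or the alert either fires constantly or never.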

Closing with another quote, this one from McAfee CTO George Kurtz in the wake of the Aurora attack.  While he was speaking specifically about source code (the intellectual property taken in that case), I think if you apply it to IP in general, it makes a nice closer for today:

“If organizations today secured their financial assets as they secure their source code, they’d be broke…”

Disclaimer: The views expressed on this blog are mine alone, and do not represent the views, policies or positions of Cyveillance, Inc. or its parent, QinetiQ-North America.  I speak here only for myself and no postings made on this blog should be interpreted as communications by, for or on behalf of, Cyveillance (though I may occasionally plug the extremely cool work we do and the fascinating, if occasionally frightening, research we openly publish.)
