A Blog by Jonathan Low


Jun 30, 2011

How Companies Make It Easy For Hackers


Companies face an exquisite dilemma: financial success requires greater ease of access, with internal syncing and transferability of data. Security requires restricting customers' ability to perform those very same activities. Business is doing what it usually does, trying to find a relatively unhappy medium. And it's not working.

Customers, with their two, three and even four devices, complain of slow response times. Then those selfsame customers - along with their bankers, lawyers and Congressmen - raise holy hell whenever data security is breached.

As John Gapper reports in the Financial Times, business should expect more attacks of various kinds: Eastern European criminal gangs looking to steal information that can be sold, Asian intelligence agencies looking for military and industrial secrets, terrorists looking to disrupt anything they can to make a point, and gangs of smart, anarchistic young men and women looking to have fun. This is not a big secret. But companies continue to behave in ways that, as Gapper notes, resemble hospital staff spreading disease by not washing their hands. There are protocols for this, and just as police tactics that targeted petty crimes before they grew into larger ones proved effective, adapting these protocols can make a difference. Any company that does not take these threats seriously - or fails to take effective action - is in for a miserable millennium. JL:

"Howard Stringer this week apologised at Sony’s annual general meeting in Tokyo for the hacking attacks that contributed to a 24 per cent fall in its shares in the past three months and a 16 per cent cut in his pay as chief executive. Meanwhile, the culprits have sailed gleefully away.

Sony’s defences against hacking attacks have proved pitiful: some 20 of its sites have been compromised since April and it had to shut down its PlayStation Network for several weeks. The financial cost was about $170m and the reputational cost has been greater, delaying Sir Howard’s aspiration to retire gracefully. Yet other companies are equally ill-prepared for a world in which they keep masses of valuable customer data in online databases and interact with the outside world through web applications. They have made themselves greatly more vulnerable to being severely hurt by hackers while taking only minimal steps to prevent it.

“It’s time to say bon voyage. Our planned 50-day cruise has expired,” wrote the six-person group of hackers Lulz Security, which has breached websites run by Sony, Citigroup, Nintendo, the Central Intelligence Agency and HBGary Federal, a security company.

It may be prudent to disappear – Ryan Cleary, a 19-year-old with links to LulzSec, has been charged in London with hacking offences, and the Federal Bureau of Investigation is trying to track down its US members. LulzSec claims simply to have been having fun. “This is the internet, where we screw each other over for a jolt of satisfaction,” it wrote in an earlier post.

Most of these attacks came not from eastern European organised criminal gangs searching for credit card numbers or state-sponsored Chinese hackers trying to penetrate US defence contractors but young men such as Mr Cleary who, according to his lawyer, has Asperger’s syndrome. They are obsessives who found it temptingly easy to breach the defences of supposedly sophisticated companies.

Take the “SQL injection” flaw in Sony’s websites, as well as others including HBGary Federal. A hacker who enters a few characters to indicate a software command in a standard field – such as the space for customers to enter their names – can extract information from the underlying database.

This is so far from being rocket science that it was this week rated in guidance on security flaws from the US Department of Homeland Security as “easily detected” and cheap to fix. Yet corporate sites are full of such holes, which can be identified by hackers using software to scan thousands of sites at a time.

These are “very simple programming errors akin to doctors spreading infections by not washing their hands”, according to Alan Paller, director of research at the SANS Institute, a technology group that co-authored the guidance. Although cleaning up past software errors is time-consuming and difficult – as Sony has found – none of it is beyond the corporate grasp.

The problem has been a lack of will, or even awareness high up in companies that there were such gaping holes in their software applications. “It’s like leaving your door open because you’ve never been burgled. When it happens, you learn to lock up,” one corporate hacking target told me this week.

That was naive given how much companies now depend on holding and using data from customers. The shift from the analogue to the digital world means that data – from customers’ names and addresses to their credit card details and buying activity – are increasingly valuable.

The PlayStation Network, for example, has been a means for Sony to turn one-off customers into repeat subscribers, members of a proprietary network and consumers who provide behavioural data with each click of a controller or keyboard. The same goes for Amazon buyers, Facebook members, and even online newspaper readers.

The McKinsey Global Institute estimates that enterprises stored more than seven exabytes of new data on disk drives last year – one exabyte being the equivalent of 4,000 times the information stored in the US Library of Congress. McKinsey argues that the effective use of such “big data” is the key to productivity and margin gains.

All well and good but, in order to communicate with customers, companies have weakened former defences against hacking. “Corporations have gone from a castle-and-moat structure where networks were protected by firewalls to an information bazaar,” says Jeremiah Grossman, chief technology officer of WhiteHat Security.

Unless the web applications that are accessible to both customers and hackers are protected, it is easier to gain access to the databases in which a lot of sensitive data are stored. The damage can be enormous, as the Citigroup case – in which card information for 200,000 customers was hacked – shows.

For now, companies are not keeping their side of the implicit bargain with consumers: that they can be trusted with the data which they are given in good faith. To do so, they need not only to close the obvious holes in their infrastructure but be vigilant in protecting the information they store.

LulzSec has sailed away but it, or another hacking crew, will return – disaffected, proto-anarchist young men with an odd sense of humour are plentiful. If companies are not prepared, it is their fault."
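The “SQL injection” flaw that Gapper describes above, where a few characters typed into a name field pull data out of the underlying database, is easiest to understand with the vulnerable lookup and its fix side by side. The following is an added example written for this page, not code from the FT column, from Sony or from any of the sites named; it uses Python with an in-memory SQLite database as a stand-in for the web application's database, and the table names, rows and attack string are all constructed for illustration.

```python
# Added example (not from the FT column or any Sony code): the SQL injection
# pattern described above, with the hardened form beside it.  The tables,
# rows and payload are constructed here for illustration.
import sqlite3


def build_db():
    """Constructed sample database: a public-facing customers table and a
    cards table the application never means to expose through a name search."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE cards (card_number TEXT NOT NULL, holder TEXT NOT NULL);
        INSERT INTO customers (name) VALUES ('alice');
        INSERT INTO customers (name) VALUES ('bob');
        INSERT INTO cards VALUES ('4111111111111111', 'alice');
        INSERT INTO cards VALUES ('5500000000000004', 'bob');
        """
    )
    return conn


def find_customer_vulnerable(conn, name):
    """The flaw: the value typed into the name field is pasted into the SQL
    text, so a quote character ends the string literal and the rest of the
    input is executed as part of the statement."""
    sql = "SELECT id, name FROM customers WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_customer_safe(conn, name):
    """The fix: a parameterised query.  The driver passes the value separately
    from the statement, so whatever the user typed is only ever compared as
    data and can never change the shape of the query."""
    sql = "SELECT id, name FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed attack input for the name field.  The leading quote closes the
# literal, UNION appends a second SELECT with the same column count, and the
# trailing '--' comments out the closing quote the application adds.
PAYLOAD = "x' UNION SELECT card_number, holder FROM cards --"


def try_lookup(lookup, conn, name):
    """Run a lookup and report ('rows', result) or ('error', message).  Note
    that an apostrophe in a perfectly legitimate name is enough to break the
    vulnerable version, which is one reason these bugs are easy to detect."""
    try:
        return ("rows", lookup(conn, name))
    except sqlite3.DatabaseError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    conn = build_db()
    for label, fn in (("vulnerable", find_customer_vulnerable),
                      ("safe", find_customer_safe)):
        for name in ("alice", "O'Brien", PAYLOAD):
            print(label, repr(name), "->", try_lookup(fn, conn, name))
```

Against the vulnerable lookup the payload returns every row of the cards table, which is exactly the “extract information from the underlying database” outcome in the column; against the parameterised lookup the same string is just a name nobody has, and the query returns nothing. The fix is a one-line change per query, which is what makes the “cheap to fix” rating in the DHS guidance credible, and the fact that an ordinary name such as O'Brien crashes the vulnerable version is why automated scanners find these holes so readily.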
