Tag Archives: breach

Bromium – The Dawn Of A New Era In Corporate Cyber Threats?

14 July 2014

The Dawn Of A New Era In Corporate Cyber Threats? | A Collection of Bromides on Infrastructure.

Although the picture reminds me of some scenes of Terminator II, Bill Gardner does not announce the imminent end of the world. In this blog post he just creates awareness for a new kind of attacks with may have dramatic impact on businesses.

Fortunately, today’s attackers focus on new market businesses. The impact of a data theft, e.g. loss of reputation or annoyed customers, is costly and exasperating for companies, but not life-threatening. Destruction of data and of backups, as in the case of Code Spaces, might lead in the worst case to loss of business and disastrous effect on customers.

But the expansion of malicious activities to old market businesses, like chemical and pharmaceutical plants or basic infrastructure like national gas or power supply systems, could have  a catastrophic impact on businesses, environment and people.

In addition, a third type of damage, integrity loss, caused by tampering of data, makes things really worse, because this kind of damage is very hard, and often only after several years, to discover.

We urgently need to prepare for the “Maximum Credible Accident!

For a good starting point see Mark Brown’s article “Where should a CISO look for cyber security answers – hardware, software or wetware?”.

Don’t Panic – All will end well!

The eBay data breach – Is hashing of passwords the appropriate response?

10 June 2014

The news about the data theft at eBay have almost electrified me. Not due to fears of losing my private data, I am not eBay customer, but the details under which the theft took place are interesting for me from a professional point of view.

My first thought was: This was an Insider Attack!

The IT departments of large companies are doing a very good job in operating the servers connected to the internet. I would have been very surprised about an attack through servers at the company’s border to the internet.

The information published by eBay at 21 May 2014 [1] saved my day:

‘Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network.’

I am not at all surprised that eBay discovered the loss of customer information with a two month delay. According to the Ponemon Study 2013 [2] the average time to resolve attacks by ‘malicious insiders’ is 65.5 days in 2012 (57.1 days in 2011). That fits well even in this case.

But I am somewhat puzzled by the discussion in some blogs whether encryption is the adequate method to protect sensitive and private data from unauthorized access. Hashing is praised as a better method for protecting passwords.

In my opinion this discussion goes hardly far enough. The loss of e-mail address, physical address, and date of birth is to take at least as seriously as the loss of passwords, since this information enables e.g. professionally made targeted phishing attacks. And, as we all know, an experienced hacker can attack even a hashed password, in particular if he has enough time behind closed doors. See [3] for amazing details about cracking of hashed passwords.

Just new technology will not necessarily increase the overall security because the root causes for this data breach are more likely a lack of security awareness and training. Therefore, only the classic PPT approach, which includes People, Processes and Technology, will lead to an increased overall security.
PPT - People, Processes, Technology

PPT – People, Processes, Technology