What causes enterprise data breaches? The terrible complexity and fragility of our IT systems
Bank robber Willie Sutton, when asked why he robbed banks, answered "That's where the money is." It's the same with breaches. Large databases are the targets of people who want data. It's that simple.
We need to understand that there are different sorts of breaches and corresponding causes. Most high profile breaches are obviously driven by financial crime, where attackers typically grab payment card details. Breaches are what powers most stolen card crime. Organised crime gangs don't pilfer card numbers one at a time from people's computers or insecure websites. (And the standard advice to consumers to change their passwords every month and to make sure they see a browser padlock is nice, but don't think it will do anything to stop mass card fraud.)
Instead of blaming end user security, we need to really turn up the heat on enterprise IT. The personal data held by big merchant organisations (including even mundane operations like car parking chains) is now worth many hundreds of millions of dollars. If this kind of value was in the form of cash or gold, you'd see Fort Knox-style security around it. Literally. But how much money does even the biggest enterprise invest in security? And what do they get for their money?
The grim reality is that no amount of conventional IT security today can protect against attacks on assets worth billions of dollars. The simple economics is against us. It's really more a matter of luck than good planning that some large organisations have yet to be breached. (And that's only so far as we know.)
Organised crime is truly organised. If it's card details they want, they go after the big data stores, at payments processors and large retailers. The sophistication of these attacks is amazing even to security pros. The attack on Target's Point of Sale terminals for instance was in the "can't happen" category.
The other types of criminal breach include mischief as when the iCloud photos of celebrities were leaked last year; hacktivism; and political or cyber terrorist attacks, like the one on Sony.
There's some evidence that identity thieves are turning now to health data to power more complex forms of crime. Instead of stealing and replaying card numbers, identity thieves can use deeper, broader records like patient records to either commit fraud against health system payers, or open bogus accounts, and build them up into complex scams. The recent Anthem database breach involved extensive personal records on 80 million individuals; we have yet to see how these details will surface in the identity black markets.
The ready availability of stolen personal data is one factor we find to be driving Identity and Access Management (IDAM) innovation; see "The State of Identity Management in 2015". Next generation IDAM will eventually make stolen data less valuable, but for the foreseeable future, all enterprises holding large customer datasets we will remain prime targets for identity thieves.
Now let's not forget simple accidents. The Australian government for example has had some clangers, though these can happen to any big organisation. A few months ago a staffer accidentally attached a file to an email, containing passport details of the G20 leaders. Before that, we saw a spreadsheet holding personal details of thousands of asylum seekers get mistakenly pasted into a government website's HTML.
A lesson I want to bring out here is the terribly complexity and fragility of our IT systems. It doesn't take much for human error to have catastrophic results. Who among us has not accidentally hit 'Reply All' or attached the wrong file? If you did an honest Threat & Risk Assessment (as one should) on these sorts of office systems, you'd have to conclude they are not safe to handle sensitive data nor to be operated by most human beings. And yet we simply cannot afford NOT to use the systems. We've created a monster.
Again, criminal elements know this. The expert cryptographer Bruce Schneier once said something like "Amateurs hack computers; experts hack people". Access control on today's sprawling complex computer systems is generally poor, leaving the way open for inside jobs. Just look at the Chelsea Manning case, one of the worst breaches of all time, made possible by granting too high access privileges to too many staffers.
Outside government, access control is worse, and so is access logging - so system administrators often can't tell there's even been a breach until circumstantial evidence emerges. I am sure the majority of breaches are occurring without anyone knowing. It's inevitable.
Please, don't anyone talk to me about PCI-DSS! The Payment Card Industry Data Security Standards for protecting cardholder details haven't had much effect at all. Some of the biggest breaches of all time have affected top tier merchants and payments processors that appear to have been PCI compliant. Yet the lawyers for the payments institutions will always argue that such-and-such a company wasn't "really" compliant. And the PCI auditors always walk away from any liability for what happens in between audits. You can understand their position; they don't want to be accountable for wrong doings or errors committed behind their backs.
However, cardholders and merchants are caught in the middle. If a big department store passes its PCI audits, surely we can expect them to be reasonably secure year-long? No, it turns out that the day after a successful audit, an IT intern can mis-configure a firewall or forget a patch; all those defences become useless and the audit is rendered meaningless.
Which reinforces my point about the fragility of IT. It's impossible to make lasting security promises anymore.
In any case, PCI is really just a set of data handling policies and promises. They improve IT security hygiene, and ward off amateur attacks. But they are useless against organised crime or inside jobs.
There is an increasingly good argument to outsource data management. Rather than maintain brittle databases in the face of so much risk, companies are instead turning to large reputable cloud services, where the providers have the scale, resources and attention to detail to protect data in their custody. Constellation has previously looked at what matters in choosing cloud services from a geographical perspective (see "Why Cloud Geography Matters in a Post-Snowden/NSA Era"); in forthcoming research we will examine a broader set of contract-related KPIs to help buyers make the right choice.
If you ask me what to do, I'd say the short to medium term solution is to get with the strength, and look for managed security services from specialist providers. In the longer term, we will see grassroots re-engineering of our networks and platforms, to harden them against penetration and identity theft.