Monday, November 16, 2015

Summary of the cybersecurity posts

Over the span of the last twelve weeks, I have examined some of the breaches and hacks that have occurred.  I chose this particular theme because I think if you are going to study cybersecurity, you need to have a strong understanding of where it can go wrong.  One thing that I have noticed in several of my classes throughout this degree is that the cybersecurity professionals like to discuss what should be done to protect the system as if there is an infinite budget that a company can give to the IT department to protect things.  In reality, companies MUST work with a limited budget, and IT will not get to use that entire budget.  It has to be shared with the rest of the company.  Therefore, it's fine to say that the company needs to have certain standards in place or use certain technology.  But you really learn from studying what happens when you don't use those standards or technology.  In the real world, you need to know how you will be affected and how you will overcome the problems.

Not long ago, I received my law degree.  I remember having a similar argument with one of my law professors.  He insisted that a better contract was needed between the parties, and that would have solved the problem.  I replied that from what I had seen in my office and in my studies, that was probably a true answer, but it doesn't account for the fact that every single case we study involves a situation where the parties failed in some respect.  Nobody goes to court when everything is going perfectly according to the contract.  The parties in that particular case didn't draw their contracts carefully.  How are they supposed to proceed now?  Furthermore, what happens when I get a client that didn't have me do their contract; instead, they did it themselves, and now they are having problems, and I need to help them solve those problems?  My professor didn't have a good answer.

The same is true in IT.  If the company engaged in perfect security measures for their information at all times, there would be no need for a cybersecurity degree.  Everything is going smoothly, and no hackers exist.  Unfortunately, that's a fictional world.  Companies mess up and hackers want to exploit those mistakes.  So how do we proceed in helping companies that have messed up?  The easy answer is to simply throw money at the problem and fix it before it's ever a problem.  That's a good answer in many respects.  Create a strong system and there's less to do later.  But how do you proceed if you are hired at a company that hasn't done that?  You have to study how other systems were breached.  You need to know what is occurring in the real world, and figure out how to make it work when it's imperfect.

I examined breaches and hacks because it's the imperfect side of business.  These involve big and small companies.  Some focused on the insider threats, whereas others were outside attacks.  Some could have easily been fixed, while others are still perplexing years later.  My goal was simply to shine a light on these past breaches in an attempt to learn more about them.

The assignment was valuable because it showed me where to look for breach causes.  In some cases, I discovered the answer, and in some I didn't.  This exercise also taught me to think about other consequences, such as when I received a letter that my information was compromised for a company I had no dealings with.  How did they get my information?  Was this a proper use of my information, or were they not supposed to have it in the first place?  These questions all drive at the root of discovering how breaches occur and what they affect.

Tuesday, November 10, 2015

Week 11, New York Taxis

I discovered an article that talks about a data breach involving New York taxis (Pandurangan, 2014).  At first, this sounded very juicy - after all, a data breach involving taxis in one of the world's most populated cities could be a horrific problem.  In the end, this breach turned out to be a bit anti-climactic.

The breach involved improperly encrypted data that gave information about over 173 million individual trips.  It revealed the pickup and dropoff location and time, and the license number and medallion number.  The problem is, what is this information likely to be used for?  In other words, if we're going to boil it down to a risk analysis, there's a risk here.  The data was not encrypted properly, it was released, and anyone with any skill at decrypting can figure out all of the information above.  On the other side of the analysis - what is this data actually worth?

The article discusses how one cabbie was making an unusual number of trips.  At first, I thought this is where the story would get juicy.  Maybe he is doing a drug running business on the side.  The article says it was just an error in the data. Even assuming it had been a drug running business, that information is useful to the company because they will want to fire him.  It's useful to the authorities because they may want to prosecute him.  It's not so useful to hackers looking for information to exploit.

There is one scenario where a hacker may benefit from the information.  Say there is a particular person being targeted for assassination.  They know that this target has an apartment in a particular area.  They could use the data to figure out if there is a pattern to the target's movements.  There are two problems with this theory: 1) this is the stuff of bad Hollywood movies, and 2) an assassin would likely already have that info without relying upon a data breach.  Simple observation is a much more effective way of finding out the info.

In other words, when you finish the risk analysis, lots of information was released, but the information doesn't seem to hold a very high value.  That's why this didn't make the front page of the news - no customers were harmed, no valuable sensitive info was taken.  It's just an information dump.

The value of examining a breach like this is that it's a good study not only in how not to properly encrypt your data, but also in conducting a risk analysis.  Just because information was breached doesn't mean this information was worth anything.

References:
Pandurangan, Vijay. "On Taxis and Rainbows." Medium. 21 June 2014. Web. 10 Nov. 2015.

Monday, November 2, 2015

British Airways Hack- Week 10

While any hack is undesirable, this week's hack could have turned out much worse.  British Airways was hacked in March 2015.  The hackers were able to gain information about members of British Airways' frequent flier club.  The hackers did not gain access to any payment information, names, or addresses.

Again, while any hack is undesirable, let's take a moment to consider how this could have gone differently.  What if the hackers didn't gain access to just frequent flier numbers, but also got names and addresses?  This would potentially cause identity theft issues.  If the hackers got access to payment information, this would potentially cause loss of money in addition to the identity theft.  Both of these are bad, but they are far from the most devastating hacks that could have occurred here.

Consider what would happen if the hackers didn't just gain access to the frequent flier numbers, but were able to hack all the way into the scheduling and routing systems, or worse, air traffic control.  Suddenly, you've got hackers controlling passenger jets.  

Sure, any hack is undesirable.  But if hacks are ranked in terms of potential devastation, the terrorism aspect of a hacker gaining access to passenger jets vastly outranks their gaining access to frequent flier numbers.

References:
British Airways frequent-flyer accounts hacked. (2015, March 29). Retrieved November 2, 2015, from http://www.theguardian.com/business/2015/mar/29/british-airways-frequent-flyer-accounts-hacked