2014-06-05

Are we really in the middle of a data breach epidemic?

 

Davey Winder explains why the recent run of data breach headlines is really nothing to worry about

 

 

eBay got hacked and then got the response all wrong. Office (the shoe retailer, not the Microsoft software suite) had a server attacked, resulting in customer data being compromised. Even anti-virus vendor Avast saw its online forums hacked, and user passwords compromised as a result.

 

No-one’s 100 per cent sure what happened over at music streaming giant Spotify, other than there was unauthorised access going on, although it looks very much like it could have been a proof-of-concept attack via the Spotify Android client.

 

Oh, and let's not forget the whole Heartbleed story, which continues to roll on as a new wireless attack vector is suspected.

 

With all this going on, you’d be forgiven for thinking there is a security breach epidemic happening right now, but is that actually the case?

 

One PR company got in touch with me to pitch a by-lined article on why breaches are happening more often. I'm not mentioning them, as I've been around long enough to understand that when someone says 'bylined article' they actually mean 'thinly-disguised product marketing pitch'.

 

Anyway, the point is this misplaced pitch included a helpful list of reasons to explain why there has been a "sudden spate of cyber security breaches" of late.

 

Despite my having experienced similar waves of breach disclosures many times before in my twenty years of covering the security business, some of the ten reasons listed got my back up, and I have decided to address them one-by-one.

 

1. Hackers are getting better at hacking

 

Actually, hackers are probably getting lazier and more complacent than they have ever been. There are more tools out there to facilitate easy hacking, and more vulnerabilities to be exploited. But the real biggie is the lack of understanding of security issues by organisations.

 

So, hackers may be having more success (although there's little actual evidence to support this) and companies are now disclosing breaches more readily, but that doesn't mean hackers are getting better at hacking.

 

2. There are more hackers, doing more hacking

 

See above. There are more criminals exploiting vulnerabilities, perhaps, and using readily available exploit kits, but when it comes to the old school, competent 'real' hackers, then my gut tells me the numbers are decreasing.

 

3. IT providers are failing to provide adequate security measures

 

OK, you've got me there, I cannot argue with that one. Quite obviously there is an 'adequate security' failure happening here, and service providers need to man up and strengthen their efforts. 

 

4. Organisations are getting worse at security

 

Again, no argument from me here. Organisations *think* they are getting better at security, which is a big part of the problem, but actually they are getting better at investing in the wrong solutions and worse at keeping up with the real threat vectors.

 

5. Organisations are getting better at breach detection

 

Again, I agree that breach detection methodologies are improving and attacks that might have gone unnoticed a decade ago are now more routinely spotted. Unfortunately, if you read the detail of compromises over the last few years, you will note that many of them went totally undetected for months on end, all the time collecting data and compromising users.

 

This suggests breach detection has a long way to go, and the chances are the breaches we read about are just the tip of the iceberg as far as actual successful attacks go.

 

6. Organisations are disclosing more

 

Yep, it's true that both regulatory and reputational pressures have meant more companies are willing to disclose breaches, which means we read about more of them. In turn this bolsters the impression that attacks are on the up and our data is at more risk than ever. That impression may, or may not, be correct.

 

7. There's more data out there

 

Well, there's certainly more data than there was ten years ago, or even ten minutes ago. The stuff multiplies constantly, but that isn't the same as there being more valuable data out there of course.

 

8. There's more valuable data out there

 

I'm not convinced today’s data is really much more valuable than it was yesterday, and that the hacking stakes (risk vs profit) have been raised as a result. My own investigations over the years suggest the real world value of the data being stolen is dropping faster than a hot brick. The Shadow Internet is awash with very cheap stolen data these days. It's a reflection of dark market forces in action: when supply outstrips demand then values fall.

 

9. Everyone is stupid

 

The argument that everyone from admins to end users is becoming increasingly careless with their information assets is not one I am going to take issue with.

 

10. This all adds up to a perfect insecurity storm

 

Possibly, but what the heck is that doing in the top ten list anyways? Surely it's really a top nine list, or more to the point a top five, when you discount the duplicated points and the conclusion being thrown in at number ten.

 

There's no denying that data security is a hot topic right now and that's not going to change any time soon.

 

Truth be told, though, it's been a hot topic for my entire career and all that changes are the specifics. There is no breach epidemic; data insecurity is just a self-inflicted wound. The big picture remains the same: identify your valuable data and invest in securing it accordingly. If you don't, then one thing is certain: one day your company will be adorning the news section of IT Pro.

 

Original Article http://www.itpro.co.uk/security/22399/are-we-really-in-the-middle-of-a-data-breach-epidemic
