Risk
4/29/2013
07:38 PM
Tim Wilson
Commentary

Big Data Makes A Big Target

LivingSocial.com is another in a long line of "big scores" for data attackers

"Now nobody get nervous, you ain't got nothing to fear. You're being robbed by the John Dillinger Gang, that's the best there is!" -- John Dillinger

Since the first cavemen planned their first theft of fresh meat from a rival tribe, the bad guy has always looked for the big score. From Jesse James to John Dillinger to Willie Sutton, there have always been those who hunted the big game.

The world of cybercrime isn't much different. While there are plenty of hackers who make a good living cracking small business accounts or stealing individual identities, the most ambitious attackers prefer a challenge. NASA. The White House. The National Security Agency. And it's hardly a surprise to hear that hackers are taking plenty of shots at today's golden gooses of user information: Facebook, Twitter, and Google.

With all of this as backdrop, it constantly amazes me that large, hugely successful organizations still often fail in their efforts to preserve databases of hundreds of thousands -- sometimes millions -- of users. How can such enormous volumes of data be compromised?

This weekend's breach of 50 million customer records at digital deals site LivingSocial.com is just the latest of many "big scores" registered by attackers during the past few years, and it won't be the last. From the Veterans Administration in 2006 to Heartland Payment Systems in 2008 to Sony in 2012, the cybersphere is littered with incidents in which a single breach affected millions of users.

In virtually all of these cases, major, successful businesses created huge stores of sensitive user data -- and then failed to secure them properly. In many cases, they built databases with the value and attractiveness of Fort Knox on the back end and Web applications with the security of a Wal-Mart revolving door on the front end. It's mind-boggling.

What's surprising is not that there were vulnerabilities in these systems and applications -- few come out of development without flaws these days. A study published earlier this month by Cenzic suggests that 99 percent of all applications contain vulnerabilities.

What's surprising is that organizations that maintain such huge stores of valuable data don't do more scanning, penetration testing, and vulnerability assessment of their systems on a regular basis. The 2013 Verizon Data Breach Incident Report, posted two weeks ago, indicates that most breaches are still found not by the victim organization, but by a third party.

If you are Mom and Pop's Grocery, then you might still be a target for cybercriminals. But if you are NASA, Google, McDonald's, or General Motors, you can *bet* on it. If you are a business that holds millions of users' personal data, you can count on constant attacks, ranging from hobbyists to the Russian mafia. If you are visible and successful, you will be attacked.

With this in mind, it's important for companies that maintain valuable data stores to take precautions. LivingSocial.com helped itself by storing passwords in an encrypted form that was both salted and hashed. In the end, it might have helped itself even more by conducting constant vulnerability scans, pen tests, and risk assessments, even on production systems. It's not enough to test before deployment -- you have to test after your systems and applications are deployed as well.

Big-game hackers, like the famous thieves and bank robbers before them, are going to keep looking for the big score. If you happen to have such a score in your enterprise, you'd better be thinking about what you're doing to stop them. If you don't, you might very likely be the next big headline.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...

Comments

PJS880,
User Rank: Ninja
5/27/2013 | 2:56:28 PM
re: Big Data Makes A Big Target
I have to agree that in order to keep your security systems up to date they must undergo personal penetration testing to see what their threats and vulnerabilities are. I have to further say that if you are a large company then you must go through these tests in order to ensure the security of your users' data. I still say even if you are a small mom and pop shop you should do a little homework in regards to maintaining your own security. LivingSocial at the very least was smart enough to encrypt the passwords, so the attackers were limited in some source.

Paul Sprague

InformationWeek Contributor