Risk
4/29/2013
07:38 PM
Tim Wilson
Tim Wilson
Commentary
50%
50%

Big Data Makes A Big Target

LivingSocial.com is another in a long line of "big scores" for data attackers

"Now nobody get nervous, you ain't got nothing to fear. You're being robbed by the John Dillinger Gang, that's the best there is!" -- John Dillinger

Since the first cavemen planned their first theft of fresh meat from a rival tribe, the bad guy has always looked for the big score. From Jesse James to John Dillinger to Willie Sutton, there have always been those who hunted the big game.

The world of cybercrime isn't much different. While there are plenty of hackers who make a good living cracking small business accounts or stealing individual identities, the most ambitious attackers prefer a challenge. NASA. The White House. The National Security Agency. And it's hardly a surprise to hear that hackers are taking plenty of shots at today's golden gooses of user information: Facebook, Twitter, and Google.

With all of this as backdrop, it constantly amazes me that large, hugely successful organizations still often fail in their efforts to preserve databases of hundreds of thousands -- sometimes millions -- of users. How can such enormous volumes of data be compromised?

This weekend's breach of 50 million customer records at digital deals site LivingSocial.com is just the latest of many "big scores" registered by attackers during the past few years, and it won't be the last. From the Veterans Administration in 2006 to Heartland Payment Systems in 2008 to Sony in 2012, the cybersphere is littered with incidents in which a single breach affected millions of users.

In virtually all of these cases, major, successful businesses created huge stores of sensitive user data -- and then failed to secure them properly. In many cases, they built databases with the value and attractiveness of Fort Knox on the back end and Web applications with the security of a Wal-Mart revolving door on the front end. It's mind-boggling.

What's surprising is not that there were vulnerabilities in these systems and applications -- few come out of development without flaws these days. A study published earlier this month by Cenzic suggests that 99 percent of all applications contain vulnerabilities.

What's surprising is that organizations that maintain such huge stores of valuable data don't do more scanning, penetration testing, and vulnerability assessment of their systems on a regular basis. The 2013 Verizon Data Breach Incident Report, posted two weeks ago, indicates that most breaches are still found not by the victim organization, but by a third party.

If you are Mom and Pop's Grocery, then you might still be a target for cybercriminals. But if you are NASA, Google, McDonald's, or General Motors, you can *bet* on it. If you are a business that holds millions of users' personal data, you can count on constant attacks, ranging from hobbyists to the Russian mafia. If you are visible and successful, you will be attacked.

With this in mind, it's important for companies that maintain valuable data stores to take precautions. LivingSocial.com helped itself by storing passwords in an encrypted form that was both salted and hashed. In the end, it might have helped itself even more by conducting constant vulnerability scans, pen tests, and risk assessments, even on production systems. It's not enough to test before deployment -- you have to test after your systems and applications are deployed as well.

Big-game hackers, like the famous thieves and bank robbers before them, are going to keep looking for the big score. If you happen to have such a score in your enterprise, you'd better be thinking about what you're doing to stop them. If you don't, you might very likely be the next big headline. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
5/27/2013 | 2:56:28 PM
re: Big Data Makes A Big Target
I have to agree that
in order to keep your security systems up to date they must under go personal
penetration testing to see what their threats and vulnerabilities are. I have
to further say that if you are a large company then you must go through these
tests in order to ensure the security of your users data. I still say even if
you are a small mom and pop shop you should do a little homework in regards to
maintaining your own security. LivingSocial at the very least was smart enough
to encrypt the passwords, so the attackers were limited in some source.

Paul Sprague

InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3407
Published: 2014-11-27
The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 9.3(.2) and earlier does not properly allocate memory blocks during HTTP packet handling, which allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCuq68888.

CVE-2014-4829
Published: 2014-11-27
Cross-site request forgery (CSRF) vulnerability in IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allows remote attackers to hijack the authentication of arbitrary users for requests tha...

CVE-2014-4831
Published: 2014-11-27
IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allow remote attackers to hijack sessions via unspecified vectors.

CVE-2014-4832
Published: 2014-11-27
IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allow remote attackers to obtain sensitive cookie information by sniffing the network during an HTTP session.

CVE-2014-4883
Published: 2014-11-27
resolv.c in the DNS resolver in uIP, and dns.c in the DNS resolver in lwIP 1.4.1 and earlier, does not use random values for ID fields and source ports of DNS query packets, which makes it easier for man-in-the-middle attackers to conduct cache-poisoning attacks via spoofed reply packets.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?