Since the first cavemen planned their first theft of fresh meat from a rival tribe, the bad guy has always looked for the big score. From Jesse James to John Dillinger to Willie Sutton, there have always been those who hunted the big game.
The world of cybercrime isn't much different. While there are plenty of hackers who make a good living cracking small business accounts or stealing individual identities, the most ambitious attackers prefer a challenge. NASA. The White House. The National Security Agency. And it's hardly a surprise to hear that hackers are taking plenty of shots at today's golden gooses of user information: Facebook, Twitter, and Google.
With all of this as backdrop, it constantly amazes me that large, hugely successful organizations still often fail in their efforts to preserve databases of hundreds of thousands -- sometimes millions -- of users. How can such enormous volumes of data be compromised?
This weekend's breach of 50 million customer records at digital deals site LivingSocial.com is just the latest of many "big scores" registered by attackers during the past few years, and it won't be the last. From the Veterans Administration in 2006 to Heartland Payment Systems in 2008 to Sony in 2012, the cybersphere is littered with incidents in which a single breach affected millions of users.
In virtually all of these cases, major, successful businesses created huge stores of sensitive user data -- and then failed to secure them properly. In many cases, they built databases with the value and attractiveness of Fort Knox on the back end and Web applications with the security of a Wal-Mart revolving door on the front end. It's mind-boggling.
What's surprising is not that there were vulnerabilities in these systems and applications -- few come out of development without flaws these days. A study published earlier this month by Cenzic suggests that 99 percent of all applications contain vulnerabilities.
What's surprising is that organizations that maintain such huge stores of valuable data don't do more scanning, penetration testing, and vulnerability assessment of their systems on a regular basis. The 2013 Verizon Data Breach Incident Report, posted two weeks ago, indicates that most breaches are still found not by the victim organization, but by a third party.
If you are Mom and Pop's Grocery, then you might still be a target for cybercriminals. But if you are NASA, Google, McDonald's, or General Motors, you can *bet* on it. If you are a business that holds millions of users' personal data, you can count on constant attacks, ranging from hobbyists to the Russian mafia. If you are visible and successful, you will be attacked.
With this in mind, it's important for companies that maintain valuable data stores to take precautions. LivingSocial.com helped itself by storing passwords in an encrypted form that was both salted and hashed. In the end, it might have helped itself even more by conducting constant vulnerability scans, pen tests, and risk assessments, even on production systems. It's not enough to test before deployment -- you have to test after your systems and applications are deployed as well.
Big-game hackers, like the famous thieves and bank robbers before them, are going to keep looking for the big score. If you happen to have such a score in your enterprise, you'd better be thinking about what you're doing to stop them. If you don't, you might very likely be the next big headline.