Thursday, December 11, 2014

Your Reputation after a Data Breach.

Whether you asked for it, had an active hand in making it, or even acknowledge it, you have a reputation. It can be built up, blown up, and is blended from both fact and fiction. It is a wild beast that is only tamed in the way an adult grizzly plucked from the forest can be tamed. Despite all volatility and fragility you must manage it as best you can, because when your reputation takes a hit the foundations of success begin to shudder.

A company's reputation is the same. After Target's data breach one year ago, its customer satisfaction and service reputation stayed in decline for many months. S&P cut Target's credit rating due to the breach's bigger than expected impact on traffic and sales. Profits dropped 46% in Q4 of 2013, and the CEO was ousted five months after the breach went public.

There are plenty of tangible costs when a data breach occurs: lost productivity, forensic investigation, technical support, system availability, compliance and regulatory failure. Many of these costs, while significant, are manageable to an extent when the breach is kept under wraps. When word of a breach crosses over to the consumer side, the final tally of damage and cost is unpredictable. 42% of breached companies lost customers and business partners. 46% of a breached company's clients would no longer recommend the organization.

Companies like Sony, Home Depot, P.F. Chang's, Staples, Michaels and K-Mart have all been targets of data theft. Their damaged reputations will recover over time, but the repair costs are significant. A Ponemon survey stated that the average damage done to a brand ranges from $184 to more than $330 million and that, at best, brands lost 12% of their value after a breach.

Every company needs to do more to keep its reputation secure. While some data breaches will be physical blunders, many of them will be malware entering the network, whether it forces its way in or is invited in. Defence Intelligence helps its clients keep their data and their reputation secure with its advanced malware protection services. Take a look at what we can do to help. Don't be the next victim.

Thursday, December 4, 2014

The most interesting DDoS ever?

Those of you outside of Canada may not have been following this story, but you might want to as this one seems to have it all:

  • Accusations of police ineptitude and overreach
  • Listening devices
  • Claims and counter-claims concerning Anonymous
  • Twitter sparring
  • Social engineering
  • Multiple DDoS attacks
  • Bureaucratic boilerplate statements aplenty

The abbreviated story goes something like this...

An Ottawa teenager is charged with 60 offences related to ‘swatting’ various targets across North America. A hacker claims to have proof that said teen is innocent and identifies another as the culprit. The hacker contacts the family of the accused and the media. Listening devices are apparently discovered at the suspect's home. The hacker takes down city, police and court websites to bring attention to the case. Officials assure the public that no data has been breached, but that the hacker managed to get a password from the service provider via phone. The hacker continues to post via social media, promising proof. The father of the accused now says he is a ‘person of interest’ in the case.

We’ve seen hundreds of DDoS attacks in the news over the years, and thousands of them in the security community. They usually aren’t all that noteworthy and barely get a second glance. The attacks in Ottawa and across Canada over the past couple of weeks are rather unusual, however. You can catch up on the saga via:

Thursday, November 13, 2014

SecuriTea Leaves (Part Three): Future 2

The new Internet is one of openness and perpetual unfiltered documentation, not privacy and selective sharing. What impact will that have on the future of security, when the need for privacy lessens? If our dying generation is the last one concerned over privacy, what motivation is there for security enhancements?

In this series of posts I describe the possible futures of the tectonic shift in privacy we're riding right now and how it relates to the landscape of security. See SecuriTea Leaves Part One for more detail.

Future 2. No privacy. Strong persistent security. Teleportation a maybe.

This future shares much with Future 1 and is possibly just a stepping stone on the same trail. Like Future 1, this world has voluntarily given away its privacy, leaving little of one's life out of public view. What differs here is that individuality is still very important.

People won't mind if their emails are made public. They just won't want someone speaking for them using their identity without permission. A person won't mind being one voice amongst millions, but they will still desire the likes, the lols, the smiles, follows, ratings, and promotion. In this future every picture you take is immediately uploaded to the cloud (now a shared international database), which uses facial recognition to automatically tag you and all your friends. Every step you take is logged, every purchase you make is known, each entertainment choice is tracked, and it all has your name on it, but the phrase "invasion of privacy" never crosses your mind.

This future requires significant security to maintain. To protect the integrity of the data for the individual, identity verification and general information security become very important.

For security of identification there will have to be multiple checks: a verbal password combined with constant retinal presence. A perpetual presence indicator (PPI) is what maintains the validity of the link between the person and the action. If you're not looking at what you're creating, or if the eye isn't yours, then access is cut off. Security of the information itself will be difficult, keeping it both open and safe from alteration. The security priority here is not to keep data from public view but to keep the relationship of author to text or action valid.

This trust of the person-to-action relationship is most impactful and relevant with banking transactions, and that's where both the consumer and industry will want to position a mutual fulcrum and where this future has its genesis.

At some point, in the not too distant future, banks will no longer foot the bill for every purchase on a stolen credit card or money transfer made with stolen login credentials. They will turn the responsibility back to the consumer.

"Protect yourself, because we won't."

People might then be a little more cautious when using their credit card online, or they might embrace encryption or additional personal security options, but it is more likely people won’t voluntarily change their habits at all. Security changes will have to be forced on them.

Banks will effectively pass the buck, requiring a user of their online services to pass several security requirements in addition to the PPI (antivirus, no use of public Wi-Fi) before being allowed access to their own accounts. If you don’t qualify, you don’t get in. Retailers won’t rush to join this security revolution, but it will be forced on them as well. The banks will require new security regulations of payment processing groups to guarantee the validity of the end user, which will then trickle changes into the entire online shopping experience.

With so much awareness of you and your actions, this future world is incredibly personalized. What lives now as targeted ads and improved directions to your home will become mood-based music selection, automatic grocery list creation, and calendar planning (including television viewing, exercise schedule, and party attendance responses). Decisions will be made for you, and they’ll be the same ones that you would have made. Doctors send prescribed medicine to you without you visiting them or even knowing you have a problem. Spending habits are so guided that budgets don’t factor into purchases. Each day is laid out before you. Life becomes a big to-do list.

Do you think this is a possible future? Thinking about this future as a complete world, what doesn't fit or what did I miss? Could this idea of a PPI provide enough assurance that an action or data transfer/creation was made by a certain user? Can data sharing ever be really secure, especially when databases are linked? Does taking away choice make life easier or happier, or do we need the chaos and uncertainty to be people of substance?

Other posts in this series: SecuriTea Leaves

Part One: The introduction
Part Two: Possible Future 1