Security Blues [T-SQL Tuesday #56 – Assumptions]

2014-07-08 - General, Security


T-SQL Tuesday #56

T-SQL Tuesday #56 is hosted by @DevNambi (b|t).
This month's topic is "Assumptions".

Security Blues

due diligence

Excuses

When I recommend that clients invest in their IT security, I often hear excuses such as:

  • We are too small to be of interest to anyone.
  • We don't have any data that is of interest to anyone.
  • Why would anyone want to attack us?
  • My clients don't have bad intentions.

All of them are based on the assumption that nothing will happen. And if you have been in business for a while and nothing has happened yet, you might feel that this assumption is indeed true.

The Anatomy of an Attack

No two attacks are alike. However, there are two main types of attack: the targeted attack and the drive-by attack.

The targeted attack is a game of "let's see if you can stop me". If someone is motivated enough, they will get through your defenses. However, that should not cause you to throw in the towel just yet. Most targeted attacks are executed by disgruntled employees, so there is a fairly high chance that you are not dealing with an experienced intruder. A little bit of Due Diligence will get you far along the road to protection. (If it ever comes to a lawsuit, Due Diligence will also weigh significantly in your favor.)

The drive-by attack is nasty. It is nasty because there was no warning sign and you were selected out of the blue. Or, were there warning signs? Wasn't there this security expert who told you a year ago that you really needed to close those gaps?

In a drive-by attack an intruder, often a so-called script kiddie, is trying to find a target based on a specific vulnerability that he just happens to know about. Take SQL injection, for example. Most websites and applications are vulnerable to it. In fact, injection vulnerabilities have led the list of vulnerabilities for years. (See for example the OWASP Top 10.)
Because SQL injection is so well "established" in the wild, there are tools available that automatically crawl the web to find vulnerable sites. After a site is discovered that way, the attacker spends a little time trying to "get in". There are many reasons that drive this type of attacker, but often they are just looking for (questionable) fame. For that, the attacker has to publish proof of success. That proof can be a list of passwords, or credit card or health-related data. Depending on their sophistication, they might also delete all your data in an attempt to hide their attack. That action is based on the hope that if the database is gone, any audit logs are gone with it.
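The "unlocked door" such a crawler looks for is usually a query assembled from user input. The following T-SQL is an added example, not code from the post: the same lookup written first with string concatenation and then with sys.sp_executesql and a typed parameter. The table dbo.Customers, the login AppUser and the procedure names are assumed for illustration.

```sql
-- Added example (not from the post). Assumed schema: dbo.Customers(CustomerId, LastName);
-- assumed application login: AppUser.

-- VULNERABLE: the input is pasted into the statement text, so a value that
-- contains a quote character changes the structure of the query instead of
-- merely being compared against LastName.
CREATE PROCEDURE dbo.FindCustomer_Unsafe
    @LastName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName FROM dbo.Customers '
      + N'WHERE LastName = ''' + @LastName + N''';';
    EXEC (@sql);   -- whatever @LastName contains is executed as T-SQL
END;
GO

-- FIXED: the statement text is constant and the value travels as a typed
-- parameter. SQL Server can only ever compare the input, never execute it,
-- and the plan is reusable as a bonus.
CREATE PROCEDURE dbo.FindCustomer
    @LastName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName FROM dbo.Customers '
      + N'WHERE LastName = @p_LastName;';
    EXEC sys.sp_executesql
        @sql,
        N'@p_LastName NVARCHAR(100)',
        @p_LastName = @LastName;
END;
GO

-- Second lock: the application login gets EXECUTE on the procedure only,
-- not SELECT or DELETE on the table, so a bug elsewhere in the application
-- cannot be used to "delete all your data" through that connection.
GRANT EXECUTE ON dbo.FindCustomer TO AppUser;
```

If the query has no dynamic parts at all, a plain parameterized SELECT inside the procedure is even simpler; dynamic SQL is used here only to show the two patterns side by side.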

So, why is a company selected for a drive-by attack? Not because it has a lot of valuable data, but because it did not have a lock on the door.

Collateral Damage

If a breach of your system happens and you store any type of sensitive information like credit card numbers or health-related data, the law in most countries requires you to make the breach public and, in addition, to notify each affected person individually. This can potentially cost you a lot of money, but more importantly, it will cost you customer trust. The total cost of a breach can easily go into the millions. In fact, there have been many cases over the last few years that cost each affected company more than ten million USD. That makes the penalties look small (penalties for credit-card-related breaches in the US, for example, start at 100,000 USD), but if you are a small business, such a penalty alone can cause your operations to crumble.

However, I would like you not to look at the impact that a breach might have on your business. I would like you to look at the impact that a breach has on your customers. If the breach involved "just" a list of emails and passwords, the impact can already be tremendous. If they act quickly enough, they just have to spend hours changing their password everywhere it was used (hint: do not reuse passwords). But if they did not react in time, the attacker might take over their email account and cause further damage from there. People affected by this can easily spend days getting everything back in order.

If the breach involved credit card data, it might lead to identity theft, which can cost the victim thousands and will potentially take years to clean up. If health data is involved, depending on the circumstances it can even cause an affected person to lose her job.

While you might think that you can handle the penalties and costs if something bad should ever happen, the effects on your customers, the very people that trusted you with their data, might be disastrous.

Now it is Your Turn!

Do not hide behind empty excuses. Do not assume that it will never happen to you. Instead, go and invest a little bit into your IT security. Remember, Due Diligence goes a long way.


2 comments
ThomasWMarshall

How do you go about quantifying those risks as they specifically apply to a small business? While the costs of a credit card breach can reach $100k, this can be a named peril in a business insurance policy. How would you estimate the damages incurred if an insurance policy covers such fines, but has the potential to increase policy premiums? What about damage in the customer's eye? What is each customer worth? Is it what it would cost to win them back or the revenue? What are the odds of a customer switching subsequent to a breach?

@sqlity moderator

@ThomasWMarshall, risk quantification is a difficult business. Insurance companies employ armies of mathematicians to get that right. (And then they counter-insure with other companies, in case they were wrong.) Risk assessment and management in a company falls under the role of the Security Officer. If your company is too small to have a dedicated security officer, you should consider hiring a security consultant.

There is no insurance out there that would pay for a penalty. The purpose of a penalty is to make the defendant painfully aware of his misdoings. A penalty insurance can therefore not be legal.

Your remaining questions are kind of covered by my first paragraph. Just a general note: it is always a lot cheaper to keep a current customer than to (re-)acquire one.