Cyber Defense Review

Our Data is Not Secure

By CPT Blake Rhoades, MAJ Jim Twist | October 28, 2015

Our data is not secure. That is the attitude you should take when interacting with providers online or when providing data at a point of sale. We must take the position that important personal data will be compromised at some point and we should therefore be prepared to enact a plan to reduce our vulnerabilities from its loss. According to the 2015 Verizon data breach report, there were over 2100 confirmed data breaches (pg5). These malicious attacks are conducted against the full range of providers that we all interact with, to include health insurers, financial institutions, educational institutions, and specialty services.

There is an underground economy that supports the theft and re-sale of records in bulk. In our view, data compromise is now pervasive and we are collectively at increasing risk from multiple exposures being found in several different data sets. Consider some of the more high profile data breaches this year; Snapchat 4.5 million names and phone numbers, eBay database of 145 million users compromised, Sony Pictures, OPM databases containing 22 million detailed records, Excellus Blue Cross Blue Shield 10 million records of PII, Scottrade 4.5 million records. T-Mobile/Experian 15 million records, UCLA Health 4.5 million records, Army National Guard, 850,000 records. The lists go on and on. Think about all the business that we do online, large and small. We don’t even hear about all the breaches that happen on a continuous basis. The Identity Theft Resource Center is (www.idtheftcenter.org) just one source listing the exhaustive compilation of these breaches.   According to the Ponemon Institute, data breaches cost our economy $1.377 billion with an average cost of $217 per US record.

While there is strong economic incentive for the bad guys to steal large amounts of data and use it for fraudulent activities or for re-sale on the dark web, there are strong trends working to our disadvantage in the IT security sector. Here are some of the trends as identified by Mandiant, a security company from their report M-trends 2015, A View from the Front Lines. Organizations are reluctant to come forward with disclosure, as public attention exacerbates their lost business (69% of businesses are notified by an external agency). On average, a malicious actor is present in a network for 205 days before being discovered. That increases the time we are vulnerable and negatively impacts our ability to react to the breach. Compounding these issues are organizations reluctance to upgrade their IT infrastructure appropriately. It is a business decision for them. If they can make more money using old technology, they are much more likely to provide stopgap measures rather than modernize and secure their architecture. As the bad actors get more sophisticated, it becomes like child’s play to steal huge amounts of data, whether it’s Personal Identifying Information, Credit Card Numbers, Health Records, or Fingerprints.

Here are some shocking statistics from a prominent security provider. According to a 2011 Norton/Symantec study, the cost of global cybercrime was $114 billion annually1. With 431 million adult victims globally and at an annual price of $388 billion globally cybercrime costs the world significantly more than the global black market in marijuana, cocaine and heroin combined ($288 billion).3 According to the Norton Cybercrime Report 2011 more than two thirds of online adults (69 percent) have been a victim of cybercrime in their lifetime. Every second 14 adults become a victim of cybercrime, resulting in more than one million cybercrime victims every day4.

Take the attitude that your data is not secure online. Be prepared to take action when you become aware of a compromise. Know who to call. Use the resources available from Personal Security Providers, US CERT, and others to limit your exposure and strengthen your online presence. Phishing is still the number one means of compromising organizations and personal systems. It’s your data.