Thursday, September 6, 2007

The Monster Inside Monster.com

I'm sure many of you are aware by now of the data breach at monster.com, which affects not only monster.com users but also users of the subsidiary that serves the military, called Military Advantage. Also affected was usajobs.gov (I think I got that right).

As of yesterday, Monster could not determine the extent of the breach or the depth of the data theft (meaning what kind of data was taken, and how granular it was). But it does appear that names, email addresses, and other such common information were uploaded to a rogue server, which M.com had shut down once it figured out where the siphoned-off information was actually going.

They are not able to trace the hackers yet, but I'm sure they're working on it. I'd say they had better get the NSA and other such people involved - that's the only way to use the government's brute power to get to the bottom of this mess.

How does this affect most people? One of the main, and potentially dangerous, ramifications is that users may be subject to blackmail. Not only that, but knowing most details about a user, possibly including a home address, the hackers could initiate the infamous 'Hit Man' scam, in which random people got email saying they were on a hit list and would be killed unless they sent a certain amount of money. Very few people fell for it (among those who actually came forward to report the embarrassing incident), but I'm quite sure a significant majority kept quiet.

So, the same thing could happen here; think about the millions of records that were probably taken, and if you assume that only 1% responded to the blackmail, that's still a very large amount of money for the taking.

Where does the responsibility lie in this case? No question at all -- it's with the CISO if there is one; if not, the COO and CTO.

It's really remarkable that a company such as M.com, which has the trust of millions of job seekers, could not figure out the problem early enough; doing so would have saved a whole bunch of people a whole bunch of problems.
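A practical version of "figuring out the problem early enough" is to watch for the siphoning itself while it is happening. The script below is an added example, not Monster.com's code, and it does not describe how this particular breach was carried out or detected. It assumes (my assumption, not the post's) an application access log with one line per résumé search or export in the form `<ISO timestamp> <account> <action> <records_returned>`, and that a bulk theft shows up as one account pulling far more records per hour than everyone else. The log lines, account names and thresholds are constructed for the example.

```python
"""Flag accounts that pull records at an abnormal hourly rate.

Added example, not Monster.com's code. The log format, the account
names and the thresholds below are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: one line per search/export request.
# Assumed format: <ISO timestamp> <account> <action> <records_returned>
# One line is deliberately malformed to show that the parser skips it.
SAMPLE_LOG = """\
2007-08-17T09:00:01 recruiter-0042 search 25
2007-08-17T09:05:12 recruiter-0042 search 30
2007-08-17T09:30:40 recruiter-0091 search 20
2007-08-17T09:31:02 recruiter-0091 export 15
2007-08-17T09:45:00 recruiter-0091 search
2007-08-17T10:00:00 recruiter-0007 search 40
2007-08-17T10:00:03 recruiter-0007 search 250
2007-08-17T10:00:06 recruiter-0007 export 500
2007-08-17T10:00:09 recruiter-0007 export 500
2007-08-17T10:00:12 recruiter-0007 export 500
2007-08-17T10:00:15 recruiter-0007 export 500
2007-08-17T11:15:00 recruiter-0042 export 10
"""


def parse_log(text):
    """Parse log lines into (timestamp, account, action, records).

    Malformed lines (wrong field count, bad timestamp or count) are skipped
    rather than crashing the detector; a real deployment should count them.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            records = int(parts[3])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2], records))
    return events


def records_per_hour(events):
    """Total records returned per (account, hour) bucket."""
    buckets = defaultdict(int)
    for ts, account, _action, records in events:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        buckets[(account, hour)] += records
    return dict(buckets)


def flag_bulk_pulls(buckets, hard_limit=1000, ratio=10.0):
    """Return buckets that exceed a hard cap or sit far above the median.

    The median is used as the baseline because it is not dragged upward by
    the very outlier we are trying to catch. Result: a list of
    (account, hour_iso, records, reason), largest first.
    """
    if not buckets:
        return []
    baseline = median(buckets.values())
    flagged = []
    for (account, hour), records in buckets.items():
        if records > hard_limit:
            reason = f"over hard limit of {hard_limit} records/hour"
        elif records > ratio * baseline:
            reason = f"{records / baseline:.0f}x the median hourly volume ({baseline:.0f})"
        else:
            continue
        flagged.append((account, hour.isoformat(), records, reason))
    flagged.sort(key=lambda f: f[2], reverse=True)
    return flagged


def analyze(log_text):
    """Run the whole pipeline over raw log text."""
    return flag_bulk_pulls(records_per_hour(parse_log(log_text)))


if __name__ == "__main__":
    for account, hour, records, reason in analyze(SAMPLE_LOG):
        print(f"ALERT {account} {hour}: {records} records ({reason})")
```

On the constructed log only `recruiter-0007` is flagged, because it pulled 2,290 records in a single hour against a median of 45. The thresholds have to be calibrated against real traffic, and a patient attacker who stays under the hourly rate is only caught by widening the window (daily or weekly totals per account) or by correlating with the destination the data is sent to; the point is that the siphoning the post describes leaves a footprint in the application's own logs if anyone is looking.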

You also have fake employers posting job ads and then scamming money out of the gullible, or even the street-smart. I don't want to sound as if M.com is not a good place to further one's career interests, but I'm still a firm believer in networking - PHYSICAL, human networking.

You know why bin Laden has still not been caught? Lack of humint (human intelligence), that's why. I was reading a very nice article in Newsweek that talked about the hunt for this insanely elusive mass-murderer, and it cited how he uses money as well as punishment (the old carrot-and-stick approach) to get his way and evade the technological might of the most powerful nation in the world.

What does this have to do with the data breach? Well, who commits these acts? Not a self-learning, self-aware machine like HAL in 2001: A Space Odyssey (although that's not difficult to do), but HUMANS. It's people like you, like me, like us, who indulge in such nasty acts of damage and destruction.

It's impossible to prevent it (just read about the latest hacking controversy: the claim that China's military is behind the hacking of Pentagon computers, and of the UK military's as well). In this age, data is king, but information is the emperor. Getting random bits and bytes won't accomplish much; it's the intelligence that puts those bits and bytes together that causes the real damage to the data ecosystem.

Certainly, precautions MUST be taken. All kinds of anti-hacking software should be installed, and users (usually the weakest link) MUST be educated in depth. I've repeatedly stressed the power of education on this blog, but I'm sure nobody at such data-sensitive companies, including the government - neither management nor employees - takes it seriously. You cannot change such a mindset overnight, but you can certainly take a stab at it.

How?

a. Hire white-hat hackers (especially Certified Ethical Hackers) so they can form tiger teams to hunt down vulnerabilities (remember Kevin Mitnick?)

b. Perform vulnerability scans as often as possible

c. Keep AV, anti-spam, anti-malware and similar software updated to the latest version

d. Educate, educate, educate your employees and raise their awareness of the imminent threat that is the WWW

e. Isolate weak machines (those with known vulnerabilities), and either fix them or take them down

f. Have an internal email system and an external system, so that even if the external one is compromised (which at some point it will be) it won't shut the company's communications down. There should be a clear demarcation between the two, and they should NEVER mix

I could go on forever, but I need to stop before this becomes more than a blog and ends up a novella!

Be safe!
