As just about everyone who reads the news knows, Google announced on Tuesday, January 24, 2012 that it would merge the data it collects from individual users across all of its properties starting March 1, 2012. Basically, Google will be able to better anticipate how to direct individual user activities to best serve their needs, building a grand database of all user activity and behaviors. The question that few are asking, though, is what the impact will be on businesses. That's where things get really complicated.
Organizations have a lot of cybersecurity challenges, and the Federal government probably has it worse than most. It represents a highly visible target, presents a huge attack surface, and maintains some of the most valuable information on the planet. To the modern hacker (state-sponsored or otherwise), U.S. government systems look collectively like a huge walled-off fresh water lake in a desert full of thirsty people.
Having spent nearly my entire IT career supporting the Federal government, I would argue that cybersecurity is only a tough puzzle to solve when you're trying to force the pieces into the wrong places. Rather, in my experience, the government tends to be deluded into seeing the cybersecurity picture as something different than reality. That's not to say that there are no good people in government cybersecurity. There are. But those people lack the tools and access to make much more than baby steps in progress, and are often supported by security practitioners who depend too much on ineffective practices that they defend as "leading."
I attended a series of web meetings over the past two weeks for the Federal Advisory Committees (FACAs) under the HHS Office of the National Coordinator for Health Information Technology. After listening in to the public Privacy and Security standards working group, I became a bit frightened by how legacy thinking around information security continues to leave us vulnerable to general mischief. The IT industry needs more innovation than we're receiving, especially with regards to the protection of our personal information.
Last week, I presented an argument for why the new SEC cybersecurity disclosure guidance is really a big deal for the information security community. If my prediction is right, then publicly-traded companies in the U.S. are going to start facing auditor requests for more cybersecurity information by late next year. Companies need to start preparing for those requests now to prevent potential negative shareholder action in the future.
In my posting How Hacker Targets Become Victims, I implied a little secret about the information security industry regarding the tools that we've come to believe are absolutely necessary. They are not as effective as you typically think they are. In fact, many are slowly sucking us dry without providing much value in return.
In my previous post How Hacker Targets Become Victims, I examined a common Man-In-The-Middle attack that hacker organizations are using today to steal from various types of organizations. An "Attacker" gains control of a target computer system, and then hijacks the web browser once the target logs into the account, without alerting the target to the problem. It's an amazing attack because it completely bypasses most of the controls that the banks put in place to protect business accounts. The attack vector renders standard and multifactor authentication controls irrelevant and makes bank efforts to authenticate the computer system useless. What would happen if all of a sudden your organization were unable to make payroll because a hacker wiped the bank account clean the night before? As many of these organizations found out, the organization would likely be left to cover the loss themselves.