by larrys 4170 days ago
What bothers me are things like this which appear to be marketing messages aimed at CYA types or to simply lather up grandpa and the media:

"The threat of people getting into our systems today is so great that every company in the world has to embrace the notion that not only are they going to get hacked, there’s a good chance hackers are already inside … and they just don’t know it."

...and this:

"This set of companies comprise a very interesting category because everybody’s going to get hacked, so now it’s just a question of how quickly we respond when we see odd stuff going on within the company."

Specifically "everybody" and "every company". [1]

The idea that "everybody" is going to get "hacked" reminds me of the early days of the internet when newspapers were confused by what a "hit" to a website was. Not only would they print whatever you told them but they didn't recognize that serving up a graphic file which created a log entry wasn't significant in the way they thought it was. So we can just change the definition of "company" to suit our purpose and goal.

The fact is, not even close to "everybody" is going to get hacked, at least in a way that actually matters. Correct me if I am wrong (you would know the answer to this better), but are there even enough bodies to take advantage of all the targets, assuming they had the skills and motivation to break into the targets and do something with the information?

[1] Is this the Valley's idea of saying that they can define things in a way that suits their purpose; in other words, only what they think is a company is a company?


Well, customer data isn't stolen by actual hacking, in my experience it's humans.

So many companies, particularly younger ones, have zero interest in putting up barriers to access as the company grows because in the early days, everybody was trustworthy and "because bureaucracy bad". So all the customer emails, phones, addresses, birth dates (and, I'm guessing, in the US SSNs) routinely fly around in Excel files called something like "Order Metadata Report" and sent to 50 people in 5 departments each of whom has their own use for it (like counting customers). Judging by the Sony hack it's not just SMEs.

If you want to steal data from a company, just pay a student a few hundred bucks to take up an unpaid internship in marketing (particularly anything to do with emails or customer segmentation) and give him a USB key and teach him some VBA and basic SQL (making him useful for reporting). The interns always end up running the reports so have a lot of access, usually complete access - financial information is the only thing that's not shared around. More advanced companies have a shared database access built into the Excel files with a single login for everybody which never changes (hello 300 angry users), so with a copy of this file, you have perpetual up-to-date information long after you're gone.

Then you try to stop them from doing this and the C-level folks will say something like "it's OK just this time" and "please stop slowing us down". Most of them will be gone to the next thing by the time the black swan lawsuit hits - if there even is one. How would customers know? Why would they care?

Cf http://xkcd.com/538/ and http://www.commitstrip.com/en/2014/10/28/security-checklist/

So genuine question: How should one manage their marketing intern so data doesn't leak?

Well, the simple answer is don't have marketing interns. Really, you should not have people in the company manually doing work that could be automated in minutes - I've even seen people manually do joins (yes, two Excel sheets open, look up one product manually on the right, copy the value over on the left, next product, next, next...). It's bewildering that tech companies who should know better and who have people who know better still insist that there be people who day in, day out, 6 hours a day, process files by hand.

Next best thing is to sanitize your data; hash any personal information like emails or phones, take a day or two to build a rudimentary BI database that has sanitized information on it before giving people access, use work emails to manage access to everything and log it (my team built https://github.com/zalora/sproxy for this purpose), silo access, teach people SQL, and so on.

But honestly, to most management teams security is dead last on the list of priorities; it's just another tail risk that probably won't happen, if it happens it doesn't matter that much, doesn't cost that much, and there are a thousand other things on their mind like growing the company which are more important ('compliance is for when we'll be profitable' or 'we're not a bank, it's ok'). You can't do very much when working in such a company.
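The sanitised reporting extract described above, as an added example that is not code from the original post or from the sproxy project: a raw order export is rewritten so the PII columns become keyed-hash tokens that still work as join and count keys. The secret, field names and sample rows are all constructed assumptions; a keyed hash (HMAC) is used rather than a plain hash so that the small space of phone numbers cannot simply be enumerated by whoever receives the file.

```python
import csv
import hashlib
import hmac
import io

# Constructed secret for this example; in practice it lives with the team that
# owns the raw data, never inside the Excel files or the BI database.
PSEUDONYM_KEY = b"example-key-rotate-me"

PII_FIELDS = {"email", "phone"}

def normalise(field, value):
    """Canonicalise before hashing so the same person yields the same token."""
    v = value.strip().lower()
    if field == "phone":
        v = "".join(ch for ch in v if ch.isdigit())
    return v

def pseudonymise(field, value, key=PSEUDONYM_KEY):
    """Keyed hash: usable as a join key, but not enumerable without the key."""
    msg = f"{field}:{normalise(field, value)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def sanitise_export(csv_text, key=PSEUDONYM_KEY):
    """Rewrite a raw order export into the form safe to hand to reporting users."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        clean = {}
        for col, val in row.items():
            if col in PII_FIELDS:
                clean[col + "_id"] = pseudonymise(col, val, key)
            elif col == "birth_date":
                clean["birth_year"] = val[:4]  # year only is enough for cohorts
            else:
                clean[col] = val
        rows.append(clean)
    return rows

# Constructed sample of the kind of "Order Metadata Report" the thread describes.
SAMPLE_EXPORT = """order_id,email,phone,birth_date,country,total
1001,Alice@Example.com,+1 (555) 010-0001,1984-03-09,US,42.00
1002,alice@example.com,15550100001,1984-03-09,US,17.50
1003,bob@example.org,+44 20 7946 0000,1990-11-21,UK,99.99
"""

def distinct_customers(rows):
    """The 'counting customers' use case still works on the sanitised rows."""
    return len({r["email_id"] for r in rows})
```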

The idea is that you shouldn't focus on making yourself "unhackable", because that is not possible. It's not possible to have 100% security. A skilled and determined attacker will likely get inside to some extent, even if it's just malware or access to an old unused server.

The point is to make detection and remediation important parts of risk management as well, not just prevention. Prevention is spell check; it's not always going to catch everything. Because the reality is, anyone (to your point, not necessarily everyone, but certainly anyone) can be hacked. Rather than focusing exclusively on a hard crunchy shell, make sure you can detect someone already inside and lock them down when you do. Corporate security needs to be right 100% of the time. The attacker only needs to be right once.

But yes, it's certainly possible that everyone can be hacked, and for certain definitions, it's completely likely that every company will or has been hacked (if you include malware, and information disclosure). How much malware is on your network that you don't know about?

Couldn't the view simply be one of pragmatism? That one can't ONLY focus on prevention, but look at the full lifecycle of prevention, detection, response / remediation, etc.?

Kind of an electronic view of "it won't happen to me"?

Assuming it's not everybody, are consumers/enterprises equipped with the risk management and actuarial tools to assess and influence their chances of being attacked?

"Assuming it's not everybody, are consumers/enterprises equipped with the risk management and actuarial tools to assess and influence their chances of being attacked?"

I think those are separate questions. Consumers largely are not.

Enterprises are getting wiser on the risk management side and are starting to use things like "Factor analysis of information risk" (FAIR) to create a framework around the effect of various incidents. Assessing chances of being attacked quantitatively is probably much more difficult than influencing their chances of being attacked (which includes the various best practices tptacek alludes to such as firewalls, having a SOC, utilizing proper controls, AV, etc. (the implementations of the S&S 8 principles.))

As to chances of being attacked, I think it could be examined similar to something like a health issue. What are my chances of getting cancer? Well, I can read the literature and follow behaviors which should reduce my chances of getting it (in the risk world that would be things such as using antivirus, not sharing passwords / SSNs / etc. in plaintext, over the phone, etc.); however, I should also be preparing for what to do should I contract cancer.