The bad news is that a bunch of the Good Guy troops in the trenches are draftees. They didn't sign up for Information Security, they're IT drones that are told to do it. Or worse, they're not even in IT, they're in data entry or customer support.
That is the starting lay of the land, which will help to clarify just why we're losing so badly. For example, one of the Big Three credit agencies gave open access to an identity fraudster:
In October 2013, KrebsOnSecurity published an exclusive story detailing how a Vietnamese man running an online identity theft service bought personal and financial records on Americans directly from a company owned by Experian, one of the three major U.S. credit bureaus. Today’s story looks deeper at the damage wrought in this colossal misstep by one of the nation’s largest data brokers.

How did this happen? Well, it didn't involve any l33t h4X0Rz:
Last week, Hieu Minh Ngo, a 24-year-old Vietnamese national, pleaded guilty to running an identity theft service out of his home in Vietnam.
Posing as a private investigator operating out of Singapore, Ngo contracted with Court Ventures, paying for his access to consumer records via regular cash wire transfers from a bank in Singapore. Through that contract, Ngo was able to make available to his clients access to the US Info Search database containing Social Security, date of birth and other records on more than 200 million Americans.

He bought access to the data, using money he got from identity theft. Since selling access to data is Experian's business model, this is pretty much assured to be happening all over the place.
Oh, and remember that line: and other records on more than 200 million Americans. That was your data.
But it doesn't seem to help to have a business model that relies on security. Target got hacked, and information that's coming out suggests that it was a rookie security mistake made by their CIO, keeping security under her duties:
That's like having the financial auditors reporting to the CFO. The financial auditors are there to check up on the CFO, and that's the reason that most companies have a CISO reporting directly to the Board of Directors. Target's IT was well funded enough, it just wasn't focused correctly. Target may not be in the minority among companies, either.
But it gets even worse. What if your company could go bankrupt if your security were bad? Wouldn't you pay very close attention? Some people didn't:
Yet another cryptocurrency has come forward and admitted that security and system problems have led to customer funds being pinched by hackers.

Millions of dollars worth of Bitcoins were stolen by hackers. With Bitcoin, there is no physical object (that's the whole point), and so this is really electronic bank robbery. All the security problems are digital. The people involved know this, and we should assume that they are all very competent and very well funded.
Poloniex, a Bitcoin trading post similar to Mt. Gox, has lost 12.3 percent of the Bitcoin stored in hot wallets on the website. However, in stark contrast to how Mt. Gox CEO Mark Karpeles handled his company's Bitcoin losses, the owner of Poloniex, Tristan D'Agosta -- a.k.a. Busoni -- admitted to the loss and asked users how they would like to be compensated.
In a forum post, Busoni said that a hacker took advantage of a processing flaw in the Bitcoin exchange post. When users submit a withdrawal request, the input is checked against your balance, deducted, and the new amount recorded within a database. However, it was discovered that placing several withdrawals all in practically the same instant meant each request was processed at more-or-less the same time, resulting in a negative balance but "valid insertions into the database, which then get picked up by the withdrawal daemon."
They still got robbed. And they were the third Bitcoin exchange to get hacked.
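The withdrawal flaw Busoni describes is a classic check-then-act race: the balance is read and compared in one step and deducted in another, so requests that land in the same instant all pass the check against the original balance. The following Python example is added here to make that concrete; it is not Poloniex's code or anything from the article. It uses an in-memory SQLite ledger with a constructed account, replays the interleaving deterministically (every request's check runs before any request's deduction is written), and then shows the fix: folding the check into the same UPDATE statement as the deduction so the database enforces it atomically. The `find_overdrawn` reconciliation query is the kind of check a withdrawal daemon should run before paying anything out.

```python
"""Check-then-act race in a withdrawal handler, and the atomic fix.

Constructed example: one account ('alice') holding 100 units in an in-memory
SQLite ledger. Two withdrawals of 60 arrive "in practically the same instant".
"""
import sqlite3

SCHEMA = """
CREATE TABLE accounts (
    user    TEXT PRIMARY KEY,
    balance INTEGER NOT NULL
);
CREATE TABLE withdrawals (
    id     INTEGER PRIMARY KEY,
    user   TEXT NOT NULL,
    amount INTEGER NOT NULL,
    status TEXT NOT NULL
);
"""


def new_ledger(user="alice", balance=100):
    """Fresh in-memory ledger with a single constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO accounts (user, balance) VALUES (?, ?)", (user, balance))
    conn.commit()
    return conn


def get_balance(conn, user):
    (balance,) = conn.execute(
        "SELECT balance FROM accounts WHERE user = ?", (user,)).fetchone()
    return balance


def check_then_write_batch(conn, user, amounts):
    """VULNERABLE: the check and the deduction are separate statements.

    To reproduce the interleaving from the forum post deterministically, every
    request performs its balance check first; only then do the deductions land.
    Each request therefore compares against the *original* balance.
    Returns the number of withdrawals that were recorded as valid.
    """
    approved = []
    for amount in amounts:
        if get_balance(conn, user) >= amount:      # stale read
            approved.append(amount)
    for amount in approved:                          # writes arrive afterwards
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE user = ?",
                     (amount, user))
        conn.execute("INSERT INTO withdrawals (user, amount, status) VALUES (?, ?, 'queued')",
                     (user, amount))
    conn.commit()
    return len(approved)


def withdraw_atomic(conn, user, amount):
    """FIXED: the sufficiency check is part of the UPDATE itself.

    The row only changes if the balance is still >= amount at the moment the
    database applies the statement, however requests interleave. rowcount tells
    us whether the guard held.
    """
    cur = conn.execute(
        "UPDATE accounts SET balance = balance - ? WHERE user = ? AND balance >= ?",
        (amount, user, amount))
    if cur.rowcount != 1:
        conn.rollback()
        return False
    conn.execute("INSERT INTO withdrawals (user, amount, status) VALUES (?, ?, 'queued')",
                 (user, amount))
    conn.commit()
    return True


def atomic_batch(conn, user, amounts):
    """Same burst of requests, processed through the atomic handler."""
    return sum(1 for amount in amounts if withdraw_atomic(conn, user, amount))


def find_overdrawn(conn):
    """Reconciliation check: any account below zero means a deduction was
    accepted that should not have been. Run this before the payout daemon
    acts on 'queued' rows."""
    rows = conn.execute("SELECT user FROM accounts WHERE balance < 0 ORDER BY user").fetchall()
    return [user for (user,) in rows]


if __name__ == "__main__":
    vuln = new_ledger()
    print("vulnerable: approved", check_then_write_batch(vuln, "alice", [60, 60]),
          "balance", get_balance(vuln, "alice"), "overdrawn", find_overdrawn(vuln))
    fixed = new_ledger()
    print("atomic:     approved", atomic_batch(fixed, "alice", [60, 60]),
          "balance", get_balance(fixed, "alice"), "overdrawn", find_overdrawn(fixed))
```

Two things are worth noting about the fix. First, it does not rely on application-level locking or on "processing requests one at a time"; the guard travels with the write, so it holds across threads, processes and servers sharing the database. Second, a `CHECK (balance >= 0)` constraint on the table would be a reasonable belt-and-braces addition, turning any remaining logic error into a rejected transaction rather than a silently negative balance.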
And so we're seeing a more or less complete failure of security, whether it's low level people getting scammed, or Fortune 500 mid-organization, or the impossibility of very good people being human and not closing 100% of all possible bugs.
The implication is that security failure is a cost of doing business. The IT Security budget needs to have a line item for expected legal payout to settle potential lawsuits.