Christopher Booker’s The Seven Basic Plots is a Jungian-based confirmation that fundamentally, all plots fall under seven formulaic categories:
- Overcoming the Monster
- Rags to Riches
- Voyage and Return
I gravitate to the last two categories. My Netflix queue can attest to this, if you discount the copious “Thomas the Train” videos requested by my preschooler. I love movies where I can get inside the head of the villain and learn what makes him tick. You know the ones…“Catch Me If You Can” (good movie, even better book), “Burn After Reading”, and even oldies like “The Sting”, and “Butch Cassidy and the Sundance Kid”. Quentin Tarantino has a knack for writing these kinds of movies. I guess perhaps he and I share a common bond of working at a long since folded video rental chain making $4.35 an hour slogging through VHS tapes. His films give me the chance to walk a mile in the moccasins of the villains, and part of me hopes that they come out on top every time.
I also enjoy striding a moccasin-clad mile with the hacker community. As I mentioned in a previous blog post, I recently hung out with a group of hacktivists in San Francisco. I believe they are wired differently than most folks in that they take immense personal pleasure in nonconformity to the extreme. The hackers I know always question the status quo, and are often the first to show the absurdity of societal norms. I admire that…to a point. Perhaps best stated by Oliver Wendell Holmes, “The right to swing my fist ends where the other man’s nose begins”.
Many of these folks gathered recently in Las Vegas at Defcon 18, and some responded to polling questions indicating how they might find the lowest hanging fruit in targeting a breach. According to an article in net-security.org, “The poll revealed that 73% came across a misconfigured network more than three quarters of the time – which, according to 76% of the sample, was the easiest IT resource to exploit. Results revealed that 18% of professionals believe misconfigured networks are the result of insufficient time or money for audits”.
“Automating configuration and security management is the best way forward to solving this problem”, says Reuven Harrison, CTO of Tufin Technologies. Further, an increasing number of self-described black (11%) and grey (46%) hat hackers have landed corporate security positions. So the days of the John Wayne movie where it is easy to tell the good guys from the bad are over.
Sure, audits cost time and money, but the audit costs are not the only security expense. The true cost of compliance, as Larry Ponemon points out in his report, includes those and other compliance costs (technology, incident management, training, etc.), as well as the costs of non-compliance, both direct (fines and penalties) and indirect (business disruption, lost productivity, goodwill, and similar costs). The full details can be found here.
Which brings us to the Sony PlayStation/Qriocity breach. According to a Network World report, Shinji Hasejima, Sony’s chief information officer, offered: “The attack was launched from an application server that sits behind a web server and two firewalls on Sony’s network. It was a very sophisticated technique that was used to access our system”. Further, the wolf in sheep’s clothing was disguised as a purchase, so it wasn’t flagged by network security systems. “It exploited a known vulnerability in the application server to plant software that was used to access the database server that sat behind the third firewall”, said Hasejima.
“Automating configuration and security management is the best way forward to solving this problem”, says Harrison. This is further substantiated in the Ponemon report, indicating “the lowest per capita non-compliance cost is associated with organizations that conduct five or more audits (per year)”.
Which brings me to some rather startling trends seen in the 2011 Verizon Business Data Breach Investigations Report. A few items that caught my eye:
- Record high breach events in 2010 with 761 (the prior six years totalled 900)
- Record low breached records with 3,878,370 records, only 2.7% of 2009 breached records – and just over 1% of the peak loss count in 2008.
- Higher-value kinds of records breached. Credit cards dropped (perhaps because they are not worth as much on the street?), while higher-value records are up nearly across the board.
So where does this leave us to prognosticate over the next nest of network nuisances? What is your guess?
Now that I think about it, my Netflix account is accessed through my Wii…
Catch me on Twitter @Blenmark
*Of special note, these thoughts were inspired by a recent conversation between Josh Corman of the 451 Group and a group of my peers on April 27th.