A Consultant's View
Prairie Trail Software, Inc. - October 2005
Laptop Lost with Information on Millions of Federal Employees
When Microsoft made it easy to build web front ends on top of Access, they also provided an easy way to lose a lot of money. These databases are vulnerable to web attacks, and a freshly connected system has about 5 minutes before the first attack starts.
But most web attacks are not detected, because their goal is to gain information: Does this system have any data that is worth taking, or can it be hijacked to host someone else's data, files, or service?
The incident with CardSystems Solutions, Inc. is typical. Nobody at that organization knew that they had been attacked until the data was being used fraudulently.
So what is the cost of not worrying about security? Visa and MasterCard have instituted programs to impose 50 to 100 thousand dollar fines for each breach of database security. CardSystems is facing shutdown and bankruptcy.
Although security details are best left in the hands of the technical people with that bent and interest, the rest of security has to be a top-level concern. Normally, after a well-publicized database hacking, we hear about making sure passwords are secure and network settings are correct. But that focus on the technical misses the point.
Jim Settle, former head of the FBI Computer Crime squad, said of all the efforts on computer security: "It won't work, duh!"
Huh? The assumption that a "secure" computer system can be built is too often based on ideas like: "We can build an organization where people will change their passwords every 90 days, not use common words in the password, and remember what they changed them to (without writing the new password down)." Riigghhtt. "People will do exactly as we want them to" is a bad assumption.
When any group of people is supposed to be following instructions, somebody in that group won’t. An army general once stated that he knew a certain percentage of his troops had to be watched, and that another percentage were criminals. Any system he designed was built around that knowledge. Similarly, any data protection has to be designed around how people operate, not how they should operate.
Security is a process. That means that security needs to be based on behavior, not technology.
Although we have to keep up with the technology of the attackers, it is time to think not of whether someone will try to hack our systems, but of what happens when they do.
Plan so that when your systems are hacked, the hackers don’t get much. Consider the human side of the system as much as (or more) than the technological side. For example, in the CardSystems case, the main database wasn’t hacked. It was a “small” database that had been built by one person to do some testing.
Several of our customers are planning databases of sensitive information, like check images. Many are planning on using SQL Server. That's a good choice. SQL Server is a cost-effective and stable database, and as you are reading this many a hacker is seeking out new holes in it. That means that our customers have to have someone whose job it is to keep up to date with security announcements.
The point is not the database, nor the OS, but the need to have someone whose job it is to keep plugging the holes.
Plan around the concept of layers. If you walk into a bank, you can get to the teller without any problem. If you want to get to the safe deposit boxes in the vault, you have to pass through a layer of security. If you want to get to the data center, you have to pass a much more stringent security level. In some cases, you have to empty your pockets, leave your ID with the armed guard and be escorted into the visitor’s room and no further.
Separate data. The wealth of our information is not just the data, but also the relationships between the datum*. If that last batch of hacked credit cards had been stored in parts spread over different systems with different passwords, what value would the hacker have gotten out of hacking one database? Half a card number can’t buy anything.
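As an added example (not from the column or from Prairie Trail Software), here is the data-separation idea from the paragraph above written out in Python. It goes one step past the column's "half a card number": instead of storing the two halves, it XOR-splits the number into two random-looking shares, so that the contents of a single store reveal nothing at all, not even a partial number. The two Store objects, their passwords, the record layout and the test card number are constructed stand-ins for two separately administered databases.

```python
"""Splitting a card number across two independently protected stores.

Constructed example: Store is a stand-in for one database behind its own
credential; the card number below is a standard test number, not real data.
"""
from __future__ import annotations

import secrets


class Store:
    """A constructed stand-in for one database protected by its own password."""

    def __init__(self, name: str, password: str) -> None:
        self.name = name
        self._password = password
        self._rows: dict[str, bytes] = {}

    def _check(self, password: str) -> None:
        # Constant-time comparison so a bad guess leaks no timing information.
        if not secrets.compare_digest(password, self._password):
            raise PermissionError(f"bad credential for {self.name}")

    def put(self, password: str, record_id: str, value: bytes) -> None:
        self._check(password)
        self._rows[record_id] = value

    def get(self, password: str, record_id: str) -> bytes:
        self._check(password)
        return self._rows[record_id]


def split_secret(plaintext: bytes) -> tuple[bytes, bytes]:
    """Two-share XOR split: each share on its own is a uniformly random byte string."""
    pad = secrets.token_bytes(len(plaintext))
    share = bytes(p ^ k for p, k in zip(plaintext, pad))
    return pad, share


def join_shares(pad: bytes, share: bytes) -> bytes:
    """Recombine the two shares; both are required, neither is useful alone."""
    if len(pad) != len(share):
        raise ValueError("share length mismatch")
    return bytes(p ^ k for p, k in zip(pad, share))


def store_card(record_id: str, pan: str,
               store_a: Store, pw_a: str, store_b: Store, pw_b: str) -> None:
    """Write one share of the card number into each store, under separate credentials."""
    pad, share = split_secret(pan.encode("ascii"))
    store_a.put(pw_a, record_id, pad)
    store_b.put(pw_b, record_id, share)


def recover_card(record_id: str,
                 store_a: Store, pw_a: str, store_b: Store, pw_b: str) -> str:
    """Only a caller holding both credentials can rebuild the number."""
    pad = store_a.get(pw_a, record_id)
    share = store_b.get(pw_b, record_id)
    return join_shares(pad, share).decode("ascii")


def single_store_reveals_pan(store: Store, password: str, record_id: str, pan: str) -> bool:
    """What a compromise of one store yields: a share that is not the card number."""
    return store.get(password, record_id) == pan.encode("ascii")


def access_denied(store: Store, password: str, record_id: str) -> bool:
    """True if the store rejects the credential (used to show the per-store check)."""
    try:
        store.get(password, record_id)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    vault_a = Store("vault-a", "password-for-a")   # constructed credentials
    vault_b = Store("vault-b", "password-for-b")
    test_pan = "4111111111111111"                    # standard test card number
    store_card("rec-1", test_pan, vault_a, "password-for-a", vault_b, "password-for-b")
    print("one store alone:", vault_a.get("password-for-a", "rec-1").hex())
    print("both stores    :", recover_card("rec-1", vault_a, "password-for-a",
                                           vault_b, "password-for-b"))
```

The design point is that the two stores need different passwords held by different people or services; if one credential opens both, the split buys nothing. A record that stays reconstructable from a single store (for example, because a report job copies both shares into one table) silently undoes the separation, so the check worth adding to a real system is an audit of where both shares end up together.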
Security has to be designed around people.
That means that the organization has to have layers of people who are in the know and others who are not.
It has to consider who has, and does not have, access to the data as well as how to access it.
It has to consider how people join and leave an organization.
And it has to consider how people will break the rules, and how to deal with rule breakers.
It has to be simple, well designed, and enforced or people will work around it.
*I always wanted to use the singular form of 'data'; I finally got my chance. — the editor
Dave Randolph,
President, Prairie Trail Software