The 2014 Verizon Data Breach Investigations Report shows that espionage is the fastest growing motive for cybercrime, while financially motivated attacks declined over the same period at about the same rate.  I’d argue that espionage is ultimately linked to financial motives anyway: both corporate and government espionage are about political, military or trade power, and money is inextricably linked to all three.  Hacker groups are being formed by governments and organized cybercrime syndicates across the globe.  They are well funded and have clear targets.  Information security is going to become the next “theater” in which we fight wars.  Are you ready?

Brian Krebs at KrebsOnSecurity is reporting that the P.F. Chang’s breach began in 2013 and went on for nearly nine months.  I’ve talked about this issue in the past.  Information security breaches are only going to continue to explode.  They are getting more complex and are being targeted at organizations for specific reasons.  Systems are going to be hacked every day.  It’s not going to slow down or get any easier to defend against.

The problem is that these hacks weren’t being discovered even when they were unsophisticated and noisy.  Why?  Organizations simply aren’t looking.  Many of these attacks could be discovered if security event logs were reviewed routinely, because the evidence is already there: failed logins, new accounts, odd outbound connections.  The reality is that nobody is reviewing them.  Systems are hacked.  The events and logs are there.  Nobody is watching.  Hackers 1 – Victims 0.  Are you keeping score for your organization?

If you manage an information system you have to plan for “the event”.  The event will come when you least expect it.  It will come from a place you didn’t even know existed.  It will happen when no one and everyone is looking.  What is this event?  It’s the day you get hacked.  Actually the system will probably be hacked multiple times over its lifespan. 

Some information security events will be worse than others.  Some will originate on the inside, others from the outside.  The question really is not whether you’ll be hacked, but whether you’ll even know it.  We’ve been involved with many information security breach investigations where the systems had been compromised for months.  The warning signs were there.  Sometimes they were flashing neon signs with air horns.  If you’re not looking and listening you’ll miss those signs and alarms.
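The “flashing neon sign” the two passages above describe is usually something as plain as a burst of failed logins followed by a success from the same address. The script below is an added example written for this post, not code from the original article or from Integrity; it runs over a handful of constructed sshd log lines (not from any real incident) and flags any source address that fails at least five logins inside a five-minute sliding window, noting whether that address later logged in successfully. The log format, thresholds and addresses are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines (not from any real incident): normal logins,
# a password-guessing burst from 203.0.113.9 that ends in a successful login,
# and one ordinary typo from 198.51.100.4.
SAMPLE_LOG = """\
2014-06-10T02:13:58 sshd[1190]: Accepted password for jdoe from 192.0.2.7 port 49911 ssh2
2014-06-10T02:14:01 sshd[1201]: Failed password for root from 203.0.113.9 port 50122 ssh2
2014-06-10T02:14:03 sshd[1202]: Failed password for root from 203.0.113.9 port 50123 ssh2
2014-06-10T02:14:06 sshd[1203]: Failed password for admin from 203.0.113.9 port 50124 ssh2
2014-06-10T02:14:09 sshd[1204]: Failed password for admin from 203.0.113.9 port 50125 ssh2
2014-06-10T02:14:12 sshd[1205]: Failed password for oracle from 203.0.113.9 port 50126 ssh2
2014-06-10T02:14:15 sshd[1206]: Failed password for admin from 203.0.113.9 port 50127 ssh2
2014-06-10T02:14:19 sshd[1207]: Accepted password for admin from 203.0.113.9 port 50128 ssh2
2014-06-10T02:20:30 sshd[1250]: Failed password for jdoe from 198.51.100.4 port 51001 ssh2
2014-06-10T02:20:41 sshd[1251]: Accepted password for jdoe from 198.51.100.4 port 51002 ssh2
"""

# Assumed line layout: ISO timestamp, process tag, then the standard sshd message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_events(log_text):
    """Turn raw sshd lines into (timestamp, result, user, ip) tuples, oldest first.
    Lines that do not match the pattern are skipped rather than raising."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return sorted(events)


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag each source IP that produced at least `threshold` failed logins inside
    any sliding `window`, and record whether the same IP later logged in
    successfully, which is the strongest sign that the guessing worked."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, result, _user, ip in events:
        (failures if result == "Failed" else successes)[ip].append(ts)

    alerts = {}
    for ip, times in failures.items():
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until failures[start..end] fit inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                last_failure = times[end]
                alerts[ip] = {
                    "failures": count,
                    "first": times[start],
                    "last": last_failure,
                    "followed_by_success": any(t > last_failure for t in successes[ip]),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse_events(SAMPLE_LOG)).items():
        flag = "LOGIN SUCCEEDED AFTER FAILURES" if info["followed_by_success"] else "failures only"
        print(f"{ip}: {info['failures']} failed logins {info['first']} .. {info['last']} ({flag})")
```

The single failed login from 198.51.100.4 never reaches the threshold and is ignored, which is the point of counting within a window rather than alerting on every failure; 203.0.113.9 is reported with six failures and a following success. A SIEM does the same correlation continuously and across every host, but even this much, run nightly against the logs you already have, would catch the noisy attacks the post is talking about.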

Read more: Why Security Information and Event Management (SIEM) is an Essential Security Tool

It’s been a while since I touched on this subject, but it has come up during a number of audits and information security investigations the team at Integrity has been a part of over the past few weeks.  Egress filtering is a basic principle that should be implemented at every organization: it keeps a compromised host from reaching out of your network to fetch tools, call home to a command-and-control server or exfiltrate data.  Granted, you can’t stop everything, but you can at least try.  True information security is based on incremental success.

Here’s how it works.  Everyone does ingress filtering.  That is, we only allow trusted and known traffic into the firewall from the internet.  This traffic is typically allowed into a DMZ, and only selected traffic from the DMZ is then allowed through to the internal network.  In both cases traffic is permitted only from specific IP addresses to specific ports.  Everything else is blocked.  Egress filtering applies the same default-deny rule to traffic leaving the network, so that only the hosts whose job it is to talk to the internet, and only on the ports they need, are allowed out.
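To make the difference concrete, here is an added example (not code from the original post or from Integrity) that models a zone-based firewall policy and evaluates a set of constructed flows under two rule sets: the common “weak” setting, where ingress is tight but anything inside may connect to anything outside, and the corrected setting, where outbound traffic is permitted only from a DNS resolver and a web proxy. The address plan, host roles and port choices are assumptions for illustration; the documentation ranges 10.0.0.0/8, 203.0.113.0/24 and 198.51.100.0/24 stand in for the internal network, the DMZ and the internet.

```python
import ipaddress

# Assumed address plan (documentation ranges only, not any real network).
DMZ = ipaddress.ip_network("203.0.113.0/24")      # public-facing servers
INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # workstations and back-end servers

WEB_SERVER = "203.0.113.10"   # DMZ web server
DB_SERVER = "10.1.2.20"       # internal database the web server needs
RESOLVER = "10.1.0.53"        # the only host allowed to talk DNS to the internet
PROXY = "10.1.0.80"           # the only host allowed to talk HTTP/HTTPS to the internet


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    if addr in DMZ:
        return "dmz"
    if addr in INTERNAL:
        return "internal"
    return "internet"


def rule(src_zone, dst_zone, action, src=None, dst=None, proto=None, ports=None):
    """One firewall rule. None means 'any' for that field."""
    return {"src_zone": src_zone, "dst_zone": dst_zone, "action": action,
            "src": src, "dst": dst, "proto": proto, "ports": ports}


def matches(r, flow):
    src_ip, dst_ip, proto, dport = flow
    return (r["src_zone"] == zone_of(src_ip)
            and r["dst_zone"] == zone_of(dst_ip)
            and (r["src"] is None or src_ip in r["src"])
            and (r["dst"] is None or dst_ip in r["dst"])
            and (r["proto"] is None or r["proto"] == proto)
            and (r["ports"] is None or dport in r["ports"]))


def decide(policy, flow):
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for r in policy:
        if matches(r, flow):
            return r["action"]
    return "deny"


# Ingress is filtered as the text describes: internet -> DMZ web server only,
# DMZ web server -> internal database only.
INGRESS = [
    rule("internet", "dmz", "allow", dst={WEB_SERVER}, proto="tcp", ports={80, 443}),
    rule("dmz", "internal", "allow", src={WEB_SERVER}, dst={DB_SERVER}, proto="tcp", ports={5432}),
]

# The weak setting: tight ingress, but anything inside may talk to anything outside.
WEAK_POLICY = INGRESS + [
    rule("internal", "internet", "allow"),
    rule("dmz", "internet", "allow"),
]

# The corrected setting: outbound is allowed only from the hosts whose job it is.
STRICT_POLICY = INGRESS + [
    rule("internal", "internet", "allow", src={RESOLVER}, proto="udp", ports={53}),
    rule("internal", "internet", "allow", src={PROXY}, proto="tcp", ports={80, 443}),
]

# Constructed flows: (src_ip, dst_ip, proto, dst_port).
FLOWS = {
    "customer to web server":       ("198.51.100.4", WEB_SERVER, "tcp", 443),
    "internet to internal RDP":     ("198.51.100.4", DB_SERVER, "tcp", 3389),
    "proxy to internet HTTPS":      (PROXY, "198.51.100.200", "tcp", 443),
    "resolver to internet DNS":     (RESOLVER, "198.51.100.53", "udp", 53),
    "workstation reverse shell":    ("10.1.5.23", "198.51.100.77", "tcp", 4444),
    "workstation direct DNS":       ("10.1.5.23", "198.51.100.77", "udp", 53),
    "hacked web server calls home": (WEB_SERVER, "198.51.100.77", "tcp", 443),
}


def audit(policy):
    """Decision for every sample flow under the given policy."""
    return {name: decide(policy, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    weak, strict = audit(WEAK_POLICY), audit(STRICT_POLICY)
    for name in FLOWS:
        print(f"{name:32} weak={weak[name]:5} strict={strict[name]}")
```

Both policies block the inbound RDP attempt and admit customers to the web server; they differ only on what leaves. Under the weak policy a workstation’s reverse shell on port 4444, its direct DNS to an arbitrary server (a classic tunnelling channel) and a compromised DMZ web server calling home are all allowed. Under the corrected policy every one of them is dropped, and the dropped packets are themselves log events worth watching. The DMZ server in this model has no outbound path at all; in practice you would add narrowly scoped rules (for example to an update server via the proxy) rather than reopen the default.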

Read more: The Importance of Egress Filtering at the Firewall

If you’re one of the 145 million eBay users who were notified to change your password after a security breach was discovered, raise your hand.  If you were affected by the Target breach, raise your hand.  The Michaels breach?  The hack on Iowa State University?  The University of Northern Iowa’s information security breach?

I think you’re starting to see the trend here.  Iowans typically think of themselves as living in a safe community.  Even the capital city of Des Moines has low crime rates when compared to many other areas of the country.  I still know people who don’t lock their doors or who leave the car keys on the seat with absolutely no thought that they’ll be a victim of crime.

Read more: Cybercrime Hits Home - Even in Iowa

eBay has a long history of taking information security seriously.  In 2003 they hired Howard Schmidt as their CISO.  Mr. Schmidt is considered to be one of the leading authorities on cyber security.  He led Microsoft’s security effort and served as the head of cyber security for both President George W. Bush and President Barack Obama.

I have no doubt that eBay has a very robust and mature information security program.  Still, they were hacked.  You can read their statement here.  Is this the new norm?  Are we becoming numb to the events?  It’s like living in another part of the world where physical violence is a part of everyday life.  Do we simply learn to deal with it?

I don’t think that’s the answer.  When organizations that take security seriously are breached on a regular basis, something needs to change.  The way we do business; the way we store data; the expectations we have on data custodians; the punishment we hand down for criminals.  Something.  Everything.  Change is needed.

Iowa State University reported an information security breach yesterday.  Officials stated that five network-attached storage (NAS) devices were hacked.  These were departmental devices and were used to store social security numbers for students who took certain courses between 1995 and 2012.  You can find out if you are impacted at this link.

I’ve read through the official statement and there are two issues which concern me.  The first is why the individual departments needed student social security numbers at all.  The SSN has not been allowed as an identifier by most colleges in Iowa for over two decades; the student ID number replaced it.  I was a CIO at a community college in Iowa more than 10 years ago and the SSN was not used as an identifier.  What was the purpose of the initial request for these social security numbers, and why were they stored for so long?

Read more: 5 Network Attached Storage Devices Hacked at ISU
