Hacked off: why data testing needs to get creative
Ever wondered who is behind the various breaches that have plagued the likes of, oh I don’t know, small outfits that you might not have heard of – Sony, Citibank, Google, Lockheed Martin and the International Monetary Fund?
Whilst no one is in the dock just yet, an interesting piece from the BBC offers the perspective of an analyst who lurks on hacker forums. And hackers are quite an interesting bunch…
The numbers are staggering: some 200,000 members are signed up to one of the more popular sites. But it is the breakdown of roles within these communities that’s fascinating.
• Researchers are the creative types, dreaming up and exploring new ways to exploit vulnerabilities in systems.
• Dealers rent botnets in order to extract sensitive data.
• Farmers take on the role of maintaining the botnets.
• And Crime Lords are those making cold hard cash from the data.
Although amorphous and fluid, the structure reveals an impressive breakdown of tasks, entrepreneurial flair and management know-how that the corporate world would recognise and might even emulate.
Recently Dr. Tim Watson, head of De Montfort University’s computer forensics and security group, described hackers’ traits as both ‘creative’ and ‘precise’ and that’s a pretty worrying combination.
And there’s the rub. Researchers are ceaselessly creative and focused, and if corporations don’t match that, both they and their customers will continue to be vulnerable.
There is an inertia in large corporations that stymies the quick implementation of new thinking and new best practice. Change, when it comes, is often imposed from outside, yet companies talk a good game when it comes to ‘embracing innovation’.
Corporations also talk about ‘stealing the advantage’ over their competitors, but more often than not the measures that serve their customers’ interests best in the long term are the ones that put their own house in order.
I met a consultant who works with a very large corporation that I won’t name (but it may figure in the list at the start of this piece…) who talked about the urgent need for companies dealing with sensitive customer data to ‘steal a march’ just by doing the right thing in-house.
This is not about Corporate Relations providing carefully worded and slick sound bites of blah, blah. It is about following a simple rule. If you can look your customers in the eye and say, with honesty, yes, we have done everything possible to protect you, customers are surprisingly forgiving should the unforeseen happen.
So, using copies of production data for testing and development fails that basic rule: every copy carries real customer records into environments that typically have weaker access controls, more users and less monitoring than production. It is a potential own goal, but here’s the thing: large organisations think that they are dealing with ‘data’, not customers.
And in the background and with minds always whirring, ‘Researchers’ know that this presents yet another opportunity.
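What the alternative to a raw production copy looks like in practice, as an added example that is not from the original post: a masking job that rewrites the sensitive fields of a production-style extract before it is handed to test and development, while keeping the properties testers actually need (email addresses still look like email addresses, card numbers still pass the Luhn check, and a customer’s orders still join to that customer). The sample rows, the field names and the masking key are all constructed assumptions for the example.

```python
"""Mask a production-style extract before it reaches test/dev.

Added example, not the original post's code. The rows below are constructed
to look like a production extract; the key and field names are assumptions.
"""
import hashlib
import hmac
import random

# Constructed sample of what a copied production table might look like.
PRODUCTION_CUSTOMERS = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "card_number": "4111111111111111", "balance": "120.50"},
    {"customer_id": 1002, "name": "Bob Sample", "email": "bob@example.net",
     "card_number": "5500000000000004", "balance": "-40.00"},
]
PRODUCTION_ORDERS = [
    {"order_id": 1, "customer_email": "alice@example.com", "amount": "19.99"},
    {"order_id": 2, "customer_email": "bob@example.net", "amount": "5.00"},
    {"order_id": 3, "customer_email": "alice@example.com", "amount": "100.51"},
]

# Assumption: this key exists only in the masking job, never in the test environment,
# so nobody with test-database access can recompute the mapping.
MASKING_KEY = b"assumed-secret-kept-out-of-test-env"


def pseudonymise(value: str, key: bytes = MASKING_KEY) -> str:
    """Keyed, deterministic pseudonym: same input -> same token, no reversal without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_email(email: str, key: bytes = MASKING_KEY) -> str:
    """Keep the local@domain shape so application validators still pass, but derive the
    local part from the keyed hash and use a reserved (RFC 2606) domain that never routes."""
    return f"user_{pseudonymise(email.lower(), key)[:12]}@test.invalid"


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn algorithm."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # rightmost partial digit gets doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def mask_card(card: str, key: bytes = MASKING_KEY) -> str:
    """Synthetic PAN of the same length: keeps the leading digit (so brand-routing logic is
    still exercised), fills the middle from a per-card seeded generator, recomputes Luhn."""
    rng = random.Random(pseudonymise(card, key))   # deterministic per input card
    body = card[0] + "".join(str(rng.randrange(10)) for _ in range(len(card) - 2))
    return body + luhn_check_digit(body)


def mask_extract(customers, orders, key: bytes = MASKING_KEY):
    """Return masked copies of both tables. Balances and amounts are left as-is here;
    whether they are sensitive is a decision the data owner has to make."""
    masked_customers = [
        {**row,
         "name": f"Customer {pseudonymise(row['name'], key)[:8]}",
         "email": mask_email(row["email"], key),
         "card_number": mask_card(row["card_number"], key)}
        for row in customers
    ]
    # Referential integrity survives because the same email maps to the same pseudonym in both tables.
    masked_orders = [{**o, "customer_email": mask_email(o["customer_email"], key)} for o in orders]
    return masked_customers, masked_orders


def leaks_original(masked_rows, original_rows, fields) -> bool:
    """Release gate: does any original sensitive value survive anywhere in the masked output?"""
    originals = {row[f] for row in original_rows for f in fields}
    return any(v in originals for row in masked_rows for v in row.values() if isinstance(v, str))


def orders_per_customer(customers, orders) -> dict:
    """Join check: count orders per customer on whichever (masked or real) email is present."""
    counts = {c["email"]: 0 for c in customers}
    for o in orders:
        counts[o["customer_email"]] += 1
    return counts


if __name__ == "__main__":
    cust, ords = mask_extract(PRODUCTION_CUSTOMERS, PRODUCTION_ORDERS)
    assert not leaks_original(cust, PRODUCTION_CUSTOMERS, ["name", "email", "card_number"])
    for row in cust:
        print(row)
    print(orders_per_customer(cust, ords))
```

The keyed hash is what makes the copy usable: the same customer gets the same pseudonym in every table, so joins and duplicate-detection tests still work, and the key never leaves the masking job. The `leaks_original` gate is the check worth automating on every refresh, because a new column added to production is exactly how real values quietly reappear in test. Deterministic pseudonyms still preserve frequency and linkability, so for anything where that itself is sensitive, fully synthetic generation is the safer route.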