After every major cyber breach, security professionals are asked what lessons we can learn from it. While the technical details of the eBay attack aren’t yet public, we can already draw lessons from the company’s public statements and its communications to its customers (see inset).
The eBay case demonstrates the two biggest problems with cybersecurity today. First, there’s too much focus on payment card security and not enough attention being paid to all the other personal information being shared, swapped and stolen.
eBay claims no payment information was taken and that the attackers didn’t make it into the PayPal system, which houses financial information for millions of users. That’s good news for card issuers, but consumers still had a lot of their information stolen, including physical and email addresses, phone numbers and birth dates. That’s plenty of information with which to start a social engineering attack.
For too long, IT security in the retail industry has myopically focused on payment card security via PCI compliance. PCI DSS is just a baseline. It’s a great place to start when building a security program, but a lousy place to stop.
Which brings up the second major problem with our current security situation: companies just aren’t doing enough. The response of our business leaders is not commensurate with the escalating threat.
For example, eBay says passwords were encrypted (see letter to right), but the other personal information wasn’t. The technology to protect that data is readily available, and eBay could have encrypted far more than it did.
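The paragraph above argues that the non-payment fields (email, phone, birth date, address) could have been encrypted at rest alongside the passwords. The following Go program is an added example written for this page, not eBay’s or Coalfire’s code, showing one common way to do that: field-level AES-256-GCM encryption where the record id and column name are bound into the authentication tag, so a ciphertext lifted from one row or column cannot be decrypted in another. The record layout, field names and the in-memory key are constructed for illustration; in a real deployment the key would live in a KMS or HSM, separate from the database. (Passwords are a different case from the rest of the profile: a practitioner stores them as salted hashes under a slow KDF rather than as reversible ciphertext, which this example does not cover.)

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// aad binds a ciphertext to one record and one column, so a value copied
// from another row or another field fails authentication on decrypt.
func aad(recordID, field string) []byte {
	return []byte(recordID + "|" + field)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one PII value with AES-256-GCM under a fresh random nonce
// and returns base64(nonce || ciphertext || tag) for storage in a text column.
func EncryptField(key []byte, recordID, field, plaintext string) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), aad(recordID, field))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. Any bit flip, wrong record id or wrong
// field name makes Open return an error rather than garbage plaintext.
func DecryptField(key []byte, recordID, field, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize()+aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	nonce, sealed := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, sealed, aad(recordID, field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// ProtectRecord encrypts every listed PII field of one customer record.
func ProtectRecord(key []byte, recordID string, fields map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(fields))
	for name, value := range fields {
		enc, err := EncryptField(key, recordID, name, value)
		if err != nil {
			return nil, err
		}
		out[name] = enc
	}
	return out, nil
}

func main() {
	// Constructed sample record and key (assumption: in production the key
	// comes from a KMS/HSM, never from source code or the ciphertext store).
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	record := map[string]string{
		"email":      "jane@example.com",
		"phone":      "+1-555-0100",
		"birth_date": "1975-04-02",
		"address":    "1 Example Street, Springfield",
	}
	stored, err := ProtectRecord(key, "user-1001", record)
	if err != nil {
		panic(err)
	}
	for name, ct := range stored {
		fmt.Printf("%-10s -> %s\n", name, ct)
	}
	// Moving the email ciphertext into the phone column fails closed.
	if _, err := DecryptField(key, "user-1001", "phone", stored["email"]); err != nil {
		fmt.Println("column swap rejected:", err)
	}
}
```

The design choice worth noting is the additional authenticated data: without it, an attacker with write access to the database could shuffle encrypted values between rows or columns and the application would decrypt them without complaint. Binding the record id and field name costs nothing at rest and turns that tampering into a detectable decryption failure.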
Right now, the technology industry is focused on speed. They’re operating like car companies 50 years ago, building fast, powerful products that are as fun to use as a 1969 Corvette. The problem for consumers is that those products are also about as safe as a 1969 Corvette. It’s time to start thinking about seatbelts, airbags and anti-lock brakes.
Coalfire consultants are experts in compliance. We conduct more than 1,000 audits and assessments of systems containing sensitive data each year. We know and can explain all the minimum steps needed to not be negligent. But shouldn't we all be operating on a higher plane?
Our forward-thinking customers know that baseline compliance testing is a critical part of the program, but they also do additional monitoring, analysis and penetration testing.
The truth is that every company and every industry is different. An acceptable level of security investment in one place won’t be remotely sufficient in another. The biggest question for company executives facing material risk from a breach is: Are we doing enough? (Let alone “everything,” as eBay claims.)
The answer in most cases? Probably not.
Learn more about Coalfire’s services today.