Do You Know Where Your Secrets Are?
October 16, 2015 | DevOps | joanna mastrocola
October isn’t just about apple picking, hayrides, and pumpkin spice lattes… it’s also cybersecurity month! Although Conjur kicked the month off on the right foot, the same can’t be said for everyone. It looks like cybersecurity month is off to a rough start at Scottrade, the business having suffered a major breach that was publicized in recent weeks.
Imagine that your company was approached by the FBI, and was told that criminals had taken your clients’ information and have had it at their disposal for the past two years. Well, that’s the real life nightmare Scottrade is faced with. The most troubling aspect of the Scottrade breach is that it went unnoticed for two years. This forces us to wonder, how much of our data has been compromised that we don’t even know about… what if our information is being taken right now? Without a second thought we buy insurance, apply for loans, sign up for cell phone plans, and make online purchases. And without a second thought, businesses take this information and store it, gambling with our personal details and hoping that their databases are secure enough to resist a breach, without taking any real, meaningful steps to ensure this is the case. With PR nightmares like this one, I have to wonder, why aren’t companies keeping a closer eye on their secrets?
Although the breach occurred two years ago, it was only recently that Scottrade uncovered the hack in their system. The FBI alerted Scottrade to the breach that exposed the personal information of over 4.6 million customers. Although Scottrade maintains that only the names and addresses of customers were taken, it is highly likely that other information was compromised as well. The systems containing the contact information also stored social security numbers, according to Threatpost. Marketwatch cautions customers that brokerage numbers are also on the list of potentially compromised data.
This information further validates the assumption that more than just names and addresses were exposed, despite Scottrade’s insistence that contact information was the hackers’ main focus. When questioned as to how Scottrade came to this conclusion, Scottrade could not answer, stating that it could jeopardize the investigation. It may never be revealed what information was actually taken from Scottrade, as most companies don’t keep data that old in their systems. Customers are angry, including one Scottrade customer who has decided to sue the company in a class-action lawsuit. The suit requests that Scottrade not only pay for at least 3 years of credit and identity monitoring for compromised customers, but also repay any monetary, statutory, and punitive damages.
It is common for enterprises to cut costs wherever possible; however, security is not the place to skimp on resources. These breaches are a lot more expensive than the costs associated with properly securing infrastructures in the first place. According to research by the Ponemon Institute, data breaches cost companies approximately $3.8 million dollars (an increase from last year’s cost of $3.5 million). For businesses, breaches affect more than just their wallet, they also taint the reputations they have worked so hard to create. Every single week consumers are faced with a new company they can no longer trust and are ridden with heightened paranoia every time they give out a social security number or use a credit card. The problem now is that not only are these breaches happening, but they are taking far too long to be detected. People are only aware of the fraud once it is too late and this fraudulent activity is difficult to remedy.
If Scottrade had a clear and easily accessible audit log, it wouldn’t have taken so long to notice suspicious behavior in their systems. High velocity organizations who practice continuous delivery rely on many dynamic tools, users, and machines. All of these complexities make it difficult to scale security in the name of velocity. Companies need secrets management solutions that are scalable with both machine authentication and granular access control . With the correct security measures in place to manage secrets, hackers would have been denied access to the system in the first place.
For more information on proper secrets management, download our secrets management checklist.
Worried about your cybersecurity this October? Remember, the best defense is an even better offense.