posted by martyb on Friday October 10 2014, @11:49AM
from the do-you-feel-lucky-punk? dept.

Robert X. Cringely points out the hidden costs of running corporate IT over the public internet:

How cheap is IT, really, if it compromises customer data? Not cheap at all. Last year’s Target hack alone cost the company more than $1 billion, estimated Forrester Research. The comparably-sized Home Depot hack will probably cost about the same. JP Morgan Chase is likely to face even higher costs.

He wonders why companies aren't shifting to dedicated networks, like they used to make with leased lines.

Taking a bank or retail network back to circa 1989 would go a long way toward ending the current rash of data breaches. It would be expensive, sure, but not as expensive as losing all the money that Target and others have recently done.

Is this practical? If so, how would it be accomplished with modern equipment?

  • (Score: 3, Insightful) by kaszz on Friday October 10 2014, @12:35PM

    by kaszz (4211) on Friday October 10 2014, @12:35PM (#104428) Journal

    A lot of the data breaches are due to poor design and not doing one's homework. Slapping leased lines on as a solution to this doesn't help. Instead crooks will know that you trust the line and make sure to access those junction boxes..

  • (Score: 3, Interesting) by Thexalon on Friday October 10 2014, @01:14PM

    by Thexalon (636) Subscriber Badge on Friday October 10 2014, @01:14PM (#104443)

    A lot of the data breaches are due to poor design and not doing one's homework.

    Yes, but rarely is the question asked, "Is our developers learning?"

    The challenge is that most of the big data breaches recently have been companies that were in fact following correct procedures. What I recommend for my clients when dealing with sensitive data is to as much as possible make it Somebody Else's Problem e.g. use the payment processor's hosted tools so that your boxes never see the CC data. But I know that's not solving the problem, it's just making it so that my clients aren't liable if there is a problem.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 2) by kaszz on Friday October 10 2014, @02:06PM

      by kaszz (4211) on Friday October 10 2014, @02:06PM (#104461) Journal

      One could also ask "Does management allow our developers to learn?" or maybe they just outsourced it..
      Then comes "Is there resources (time) available to do something about our knowledge?"..

      Considering Murphy's law. It might actually be an efficient strategy. Provided the API isn't a royal pain.

    • (Score: 0) by Anonymous Coward on Friday October 10 2014, @02:57PM

      by Anonymous Coward on Friday October 10 2014, @02:57PM (#104480)

      e.g. use the payment processor's hosted tools so that your boxes never see the CC data. But I know that's not solving the problem, it's just making it so that my clients aren't liable if there is a problem.

      It does more than that: Given that your payment processor needs to get the CC data anyway, keeping it only with the payment processor means a smaller attack surface.

    • (Score: 0) by Anonymous Coward on Friday October 10 2014, @03:58PM

      by Anonymous Coward on Friday October 10 2014, @03:58PM (#104519)

      Yes, but rarely is the question asked, "Is our developers learning?"

      Indeed. And for a good, grammatical reason.

    • (Score: 2) by DeathMonkey on Friday October 10 2014, @06:41PM

      by DeathMonkey (1380) on Friday October 10 2014, @06:41PM (#104571) Journal

      The challenge is that most of the big data breaches recently have been companies that were in fact following correct procedures.
       
      That doesn't sound like the case for Home Depot, at a minimum:
       
        Former information technology employees at Home Depot claim that the retailer’s management had been warned for years that its retail systems were vulnerable to attack, according to a report by The New York Times. Resistance to advice on fixing systems reportedly led several members of Home Depot’s computer security team to quit, and one who remained warned friends to use cash when shopping at the retailer’s stores.
       
        reference [arstechnica.com]

    • (Score: 2) by Hairyfeet on Saturday October 11 2014, @06:50AM

      by Hairyfeet (75) on Saturday October 11 2014, @06:50AM (#104705) Journal

      Devs ain't got shit to do with it, good security costs good MONEY and the MBAs won't spend the bucks. This is one of the reasons I got out of corp IT, they would have a security nightmare that could be fixed by spending X to set up Y but would they spend X? Fuck no, in fact they would often cut IT to the bone so they could say "I saved the company X amount of dollars!" and get a sweeter job at another place while the system fell apart behind them.

      --
      ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
  • (Score: 2) by theluggage on Friday October 10 2014, @02:20PM

    by theluggage (1797) on Friday October 10 2014, @02:20PM (#104469)

    Instead crooks will know that you trust the line and make sure to access those junction boxes..

    If your data was that sensitive, surely you'd go "belt & braces" and encrypt the data on your line anyway?

    Plus, scalability anybody? Even if, at some stage in the history of telecoms, a "leased line" really was a physically private copper wire or fibre exclusively connecting A to B, I can't see that being viable in these days of ubiquitous networking and globalisation - you'd have to flood-wire the world! For anybody smaller than the average national security agency, a modern "leased line" must surely be a euphemism for "outsourcing your VPN kit to your telecoms provider".

    • (Score: 0) by Anonymous Coward on Friday October 10 2014, @03:48PM

      by Anonymous Coward on Friday October 10 2014, @03:48PM (#104515)

      wait, this is exactly what it was claimed that the nsa did to google and others, they tapped the exit and entrance nodes on the "point to points". Data wasn't encrypted between locations, and it undermined the entire system. Who cares if the data on the server is encrypted, if no one is walking off with the server. It's unencrypted the moment it leaves the box unless other actions are taken.

      Considering that, a private leased line is not what people think it is. It is almost always on a shared network, and just because you can't see other customers doesn't mean it's configured right in the ISP from end to end. Privacy isn't what it used to be; unless you ran the line yourself, the telco can provide access.

      Using VPNs for everything is foolish, but it makes a lot more sense to run a VPN over a leased line if you are really worried about security. Having permissions on a firewall to let unencrypted traffic through does nothing to protect against an entity tapping in and recording the transmissions, nor anything to stop something bad coming through on the ports you opened since you trust the other side. Nothing is stopping something on a, for example, MPLS network from being introduced into the "point to point" if the carrier is able to do so.

      It takes a secure approach to all methods and options for exit and entry, not just getting a leased line.

      You would be more secure using a dial up modem. Demodulating a call is not something the current batch of tools is very good at doing, and if you encrypted the call--you'd be more secure than anything we've discussed so far, but it would be slow. And very suitable for financial dropbox sort of transactions, like FTP or what have you, that you do not want anyone else to get a hold of.

      Just don't set the modem to auto answer...

      • (Score: 2) by sjames on Sunday October 12 2014, @05:08AM

        by sjames (2882) on Sunday October 12 2014, @05:08AM (#104977) Journal

        That is more or less what happened to Target. They had a secure VPN nailed up between them and their HVAC contractor. The hackers got into the contractor's network and came in through that to attack the POS systems.

        The real failure was letting a route exist between HVAC and POS. An actual leased line instead of a VPN would have made exactly zero difference.

  • (Score: 2) by MrGuy on Friday October 10 2014, @05:08PM

    by MrGuy (1007) on Friday October 10 2014, @05:08PM (#104537)

    ...the Target breach (one of the two examples given).

    In Target, the attackers got access via an environmental monitoring system - they had a service to remotely manage/make recommendations on power/HVAC to some Target stores. Amazingly, those servers were on the same network (with no isolation) as all the POS machines doing actual credit card processing, which is how the attackers were able to compromise the credit card processing.

    If Target had designed their network remotely sanely, this service (that admittedly needed internet access) would have been walled off from the network customer transactions happened on. It was not.

    Leased lines, by the way, wouldn't have helped Target a whit. They could have had dedicated leased lines between the POS systems and the credit card processors, and it wouldn't have helped them. It's not like they were using a VPN and the attackers compromised the VPN (which is the ONLY attack vector I can see that would have been thwarted by dedicated leased lines). The problem was their INTERNAL network was a mess.
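
The point sjames and MrGuy both make (a route from the HVAC vendor's access into the POS segment is what mattered, and the transport between POS and the card processor is irrelevant to that path) can be checked mechanically. This is an added example, not code from the thread or from Target; the zone names and permit rules are constructed for illustration, not Target's real topology.

```python
# Added example: reachability over a zone-based permit policy. A "rule" is a
# permitted flow from one network zone to another. Zones and rules below are
# constructed for illustration (hypothetical), not a real retailer's network.
from collections import deque

# Flat design: the vendor tunnel terminates on a LAN that can reach POS.
FLAT_NETWORK = [
    ("internet", "vendor_vpn"),     # HVAC contractor's tunnel lands here
    ("vendor_vpn", "corp_lan"),     # tunnel dropped onto the general LAN
    ("corp_lan", "pos"),            # LAN and POS are mutually routable
    ("pos", "corp_lan"),
    ("pos", "card_processor"),      # VPN or leased line to the processor
]

# Segmented design: the tunnel lands only on an HVAC management segment,
# and POS is permitted to talk only to the card processor.
SEGMENTED_NETWORK = [
    ("internet", "vendor_vpn"),
    ("vendor_vpn", "hvac_mgmt"),
    ("corp_lan", "hvac_mgmt"),      # staff reach HVAC gear; not the reverse
    ("pos", "card_processor"),
]

def find_path(rules, src, dst):
    """Breadth-first search over permitted flows; returns the zone path
    from src to dst, or None when no chain of permits connects them."""
    adj = {}
    for a, b in rules:
        adj.setdefault(a, set()).add(b)
    parent = {src: None}
    queue = deque([src])
    while queue:
        zone = queue.popleft()
        if zone == dst:
            path = []
            while zone is not None:        # walk parents back to src
                path.append(zone)
                zone = parent[zone]
            return path[::-1]
        for nxt in sorted(adj.get(zone, ())):
            if nxt not in parent:
                parent[nxt] = zone
                queue.append(nxt)
    return None

def path_exists(rules, src, dst):
    """True when dst is reachable from src under the policy."""
    return find_path(rules, src, dst) is not None
```

Swapping the `pos -> card_processor` link for a leased line changes nothing in the `internet -> pos` result; only removing the `corp_lan -> pos` permit does.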