Fighting the Intruder -- Securing your Business
By Bob Cherry
Years ago, when I worked on and around secure projects, there was extremely tight security. Breaches of any kind were not to be tolerated. To achieve this, there was no connectivity to the outside world via Internet, dial-up modems, etc. Any physical media (floppies and tape were the media of the day) that went into the building never went out. You could bring patches and such into the building, but the media stayed there when you left. It would either be archived or shredded. There were no exceptions. You showed your purse and briefcases as you entered and left the facility. Sometimes you were asked to empty your pockets. It was routine. It was secure. Attacks from the outside world just didn't happen. Security was so tight that at one facility I worked at, I had to have a blood test and FBI check EVERY DAY before I could even enter the central facility.
Today when we talk about security, we have a new paradigm in which there is an "acceptable" level of loss of secret data and information. China has made huge use of this as they design their new J-20 series of fighter jets using stolen American technology. There is so much of it that their planes virtually look like ours inside and out. So, how does this happen? Our security paradigm is severely broken. In reality, there is little security -- just enough to make it difficult, but certainly not impossible. Unfriendly foreign governments and foreign hackers are making an art and science out of penetrating American systems. It's their job to get in, analyze, and hide their footsteps as they infiltrate system after system after system. They make millions of dollars in the process. It is a worthwhile endeavor for them.
First of all, the new mindset is that we need to have Internet access at secure facilities for some reason. I'm not sure what those reasons are, but let's look at what that really means. Our electric grids across the nation are exposed. Our nuclear power plants are exposed. Our defense engineering is exposed. Our defensive systems are exposed. Our medical records are exposed. Our financial records and information are exposed. Our social security, credit card and banking records are exposed. And the list goes on and on. Our nation's security looks more like a sieve than a brick wall. A lot of what is in place was put in with a small budget and a lack of serious concern regarding security. Basically, to the bean counters, security costs too much. Feel-good security was enough.
So, how much is an "acceptable" risk? Credit card companies spend billions of dollars a year on fraud. Target discount stores realized that all customer credit card information was compromised. I don't know how many times VISA has issued me new cards due to card information theft from somewhere. Foreign governments use our "secret" technology. Russian hackers are already into much of our infrastructure. China has even accessed some of our critical satellites. The problem is, we don't really know how badly we've been infiltrated. We do know that we have been, and there are probably unauthorized people in our national infrastructure right now. Almost every web site in the world is under attack. The little ones contain user names, passwords and email addresses. This information, once in the wrong hands, can then be used to access bigger and better targets like banks. The reason is that most public users use the same user name and password on all the systems they use. The same one they use on Facebook is what they use for managing their bank or retirement accounts. One security firm states that over 30% of all home computers are already compromised. How many web sites containing personal information are? Sadly, the answer is: most!
If twenty contract agencies are working together on a top secret military program and each allows a small amount of information (data) to escape, is that trivial? If the data by itself is pretty much worthless, then standing alone, yes, it is. But if the attacker is an unfriendly foreign government that only needed that one piece of the puzzle to build a major threat to our nation, then what is the value? It is no longer trivial. If that unfriendly government has actually acquired many pieces from all of those 20 contractors and has now rendered a multi-billion dollar project obsolete before it gets off the ground, what was the value of that small loss of information? (See links below.) This is the reason you cannot define what a single piece of lost information is worth. This is why there cannot be an "acceptable" level of risk. Any loss of top-secret information must be considered a substantial loss of unknown value.
We plan security like a box full of rules. Hackers don't follow our rules. They don't recognize our box boundaries. So we assume that our methods are secure and, as we discover break-ins, we reactively respond to those to patch the leak. How much data and information got out before we patched is often not known. It seems that every few days we read about identity theft on a massive scale. This is what happens with a reactive model of security that assumes some level of risk is acceptable. Rarely do banks and businesses publicize that they were compromised. It's bad for business. So they patch the leak, hide it, pay the damage and continue doing things as they always have. Loss of private information has become a cost of doing business. An acceptable unknown cost. That is a dangerous philosophy to run a business by.
In my office, the primary system with client information, accounting, passwords, software keys, and other vital information is NOT on the Internet. It isn't even connected. The Linux system sits in a corner where it has been churning away for almost 12 years. When I need something off of it, I go to the system and work from there. If I need to transfer anything to or from it, I use a USB flash memory stick. The point is that no hacker is going to get into the database full of artists' names, addresses, phone numbers and their music business contact information. The system gets regular backups that are stored in the bank safety deposit box. Backups consist of an exact clone image of the drive. In this manner, if the drive fails, I simply install the backup, reboot and I'm up. Then I just bring over the database image from the real-time backup drive, apply the redo logs and I'm back.
Today, we use routers, access control lists, filters and so on to secure our business environments. But our comfort level isn't very high considering that there are router patches and updates almost daily. Every Tuesday, Microsoft puts out many fixes to their array of Windows products. Vendors are constantly putting out updates to their software products. My web site engine has at least a few security updates every week. Every one was probably the result of someone detecting an attack. These fixes come AFTER an attack has already occurred.
We literally spend a ton of money and time securing our systems just so that we can have the convenience of having those systems on the Internet. We spend a lot of time and resources keeping our systems up to date to try to keep them secure. Is it really worth it? Does every system require Internet connectivity? Seriously, no. Why does accounting or human resources need Internet access? As a rule, they don't. Sure, it may be necessary to have one or two workstations that can connect, but certainly not all of them. The databases of personal information certainly do not require it.
Anti-virus systems are critical, as are rootkit scans and more. With new virus variants coming out daily, it is amazing that there are still anti-virus vendors who only put out updates once a week. Systems using those products are unprotected until the weekly update. Other, better products may put out eight updates a day! Those are the products to seriously consider. I run three layers of protection on my Internet-connected systems, and they are inside a router and a firewall. I was compromised a few years back even with all that. Anti-virus is not a cure-all.
There is no such thing as a 100% safe operating system -- especially after you install a lot of third-party applications. Windows is always being compromised. Mac OS X has been cracked, and Linux and BSD systems have been also. While some are more vulnerable than others, there is no such thing as a totally secure OS. Most attacks happen at the application layer, and many third-party software vendors don't put a lot of emphasis on security. Network games, email applications, web browsers, etc. are all examples of applications that expose the system to the outside world they communicate with.
Rather than preventing an incident, we react to incidents that have already happened. That is the new model. Because we allow risk, we need to react to it. If we eliminate the risk, then there is nothing to react to. Note I didn't say to be proactive. I said to eliminate it. There is a distinct difference. To prevent, one must eliminate all methods of outside intrusion, and you do that not just by closing the door but by removing the door altogether. If you connect to the outside, the outside connects to you. It's that simple.
Total isolation is fine for a single installation site, but what happens when you have facilities scattered all over the place -- even around the world? Again, the Internet is a low-cost, available yet insecure method of interconnection. TCP/IP, by its very design, is insecure. Using the Internet is far cheaper than laying a dedicated OC3 or higher-speed dedicated trunk between sites. As is common knowledge today, even the best laid plans of man are eventually cracked. It's the law of unintended consequences. Security is only as strong as the weakest link and, to add to this problem, it is also fluid in its dynamics. What was the weakest link an hour ago may not be the weakest link now. The environment changes constantly. The attack we dealt with yesterday has been replaced by an entirely new concept today. This leads to the question: What is the cost of security? It was this question that ultimately created the answer: There is a certain amount of loss that is acceptable. But is it really? I believe the answer to be flawed.
When considering security, one must also consider the real need for outside connectivity. Do those different facilities really need to be all over the country and then openly interconnected? Would it be more secure to relocate some of them to a single facility and eliminate the interconnection? What systems can be totally isolated from all outside connections and just exist on their own private network internally? It is a fact that systems connected to the Internet will incur an intrusion at some point. It isn't a matter of if, but rather, when. When it ultimately does happen, what will be the real value of that data loss? That loss can be financial, business, legal and, most importantly, a matter of trust with your customers and users. If word got out that all your web site users' private data was compromised, how would that impact your web business now and in the future?
A few years back, I received a call from a big local real-estate office. They had a virus that managed to infect every system in their office, and they couldn't work anymore. Windows were popping up all over the place on every PC in their office. The office relied on built-in Windows security and that was it. No firewall. No anti-virus software. Nothing. It required the better part of a day to disinfect their computers and network, configure their router, install a firewall and put anti-virus software on all their systems. Their office was basically down during this time. How much of their client information was compromised remains unknown, but their server was breached and most of the log files deleted. It had a simple password that was the same as the owner's PC, which was easily guessable, and it was. They said they couldn't afford anti-virus software. After their attack, they ultimately decided they couldn't afford to be without it. It was an expensive and hard lesson.
I know today's systems are nowhere near as secure as the systems I worked on in the 1980s because in those days, many long years ago, there was no outside connectivity and there was no acceptable measure of loss. It's something to think about in today's exploding network of interconnected businesses. It isn't a trivial issue today. Businesses can be held liable for private data getting out. How good is your security, really?
Now, here's the scary part. Virtually every web site in the world gets hit by attacks every day. If the top secret government sites, with all kinds of layered network security using every means available, are getting compromised, chances are your small business or even medium business site has also been compromised. Without security monitoring, tracking, logs and alerts in place, you probably have no way of even knowing whether you've been violated or not. Most have. A great deal of email spam points to sites that have been compromised and are used as the hyperlink target of the spam or virus attack. Quite often, if you look at the links, they point to a business web site that has obviously been compromised, and the attacker has placed their infected payload on the unsuspecting website. Hundreds of these different e-mails go out daily.
Have you really investigated whether your site has been hit or not? Do your logs ever show a URL that had embedded SQL in it? How often do you check your error logs and access logs? Do you even check them? Has email with your return address domain been sent out to those on your subscription list? Are your site databases encrypted? The vast majority are not. Current estimates indicate that nearly 85% of all web sites have been hacked. If you sincerely believe yours hasn't been and you have not implemented any security, you're probably fooling yourself. If word got out that your site had been hacked, how would it impact your business? We are in a new Internet minefield and, unless you are very careful, you may already have undesirable information leakage.
Additional Reading:
The Worst Security SNAFUS this Year So Far
Chinese Data Theft Could Be 'Disastrous' For The US Military's Most Expensive Fighter Jet
FBI: A Chinese Hacker Stole Massive Amounts Of Intel On 32 US Military Projects

Cybersecurity Awareness Training Presentation v2024.03
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQM
 

Security

Fighting the Intruder -- Securing your Business
By Bob Cherry

Years ago, when I worked on and around secure projects, there was extremely tight security. Breaches of any kind were not to be tolerated. To achieve this, there was no connectivity to the outside world via Internet, dial-up modems, etc. Any physical media (floppies and tape were the media of the day) that went into the building never went out. You could bring patches and such into the building but the media stayed there when you left. It would either be archived or shredded. There were no exceptions. You showed your purse and briefcases as you entered and left the facility. Sometimes you were asked to empty your pockets. It was routine. It was secure. Attacks from the outside world just didn't happen. Security was so tight that at one facility I worked at, I had to have a blood test and FBI check EVERY DAY before I could even enter the central facility.

Today when we talk about security, we have a new paradigm where there is an "acceptable" level of loss of secret data and information. China has made huge use of this as they design their new J-20 series of fighter jets using stolen American technology. There is so much that their planes virtually look like ours inside and out. So, how does this happen? Our security paradigm is severely broken. In reality, there is little security -- just enough to make it difficult but certainly not impossible. Unfriendly foreign governments and foreign hackers are making an art & science out of penetrating American systems. It's their job to get in, analyze, and hide their footsteps as they infiltrate system after system after system. They make millions of dollars in the process. It is a worthwhile endeavor for them.

First of all, the new mindset is that we need to have Internet access at secure facilities for some reason. I'm not sure what those reasons are but, let's look at what that really means. Our electric grids across the nation are exposed. Our nuclear power plants are exposed. Our defense engineering is exposed. Our defensive systems are exposed. Our medical records are exposed. Our financial records and information are exposed. Our social security, credit card and banking records are exposed. And the list goes on and on. Our nation's security looks more like a sieve than a brick wall. A lot of what is in place was put in with a small budget and a lack of serious concern regarding security. Basically, to the bean counters, security cost too much. Feel-good security was enough.

So, how much is an "acceptable" risk? Credit card companies spend billions of dollars a year on fraud. Target discount stores realized that all customer credit card information was compromised. I don't know how many times VISA has issued me new cards due to card information theft from somewhere. Foreign governments use our "secret" technology. Russian hackers are already into much of our infrastructure. China has even accessed some of our critical satellites. The problem is, we don't really know how badly we've been infiltrated. We do know that we have been and there are probably unauthorized people in our national infrastructure right now.

Almost every web site in the world is under attack. The little ones contain usernames, passwords and email addresses. This information, once in the wrong hands, can then be used to access bigger and better targets like banks. The reason is that most public users use the same username and password on all the systems they use. The same one they use on Facebook is what they use for managing their bank or retirement accounts. One security firm states that over 30% of all home computers are already compromised. How many web sites containing personal information are? Sadly, the answer is: Most!

If twenty contract agencies are working together on a top secret military program and each allows a small amount of information (data) to escape, is that trivial? If the data by itself is pretty much worthless, then, standing alone, yes, it is. But, if the attacker is an unfriendly foreign government that only needed that one piece of the puzzle to build a major threat to our nation, then what is the value? It is no longer trivial. If that unfriendly government has actually acquired many pieces from all of those 20 contractors and has now rendered a multi-billion dollar project obsolete before it gets off the ground, what was the value of that small loss of information? (see links below) This is the reason you cannot define what a single piece of lost information is worth. This is why there cannot be an "acceptable" level of risk. Any loss of top-secret information must be considered a substantial loss of unknown value.

We plan security like a box full of rules. Hackers don't follow our rules. They don't recognize our box boundaries. So we assume that our methods are secure and, as we discover break-ins, we reactively respond to those to patch the leak. How much data and information got out before we patched is often not known. It seems that every few days we read about identity theft on a massive scale. This is what happens with a reactive model of security that assumes some level of risk is acceptable. Rarely do banks and businesses publicize that they were compromised. It's bad for business. So they patch the leak, hide it, pay the damage and continue doing things as they always have. Loss of private information has become a cost of doing business. An acceptable unknown cost. That is a dangerous philosophy to run a business by.

In my office, the primary system with client information, accounting, passwords, software keys, and other vital information is NOT on the Internet. It isn't even connected. The Linux system sits in a corner where it has been churning away for almost 12 years. When I need something off of it, I go to the system and work from there. If I need to transfer anything to/from it, I use a USB flash memory stick. The point is that no hacker is going to get into the database full of artists' names, addresses, phone numbers and their music business contact information. The system gets regular backups that are stored in the bank safety deposit box. Backups consist of an exact clone image of the drive. In this manner, if the drive fails, I simply install the backup, reboot and I'm up. Then I just bring over the database image from the real-time backup drive, apply the redo logs and I'm back.

Today, we use routers, access control lists, filters and so on to secure our business environments. But, our comfort level isn't very high considering that there are router patches and updates almost daily. Every Tuesday, Microsoft puts out many fixes to their array of Windows products. Vendors are constantly putting out updates to their software products. My web site engine has at least a few security updates every week. Every one was probably the result of someone detecting an attack. These fixes come AFTER an attack has already occurred.

We literally spend a ton of money and time securing our systems just so that we can have the convenience of having those systems on the Internet. We spend a lot of time and resources keeping our systems up to date to try and keep them secure. Is it really worth it? Does every system require Internet connectivity? Seriously, no. Why does accounting or human resources need Internet access? As a rule, they don't. Sure, it may be necessary to have one or two workstations that can connect but certainly not all of them. The databases of personal information certainly do not require it.

Anti-virus systems are critical, as are rootkit scans, and more. With new virus variants coming out daily, it is amazing that there are still anti-virus vendors who only put out updates once a week. Systems using those products are unprotected until the weekly update. Other, better products may put out eight updates a day! Those are the products to seriously consider. I run three layers of protection on my Internet-connected systems and they are inside a router and a firewall. I was compromised a few years back even with all that. Anti-virus is not a cure-all.

There is no such thing as a 100% safe operating system -- especially after you install a lot of third-party applications. Windows is always being compromised. Mac OS X has been cracked and Linux and BSD systems have also. While some are more vulnerable than others, there is no such thing as a totally secure OS. Most attacks happen at the application layer and many third-party software vendors don't put a lot of emphasis on security. Network games, email applications, web browsers, etc. are all examples of applications that expose the system to the outside world they communicate with.

Rather than preventing an incident, we react to incidents that already happened. That is the new model. Because we allow risk, we need to react to it. If we eliminate the risk, then there is nothing to react to. Note I didn't say to be proactive. I said to eliminate it. There is a distinct difference. To prevent, one must eliminate all methods of outside intrusion and you do that by not just closing the door but by removing the door altogether. If you connect to the outside, the outside connects to you. It's that simple.

Total isolation is fine for a single installation site but, what happens when you have facilities scattered all over the place -- even around the world? Again, the Internet is a low-cost, available yet insecure method of interconnection. TCP/IP, by its very design, is insecure. Using the Internet is far cheaper than laying a dedicated OC3 or higher-speed trunk between sites. As is common knowledge today, even the best laid plans of man are eventually cracked. It's the law of unintended consequences. Security is only as strong as the weakest link and, to add to this problem, it is also fluid in its dynamics. What was the weakest link an hour ago may not be the weakest link now. The environment changes constantly. The attack we dealt with yesterday has been replaced by an entirely new concept today.

This leads to the question: What is the cost of security? It was this question that ultimately created the answer: There is a certain amount of loss that is acceptable. But is it really? I believe the answer to be flawed. When considering security, one must also consider the real need for outside connectivity. Do those different facilities really need to be all over the country and then openly interconnected? Would it be more secure to relocate some of them to a single facility and eliminate the interconnection? What systems can be totally isolated from all outside connections and just exist on their own private network internally?

It is a fact that systems connected to the Internet will incur an intrusion at some point. It isn't a matter of if, but rather, when. When it ultimately does happen, what will be the real value of that data loss? That loss can be financial, business, legal and, most importantly, a matter of trust with your customers and users. If word got out that all your web site users' private data was compromised, how would that impact your web business now and in the future?

A few years back, I received a call from a big local real-estate office. They had a virus that managed to infect every system in their office and they couldn't work anymore. Windows were popping up all over the place on every PC in their office. The office relied on built-in Windows security and that was it. No firewall. No anti-virus software. Nothing. It required the better part of a day to disinfect their computers and network, configure their router, install a firewall and put anti-virus software on all their systems. Their office was basically down during this time. How much of their client information was compromised remains unknown but their server was breached and most of the log files deleted. It had a simple password, the same one used on the owner's PC, which was easily guessable, and it was. They said they couldn't afford anti-virus software.
After their attack, they ultimately decided they couldn't afford to be without it. It was an expensive and hard lesson. I know today's systems are nowhere near as secure as the systems I worked on in the 1980s because in those days, many long years ago, there was no outside connectivity and there was no acceptable measure of loss. It's something to think about in today's exploding network of interconnected businesses. It isn't a trivial issue today. Businesses can be held liable for private data getting out. How good is your security really?

Now, here's the scary part. Virtually every web site in the world gets hit by attacks every day. If the top secret government sites with all kinds of layered network security, using every means available, are getting compromised, chances are your small business or even medium business site has also been compromised. Without security monitoring, tracking, logs and alerts in place, you probably have no way of even knowing whether you've been violated or not. Most have. A great deal of email spam points to sites that have been compromised and are used as the hyperlink target of the spam or virus attack. Quite often, if you look at the links, they point to a business web site that has obviously been compromised and the attacker has placed their infected payload on the unsuspecting website. Hundreds of these different E-mails go out daily.

Have you really investigated whether your site has been hit or not? Do your logs ever show a URL that had embedded SQL in it? How often do you check your error logs and access logs? Do you even check them? Has email with your return address domain been sent out to those on your subscription list? Are your site databases encrypted? The vast majority are not. Current estimates indicate that nearly 85% of all web sites have been hacked. If you sincerely believe yours hasn't been and you have not implemented any security, you're probably fooling yourself.
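The questions above about URLs carrying embedded SQL and about access logs that nobody reads are where a small, regularly run check earns its keep. What follows is an added example, not code from the article or from any product it mentions: a signature-based scan of Apache/Nginx combined-format access-log lines that URL-decodes each request (twice, since double encoding is a common evasion) and flags common SQL fragments, weighting a weak indicator such as a lone apostrophe (a surname like O'Brien) below strong ones so that it is reported but not treated as an attack on its own. The log lines, client addresses (documentation ranges), indicator patterns and weights are all constructed for this example.

```python
"""Scan web-server access-log lines for SQL fragments embedded in request URLs.

Added example, not part of Bob Cherry's article. A signature check of the kind
a site owner can run over yesterday's access log; every pattern, weight and
sample line below is constructed for the example.
"""
import re
from urllib.parse import unquote, unquote_plus

# Apache/Nginx "combined" log format:
# host ident authuser [time] "METHOD path PROTOCOL" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3})'
)

# Indicators of SQL text inside a request, matched against the URL-decoded
# path and query string. Each carries a weight; the weak "quote-in-parameter"
# signal alone (e.g. a surname such as O'Brien) does not reach high severity.
SQL_INDICATORS = {
    "union-select":       (re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I), 4),
    # "x OR 'a'='a" style tautology: both operands identical, same quoting
    "tautology":          (re.compile(r"\b(?:or|and)\b\s+(['\"]?)(\w+)\1\s*=\s*\1\2", re.I), 3),
    "comment-terminator": (re.compile(r"(?:'|\))\s*--|/\*.*?\*/"), 2),
    "stacked-query":      (re.compile(r";\s*(?:select|drop|delete|insert|update|exec)\b", re.I), 4),
    "time-delay":         (re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I), 4),
    "quote-in-parameter": (re.compile(r"=[^&]*'"), 1),
}
HIGH_SEVERITY_SCORE = 3


def parse_line(line):
    """Parse one combined-format line; return a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Decode twice: double encoding (%2527 -> %27 -> ') is a common way to slip
    # past filters that decode only once. The first pass also maps '+' to space.
    rec["decoded"] = unquote(unquote_plus(rec["path"]))
    rec["status"] = int(rec["status"])
    return rec


def find_sql_indicators(decoded_path):
    """Return (indicator names, total weight) for a decoded request path."""
    hits = [name for name, (rx, _) in SQL_INDICATORS.items() if rx.search(decoded_path)]
    score = sum(SQL_INDICATORS[name][1] for name in hits)
    return hits, score


def scan_log(lines):
    """Return one finding per line that carries at least one SQL indicator."""
    findings = []
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec is None:
            continue  # not combined format (or a truncated line): skip, do not crash
        hits, score = find_sql_indicators(rec["decoded"])
        if hits:
            findings.append({
                "host": rec["host"], "time": rec["time"], "status": rec["status"],
                "path": rec["decoded"], "indicators": hits, "score": score,
                "severity": "high" if score >= HIGH_SEVERITY_SCORE else "low",
            })
    return findings


def hosts_by_high_findings(findings):
    """Count high-severity findings per client address so repeat probers surface first."""
    counts = {}
    for f in findings:
        if f["severity"] == "high":
            counts[f["host"]] = counts.get(f["host"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


# Constructed sample log (documentation-range addresses), not a real capture.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /products?id=42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /login?user=admin%27--&pass=x HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.23 - - [10/Oct/2023:13:56:05 +0000] "GET /products?id=42%20UNION%20SELECT%20username%2Cpassword%20FROM%20users HTTP/1.1" 500 612 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "GET /search?q=o%27brien HTTP/1.1" 200 1400 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:58:40 +0000] "GET /news?id=7%3BSELECT%20pg_sleep(5)-- HTTP/1.1" 200 1400 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:4} {f['host']:15} {f['status']} {','.join(f['indicators'])}  {f['path']}")
    print("high-severity hits per host:", hosts_by_high_findings(results))
```

Run it against a real file with `scan_log(open("/var/log/apache2/access.log"))`; a single low-severity line is usually a legitimate apostrophe, while several high-severity lines from one address within a minute is the probing pattern the article describes. The 500 response on the UNION line is worth its own attention: an error page returned for a request that contained SQL means the fragment reached the database layer, which is exactly the condition the article's "check your error logs" question is about.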
If word got out that your site had been hacked, how would it impact your business? We are in a new Internet minefield and unless you are very careful, you may already have undesirable information leakage.

Additional Reading:
The Worst Security SNAFUS this Year So Far
Chinese Data Theft Could Be 'Disastrous' For The US Military's Most Expensive Fighter Jet
FBI: A Chinese Hacker Stole Massive Amounts Of Intel On 32 US Military Projects