
American Cybersecurity Culture Undeveloped, Immature

By Brett Daniel Shehadey
Special Contributor for In Homeland Security

Is the entire American data security environment crumbling before our eyes? Are the federal government and private industry, years behind, racing to catch up in reaction to this massive deficiency instead of running in front of it?

It seems that every month or two we witness another breach, and that is counting personal and financial information theft alone, whether at Target, Home Depot, or JP Morgan Chase. These breaches do not just indicate minor failures; they show the fragility of the whole system and encourage foreign kleptocratic governments, criminals and sporting hackers to keep attacking.

JP Morgan Chase found out about the breaches since June by cybercriminals possibly interested in selling personal information. The bank has filed with the SEC that 76 million people and 7 million businesses were affected by the system break-in. No passwords, social security numbers or other sensitive account information were reportedly breached. The FBI is investigating whether Russia hacked JP Morgan and at least one other bank in retaliation for economic sanctions, according to Bloomberg.

In 2012, Middle Eastern hackers and Iran retaliated with ‘denial of service’ strikes on banks after the spread of the Stuxnet virus. Other banks have been and will continue to be the focus of attacks: Citibank (stolen data in 2011), Wells Fargo (website hacked in 2012), Bank of America (Anonymous hack in 2013), etc.

The last 12 months have seen a surge in retail industry credit card fraud cases affecting millions: Target Corporation (40 million), Home Depot (56 million), Michaels (3 million), Neiman-Marcus (less than 350,000), etc.

The weakest links have repeatedly been in the private sector: weak encryption; poor security procedures and practices; less vetting of employees with significant access to the financial wellbeing of thousands or millions of individuals; overseas employees with too much information; and foreign antivirus, credit card machines and software.

Security awareness at the workplace and at home is still far behind where it needs to be as digital technology becomes just as fundamental to our lives and adds another dimension of reality. Greater technical awareness, education and security practices are required in the new frontier.

Right now there is far too little compartmentalization of sensitive data in the civilian world. If you want to secure information, you keep it offline and backed up. Failing that, keep sensitive information on an intranet. The least safe option is to have it accessible on the internet through multiple platforms without heavy multi-layer security. Russia went so far as to encourage the use of typewriters to prevent foreign government intrusion.

Part of this is the growing new American techno-culture. Everyone wants their information to be private, yet they take more and more risk as their daily digital activities proliferate. They do this without knowing how the basics work. Celebrities are not the only ones placing their most intimate photos on a third-party server (a.k.a. the cloud) and giving sensitive information to a host of others, where it is accessible to a larger number of people they interact with at the services they want. They are of course upset when that information is compromised, regardless of the reason.

Nowadays, almost everyone asks for a person’s social security number and birth date. This information should be given in two to three parts to different individuals who cannot put the number together themselves and steal it. Instead, the full nine digits are received by one person, even though often just the last four digits, the date of birth and the name are all that are needed in financial endeavors.

Aside from compartmentalizing personal and financial information within the private sector, a simple requirement would be breaking up this information and locking it down within those separate departments. But such a procedure could cost triple and/or slow down efficiency, in spite of providing a block against unauthorized access.

The above suggestion is already too late for millions of Americans whose information remains in the hands of foreign governments and thieves. A host of other security precautions should be mandated for the digital service industry if actions are not taken freely to ensure the safety of the average American. The federal government is too busy with cyberdefense, cyberterrorism and cyberespionage and does not have the resources necessary to combat cybertheft appropriately. Already it is having difficulty with the first three, for which it will need more resources to do what is necessary as well. In the future, it is possible to imagine an increasingly automated security infrastructure, but right now it is critical to have more security IT and data security specialists probing weak points, consulting on fixes, safeguarding information, and targeting the enemy for justice or reprisal.

Changing passwords on a frequent basis, protecting usernames and passwords, strong firewalls, encrypting personal data, increasing the personnel that hunt down foreign hackers, and less public and more personal cloud storage that can run on a server at your home or small business would all be improvements.

Better protection options could be paired with efforts for faster relief programs for identity and financial theft victims. The government and corporations could be held to higher standards and greater scrutiny. If they are not ultimately responsible for protecting the privacy and property of society and individuals, then the people are in even greater peril. Government must police this reality in the service of protecting Americans, and corporations must invest in best practices, and be regulated to improve them, for the safety of their clients, in addition to personal responsibility.

*People are still unaware of the most basic internet safety tips. Some threats to be aware of are: e-scams (pretty much anything that solicits information from you that you have not sought out yourself, like spam), malware (e.g. the virus ZeusBot), and ransomware (e.g. CryptoLocker). This month also happens to be Cyber Security Awareness Month.
