Life’s a Breach

In their fantastic book ‘Why do buses come in threes?: The hidden mathematics of everyday life‘ Rob Eastaway and Jeremy Wyndham point out the hidden maths (or just ‘math’ to some) in many everyday situations.

From the bleeding obvious (“Meh, I really thought I was going to win the lottery?”), through to the outright bizarre (“what’s the connection between a rugby player taking a conversion and a tourist trying to get the best photograph of Nelson’s Column?”), to the eponymous bus question, these brilliant chaps take you through surprising facts and figures that could keep even a fidget without one of those spinner things occupied on a beach.

Fortunately, you don’t have to be a card carrying Mathematical genius to understand why breaches appear to be the new buses. No, not the fact that they are big, smelly and unreliable, the fact that they have started coming in bunches.

Let’s take a look at this week’s latest announcements:

Starting with the biggest, best and scariest example, the account details of approximately 14 million Verizon customers were breached through an apparently inappropriately configured Amazon Web Service S3 bucket.

Now Ladies and Gents, the AWS S3 bucket wasn’t hosted by Verizon themselves. Oh no, it was hosted by a third party; An Israeli security company called (presumably ironically) NICE. At least it used to be hosted by NICE, this part of the NICE portfolio was divested years ago, according to them.

Now, just what Verizon customer call data was doing with an Israeli security company we mustn’t speculate on. Having been accused of tending towards ‘conspiracy theories’ very recently, we are keeping our thoughts to ourselves and putting it down to ‘outsourcery’. Probably nothing to do with any governments at all, ever, honest.

Read El Reg’s Verizon piece here, then stroke your Jimmy Hill beard and make your own minds up (no translation available for those that call maths ‘math’, sorry).

Moving swiftly on to a scandal that makes the AdultFriendFinder debacle seem tame.  Eagle eyed security enthusiasts will recall the breach of Sabre SynXis Central Hotel Reservations system. Well it seems that compromised details include the names, credit card details, inside leg measurement, breakfast preferences etc. etc. of customers of the hotels of one Mr Donald Trump.  If being captured being a High Court Judge with a password of ‘insert cat related word here‘ wasn’t bad enough, the shame of being a customer of The Donald might make one reach for the service revolver.

Add to these this week’s breaches of Bupa, the recent UK Government (Members of Parliament VPN) kerfuffle, the AA and the disputed 140 million or so (is that all?) breach at Indian Telco Jio and it is clear that we are either on the crest of a wave or plummeting down a tunnel to oblivion, depending if you are in Sales or Engineering.

We have all been reading for weeks about the nation state written attacks on numerous systems (mostly Microsoft), which are being touted around by criminal parties unknown, and everyone must have seen this week’s announcement of critical vulnerabilities in the age-old NTLM authentication protocol (enabled by default, obs).

It is clear that we are all running a heap of leaky old code and that as time goes on, an increasing number of increasingly devious and publicly available exploits will be targeted at us.

The real question is not how, but why? It is no coincidence that new data protection regulations (GDPR, you might have heard it mentioned round these parts) are coming our way like the proverbial.  It is all about data governance.  All data has value and the costs for losing it are about to outweigh the blushes, navel gazing and feet shuffling apologies (and lets just assume you have been good boys and girls and should be holding the data in the first place, having asked for permission to do what you are doing with it…)

Just what can we do about it? Somewhat boringly, there is no magic solution:

  • Think about the data and manage data security at all times in the lifecycle
  • Prove that you are doing this!
  • Keep backups
  • Keep patching
  • Try our very bestest not to run unsupported software
  • Deploy technology to identify and manage risk (vulnerability management, SIEM, Network Access Control, behavioural analytics, voodoo, snake oil etc.)
  • Test your configurations and delete old data ‘in staging environments’
  • Have a plan for the day the man comes, around (And I heard, as it were, the noise of thunder)
  • we have been banging on about this for ages now.

ITC’s NetSure360° managed security service components are an ever-evolving combination of tools, technologies, processes and pretty smart people which can help make this easier for you, even on Cloud environments like AWS and Azure.

Please contact us at [email protected] or call 020 7517 3900 if you would like to discuss surfing the wave or climbing out of the abyss. We can even hold down a reasonable discussion about GDPR before it’s too late. Remember there are coffers that need to be filled with fines.  Hold that thought.

The solution to the bus problem is much more interesting.  Buy the book. It’s great.