Chocolate Teapots, Hollow Bunnies & the Danger of Form Over Function

2015 07 blog.jpg

If external security measures are breached, internal systems are inevitably compromised. That is, if a hacker manages to break through your business' external protective mechanisms (passwords, firewalls, etc.), he/she will almost certainly have access to everything on that server. This could include password lists, back up databases, personal client information and credit card details. To prevent this, we spend enormous amounts of time and money bolstering our walls and guard towers, hoping that by doing so, there is absolutely no way that an intruder can get in. And as our enterprise grows larger, we create even more sophisticated firewalls and password systems, confident that, as long as no one can get past them, our valuable information will be safe. We rarely stop to assess the effectiveness of our internal protocols: are all of your passwords encrypted? Do you have Access Control Lists that only allow a limited, specified number of persons to have full access to the server? If the worst were to occur, how easy would it be for a hacker to decode and then misappropriate your data? This is the danger of form over function. It's a little like a chocolate teapot: although protocols look good on the outside, the internal mechanisms are far from adequate to store your information. If those walls ever come (melting) down, there is nothing left to protect your data and assets. And before you say that there is "no way" a hacker could break through your external systems, read about what happened to Adobe here. We have summarised the case study below. Adobe became the target of a cyber-attack where an unauthorised third party hacked into Adobe's web server and used this server to then access other servers on Adobe's network. Amongst other things, the hacker took a copy of a backup database which contained personal customer information. Adobe managed the breach with professionalism and prompt risk management procedures. However, although Adobe had proficient external security systems in place, their internal protocols were not sufficient to prevent the hacker from trying to exploit customers' details. For example, some passwords were unencrypted. This meant that the password was stored in the server as 'plain text'. That is, if my password was "rainbow", it would appear as "rainbow" on the server if it was unencrypted. There were also many plain text password hint answers. Therefore if a hacker could not work out what a password was, he/she could use the plain text answer to correctly respond to Adobe's password hint. For example, he could correctly state that the account holder's mother's maiden name was "Smith". He/she would then have access to all of the information on that profile. Conclusion: Security systems that only have external preventative measures will only amount to a hollow Easter bunny: ultimately, they cannot withstand repeated strikes to the exterior and could crumble to nothing. Such systems are good from afar but are far from good. Although it is important to have robust external security measures in place, this must be matched with equally strong internal protective systems. As the new financial year begins, it is timely to ensure that your company's recruitment processes do not fall foul of the provisions of the Privacy Act. The Privacy Commissioner has been awarded extensive powers to deal with transgressions, including the power to enforce undertakings from companies in breach, or issue penalties of $340,000 for individuals and up to $1.7 million for companies. If you want to learn more about data management, register to attend our webinar on data security here. It will be held on 27th of July. Attendance is free for existing customers, $75 + GST for others. If you want to find out whether your current practices will meet the mark, contact us and we will tell you more about our privacy impact assessment service.

Alicja Gibert