IT Security – Insider Trading
The news broke recently that the data of “up to 2 million” customers and potential customers of US mortgage company Countrywide Financial had been compromised by employees (now former employees), who sold the data off as sales leads to competitors during the heady days of the sub-prime bubble. Countrywide, acquired by Bank of America Corp. in July, has recently written to at-risk customers, offering them two years of free credit monitoring.
An often quoted statistic is that 70% of all serious IT security incidents are carried out by insiders or involve the collusion of insiders. I have problems with statistics that are round numbers, because it’s often an indication that the figure is manufactured for market consumption. This figure is almost certainly wrong because it is a situation that is impossible to survey competently. You cannot get provably accurate information on known security breaches, and unreported or undiscovered ones are naturally excluded from the figures.
The true figure is probably closer to 90 percent. It’s said that a high percentage of bank heists involve an insider, but all the insider has to do is pass information to the bank robbers. It’s difficult to even prove that the bank robbers had insider knowledge, let alone identify who passed the information. The same is true of IT Security breaches, but data heists are a great deal easier to pull off if you know where to look for the data.
TJ-Maxxed
Consider the TJX data heist, the heist that has become the poster child for higher security spend. The cost to TJX has been estimated at around $1 billion. The IT security failure, which led to the theft of data on 45 million credit cards, plus hundreds of thousands of Social Security Numbers (SSNs), driver’s license numbers and military identifications, was “caused” by WEP. WEP stands for Wired Equivalent Privacy, although it may as well stand for Wireless Entry Point as far as hackers are concerned.
The WEP protocol has been broken since 2001 (and yes, you can still buy devices that offer WEP encryption). It’s believed that the Black Hats responsible for the TJX heist were Russian or Romanian, which probably means that no-one knows, since the only people apprehended in connection with this heist were downstream users of the stolen data and the data may have been sold through several brokers before it got to them. And anyway, why would Romanian/Russian Black Hats be driving around St. Paul, Minnesota in the hope of spotting WEP networks?
It’s easy to believe that there was insider involvement that helped the Black Hats out. Reportedly, TJX was intending to replace its insecure WEP networks in time, but “not just yet” because, well, it would have been expensive – although a small fraction of $1 billion would have covered the expense.
And right there we have the security problem in a nutshell!
Aside from the Black Hats, the people who did well out of the TJX heist were the CSOs and IT security staff who’d been putting off WEP replacement. Suddenly it had to be funded, so suddenly they had budget.