
Data - The Driver of Our Digital Economy

The world has changed. The predicted consolidation of all things electronic (i.e., telephony, games, Internet, email, entertainment, social, calendars, etc.) fits in my jacket pocket and has become an indispensable part of my life. I seamlessly work from my office, my home, my car and around the world as though there are no walls.

The vehicle for this change is most certainly exponential advances in technology. But the driver, the force behind the change, has been the explosion in access to, use of and demand for consumer data. And it’s all data – telephony is just the exchange of digitized voice, we surf the Internet for information, our digital lives (i.e., personal, medical, financial, social) are stored in huge databases, and our correspondence is exchanged electronically. Literally and figuratively, we would be lost without the data we depend on.

However exciting, this is not new. We only need to look back a few hundred years to see other vehicles and drivers that have pushed the US through economic and sociological changes.

The theory of electricity has been understood since Michael Faraday’s experiments in the early 1800s. But it wasn’t until the late 1800s that the demand for electricity’s industrial efficiencies and consumer conveniences, and the promises of fortunes to be made, drove willingness for the substantial capital investments required to electrify the United States. The US pre- and post-electrification stages are hardly recognizable. The world changed.

The automobile has been around in some form since the early 1800s; yet it took mass production in the early 1900s to make the automobile affordable to the masses. Affordability drove mass consumer demand, which stimulated rapid technology advances, competition and a change in US culture to an automobile-oriented society. Imagine a world without automobiles.

To finish my analogy, data, once costly, has become affordable and desirable. Like the widespread use and affordability of electricity and automobiles, the availability and use of data has changed our culture and the way we interact with our world. Welcome to the digital economy.

The Danger of Data

At January’s Digital Life Design (DLD), a prestigious technology conference held annually in Munich, the two keynote speakers, the European Commission's vice president for justice, Viviane Reding, and Facebook's chief operating officer, Sheryl Sandberg, put forth the intriguing statement that personal data is the new oil, the vital fuel of our digital economy.

Per this very true premise, we need to view data as a precious commodity, to be protected at all costs. Unlike physical commodities like cash, gold and diamonds, data can be taken and sold without the owner’s awareness. Every credit card identity in America can be stored on the flash drive in your pocket and sent to a cyber criminal on the other side of the world in minutes.

The protection of data is far harder than most people recognize. A simple customer-list database, for example, isn’t just safely tucked away on a single server. It will be backed up to remote locations, duplicated at disaster recovery sites and possibly copied to a DVD for reporting purposes. The disgruntled IT guy who just stormed out may have made his own copy.

We often hear about the dangers of using social networks like Facebook and the information that we give out so freely. The truth, however, is that compared to the personal information that is available about each of us, your Facebook indiscretions are a drop in the bucket.

Every one of your emails, phone calls, surfing experiences, financial and medical records, credit card transactions and digital experiences is fair game for use or exploitation by the clever hacker or unethical business.

And, by the way, unlike Facebook, you didn’t get to check a box to indicate this massive breach of your life is OK; it just came with being part of the digital economy.

Shepherds of Our Customers’ Data

As business owners, IT professionals and security experts, we should realize the responsibility we have to our customers and clients as they entrust us with their personal information.

The American public is, at best, naïve about the risk associated with their Internet usage – our casual display of personal information on social sites like Facebook being a great example. We give away our credit card numbers to any retail website that requests them; we use passwords that are easily guessed and we reuse the same login credentials across banks and celebrity gossip sites.

No loss of customer data should be taken lightly. While we understand the problems associated with the loss of financial and medical information, we can’t overlook the repercussions of losing simple identity information.

If we look at the most recent Zappos breach (January 2012, 24 million user accounts) as an example, we can see where even the seemingly benign stolen customer data might have potentially devastating effects on Zappos’ customers. In the many months to come, millions of Zappos customers will receive artfully crafted Zappos-like phishing emails (containing many social cues taken from Zappos) that will cajole credit card numbers and additional identity information out of a naïve public.

In addition, customer passwords (50% of all Americans use the same password on every one of their online accounts) that were extracted from the Zappos ‘encrypted’ database will be used to fraudulently access Zappos customer financial accounts like PayPal and Amazon.

Not only should we not abuse the trust our customers and clients have in us, but we need to guard that data against abuse by others.

Security Attacks - Every Business, Every Day

It is a given that every business that exposes itself to the Internet (usually through a website presence) is being attacked and tested every day. Unlike physical security attacks, there is no deterrent to keep cyber thieves from probing, cataloging, attacking, and setting up sophisticated social engineering scams on websites across the globe.

Thieves have the anonymity of the Internet and the luxury of living in countries where cybercrime is ignored to shield themselves from arrest for actual or attempted cyber crimes. Cybercrime, in many countries, is ignored by the authorities and is, in fact, a very profitable occupation.

Cybercriminals aren’t attacking just your website; they are attacking everyone’s website. The automated tools and armies of computer robots (bots) (sometimes millions strong) are being run by individuals and nation-sponsored cyber gangs with the sole goal of stealing data that they will sell or use for their own purposes.

To put an additional chill in your security nightmares, keep in mind that even the best security efforts don’t provide a 100% guarantee that your systems won’t be breached. Cybercriminals are always one step ahead of cyber defenses; as new security attacks are devised and holes in your infrastructure are discovered, your impenetrable security fortifications of today will be wide open tomorrow.

To make security even harder, it is a given that your staff will unknowingly become your security’s weakest link as they fall prey to sophisticated social engineering scams.

We agree life is neither easy nor fair. One of the immutable laws of security from Scott Culp, one of Microsoft’s security gurus, reads, “Eternal vigilance is the price of security.” Not only do businesses need to implement security, they also need to constantly update and monitor their implemented solutions.

The Personal Price of The Digital Economy

The digital economy has truly changed our lives. We live in a world that once only existed in science fiction. Some of us have already paid, and many will pay in the future, a price for this new economy – identity theft, credit card fraud, and privacy issues to name just a few.

If we stop, however, and take a look at the early history of automobiles, the price for this society-changing event was just as high. We see a very similar explosion – in 1918, only 1 in 13 families owned a car. By 1929, 4 out of 5 families had one. In the same time period, the number of cars on the road increased from 8 million to 23 million.

Our early automobile society brought us car-related fatalities that were 20 times higher than today’s, rampant pollution and a flight to the suburbs that left many inner cities in waste. Maturity in the form of government regulations, public awareness and a desire to return to cities has reversed many of these early problems. Our digital economy is still in its early stages; the economic, social and identity problems that swirl within it are growing pains, common to any major sociological change. The difference, however, may be the source of the pains. No one profited from early car deaths, while the problems we see in the new digital economy are fueled for the most part by a billion-dollar cyber crime underground.

Like the frog sitting in the slowly heating pot of water until it boils, I wonder if we will be fully aware of the inevitable changes, good and bad, in our digital economy as they happen.

Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Wlasuk is an expert in web security - from evaluation to web development and remediation.