小程序
传感搜
传感圈

Data Vu: Why Breaches Involve the Same Stories Again and Again

2022-07-29
关注

In the classic comedy Groundhog Day, protagonist Phil, played by Bill Murray, asks “What would you do if you were stuck in one place and every day was exactly the same, and nothing that you did mattered?” In this movie, Phil is stuck reliving the same day over and over, where the events repeat in a continual loop, and nothing he does can stop them. Phil’s predicament sounds a lot like our cruel cycle with data breaches.

Every year, organizations suffer more data spills and attacks, with personal information being exposed and abused at alarming rates. While Phil eventually figured out how to break the loop, we’re still stuck: the same types of data breaches keep occurring with the same plot elements virtually unchanged.

Like Phil eventually managed to do, we must examine the recurring elements that allow data breaches to happen and try to learn from them. Common plotlines include human error, unnecessary data collection, consolidated storage and careless mistakes. Countless stories involve organizations that spent a ton of money on security and still ended up breached. Only when we learn from these recurring stories can we make headway in stopping the cycle.

The main plotline of so many data breach stories is human error. Over and over, people fall for phishing scams, fail to patch vulnerable software promptly, lose devices containing vital data, misconfigure servers or slip up in any number of other ways.

Hackers know that humans are the weak link. Many break-ins to company databases occur less by technological wizardry and more by con artistry. For instance, hackers can trick an organization’s employees by sending an e-mail that looks like it’s coming from one of their supervisors. Doing so is easy: anyone can readily learn the names of supervisors by looking them up on LinkedIn and can then spoof an e-mail address. Essentially, hackers hack humans more than they do machines.

Despite the fact that human error is an aspect of most data breaches, many organizations have failed to train employees about data security. As for the organizations that do, they often use long and boring training modules that people quickly forget. Not enough attention is paid to making training effective.

It’s reasonable to expect that even with a well-trained workforce, some people will inevitably fall for hacker tricks. We must approach data security with realism that people can be gullible and careless, and human nature isn’t going to change. That means we need systems and rules in place that anticipate inevitable breaches and minimize their harm.

In many data breaches, an enormous amount of information is lost all at once. because hacked organizations were collecting more data than absolutely necessary, or keeping such information when they should have been deleting it.

Over time, organizations have been collecting and using data faster than they have been able to keep it secure—much like in the 19th-century industrial revolution when factories sprouted up before safety and pollution controls were introduced. Instead of hoarding as much information as possible, they should enact policies of data minimization to collect only data necessary for legitimate purposes and to avoid retaining unnecessary data.

To make matters worse, many organizations have stored the vast troves of information they amass in a single repository. When hackers break in, they can quickly access all the data all at once. As a result, breaches have grown bigger and bigger.

Although many organizations fear a diabolical hacker who can break into anything, what they should fear most are small, careless errors that are continually being made.

For instance, an entirely predictable mistake is a lost device. Lost or stolen laptops, phones and hard drives, loaded up with personal data, have played a big role in breaches. Companies should assume that at least some losses or thefts of portable devices will occur—and to prevent disaster, they should require that the data on them be encrypted. Far too often, there is no planning for inevitable careless mistakes other than hoping that they somehow won’t happen.

Money alone is not enough to stop hackers. In fact, many of the organizations that have had big data breaches were also big spenders on data security. They had large security teams on staff. They had tons of resources. And yet, their defenses still were breached. The lesson here is that money must be spent on measures that actually work.

In the case of the Target breach in 2013, the company had spent a fortune on a large cybersecurity team and on sophisticated software to detect unusual activity. This software worked and sent out alerts—but security staff members were not paying enough attention, and reportedly they had turned off the software’s automatic defenses. Having the best tools and many people isn’t enough. A security team must also have a good playbook, and everyone must do their part.

Although at the surface, data breaches look like a bunch of isolated incidents, they are actually symptoms of deeper, interconnected problems involving the whole data ecosystem. Solving them will require companies to invest in security measures that can ward off breaches long before they happen—which may take new legislation.

With a few exceptions, current laws about data security do not look too far beyond the blast radius of the most recent breach—and that worsens the damage that these cyberattacks cause. Only so much marginal benefit can be had by charging increasing fines to breached entities. Instead, the law should target a broader set of risky actors, such as producers of insecure software and ad networks that facilitate the distribution of malware. Organizations that have breaches almost always could have done better, but there’s only so much marginal benefit from beating them up. Laws could focus on holding other actors more accountable, so responsibility is more aptly distributed.

In addition to targeting a wider range of responsible entities, legislation could require data minimization. With reduced data, breaches become much less harmful. Limiting data access to those who need it and can prove their identity is also highly effective. Another underappreciated important protection is data mapping: knowing what data are being collected and maintained, the purposes for having the data, the whereabouts of the data and other key information.

Government organizations could act proactively to hold companies accountable for bad practices before a breach occurs, rather than waiting for an attack. This strategy would strengthen data security more than the current approach of focusing almost entirely on breached organizations.

But the law keeps on serving up the same tired consequences for breached companies instead of trying to reform the larger data ecosystem. As with Phil, until lawmakers realize the errors of their ways, we will be fated to relive the same breaches over and over again.

This is an opinion and analysis article, and the views expressed by the author or authors are not necessarily those of Scientific American.

参考译文
数据Vu:为什么入侵事件一次又一次涉及相同的故事
在经典喜剧《土拨鼠日》(Groundhog Day)中,主人公菲尔(Bill Murray饰演)问道:“如果你被困在一个地方,每天都是一样的,你做什么都不重要,你会做什么?”在这部电影中,菲尔被困在重复的同一天,事件在不断循环,他做什么都无法阻止他们。菲尔的困境听起来很像数据泄露的残酷循环。每年,组织机构都会遭受更多的数据泄漏和攻击,个人信息暴露和滥用的速度令人震惊。虽然Phil最终找到了打破循环的方法,但我们仍然陷入了困境:相同类型的数据泄露不断发生,相同的情节元素几乎没有变化。就像Phil最终设法做到的那样,我们必须检查导致数据泄露发生的反复出现的因素,并试图从中吸取教训。常见的情节包括人为错误、不必要的数据收集、合并存储和粗心的错误。无数的故事都涉及到组织在安全上花了大量的钱,但最终还是被攻破了。只有当我们从这些反复发生的故事中吸取教训时,我们才能在阻止这种循环方面取得进展。许多数据泄露事件的主要情节都是人为错误。人们一次又一次地陷入网络钓鱼骗局,未能及时修补易受攻击的软件,丢失包含重要数据的设备,错误配置服务器或在许多其他方面出错。黑客们知道人类是薄弱环节。许多对公司数据库的入侵不是靠技术手段,而是靠欺诈手段。例如,黑客可以通过发送看起来像是来自某个组织主管的电子邮件来欺骗组织的员工。这很容易做到:任何人只要在LinkedIn上查一查,就能轻易知道主管的名字,然后伪造电子邮件地址。从本质上讲,黑客攻击人类的次数多于攻击机器的次数。尽管人为错误是大多数数据泄露的一个方面,许多组织没有对员工进行数据安全培训。至于那些提供培训的组织,他们经常使用冗长而枯燥的培训模块,人们很快就会忘记。对培训的有效性重视不够。我们有理由相信,即使有训练有素的员工,有些人还是会不可避免地落入黑客的陷阱。我们必须现实地看待数据安全问题,即人们可能会容易受骗和粗心大意,人性不会改变。这意味着我们需要建立能够预见不可避免的违规行为并将其危害降到最低的制度和规则。在许多数据泄露事件中,大量的信息会同时丢失。因为被黑客攻击的组织收集了比绝对必要的更多的数据,或者在本应删除这些信息的时候保留了这些信息。随着时间的推移,组织机构收集和使用数据的速度已经超过了保证数据安全的速度——这很像19世纪的工业革命,当时工厂如雨后春笋般涌现,那时还没有引入安全和污染控制措施。应该制定“数据最小化政策”,只收集合法的必要数据,避免保留不必要的数据,而不是尽可能地囤积信息。更糟糕的是,许多组织将他们积累的大量信息存储在一个单一的存储库中。当黑客入侵时,他们可以快速访问所有的数据。因此,漏洞越来越大。尽管许多组织都害怕一个能闯入任何东西的邪恶黑客,但他们最应该担心的是不断出现的粗心大意的小错误。 例如,一个完全可以预见的错误是丢失设备。丢失或被盗的笔记本电脑、手机和装满个人数据的硬盘驱动器,在黑客入侵事件中扮演了重要角色。公司应该假设至少会发生一些便携设备的丢失或被盗,为了防止灾难,他们应该要求对这些设备上的数据进行加密。通常情况下,对于不可避免的粗心错误,我们没有任何计划,只是希望它们不会发生。单靠金钱是不足以阻止黑客的。事实上,许多发生大数据泄露的组织在数据安全方面也投入了大量资金。他们有庞大的安保队伍。他们有大量的资源。然而,他们的防线还是被攻破了。这里的教训是,必须把钱花在实际有效的措施上。在2013年塔吉特百货(Target)的黑客入侵事件中,该公司花了一大笔钱组建了一个大型网络安全团队,并研发了检测异常活动的复杂软件。这款软件能够正常工作并发出警报——但是安全人员并没有给予足够的重视,据报道他们已经关闭了软件的自动防御系统。拥有最好的工具和许多人是不够的。一个安全团队也必须有一个好的剧本,每个人都必须尽自己的一份力。虽然从表面上看,数据泄露看起来像是一堆孤立的事件,但它们实际上是涉及整个数据生态系统的更深层次、相互关联的问题的症状。解决这些问题需要公司在安全措施上投资,这些安全措施可以在入侵发生之前很久就阻止它们——这可能需要新的立法。除了少数例外,目前有关数据安全的法律并没有超出最近这次入侵的爆炸半径,这加剧了这些网络攻击造成的损害。对违规实体收取越来越多的罚款,只能带来这么多的边际效益。相反,法律应该针对更广泛的风险行为者,比如不安全软件的生产商和为恶意软件的传播提供便利的广告网络。那些几乎总是有违规行为的组织本可以做得更好,但痛打他们只会带来有限的好处。法律可以侧重于让其他行为者承担更多责任,这样责任就能更恰当地分配。除了针对范围更广的负责实体外,立法还可以要求尽量减少数据。随着数据的减少,数据泄露的危害会大大降低。限制那些需要数据并能证明自己身份的人访问数据也是非常有效的。另一个未得到充分重视的重要保护是数据映射:了解正在收集和维护哪些数据、拥有数据的目的、数据的位置和其他关键信息。政府组织可以在黑客攻击发生之前就主动追究公司的不良行为责任,而不是等到攻击发生。这一策略将比目前几乎完全专注于被入侵组织的方法更能加强数据安全性。但法律仍在为被入侵的公司带来同样令人厌倦的后果,而不是试图改革更大的数据生态系统。就像菲尔一样,除非议员们意识到他们的错误,否则我们注定要一次又一次地重蹈覆辙。这是一篇观点和分析文章,作者或作者所表达的观点不一定是《科学美国人》的观点。
  • 网络安全
  • en
您觉得本篇内容如何
评分

评论

您需要登录才可以回复|注册

提交评论

提取码
复制提取码
点击跳转至百度网盘