Posted on February 21, 2017

Abstract

See Media Coverage at The Register

IBM's Data Science Experience is an enterprise-grade business analytics platform. It enables data scientists to collaborate and leverage cloud computing to understand big data through statistical and machine learning algorithms. WYC Technology conducts routine IT security assessments of new cloud offerings to ensure its clients' data are safe. Within a short period of inspection, we identified a major security flaw that put hundreds of terabytes of customer data at stake. We worked directly with IBM's security team to issue a correction within just two weeks.

Security is Difficult

The original vulnerability report can be found here.

IBM has historically had some of the best security people and technologies in industry, yet sometimes they still write flawed code. It’s the same case with any of the other tech titans such as Microsoft, Apple, or Google. Security flaws are inevitable, and correctly securing software is an extremely difficult process. There are simply no guarantees that your software is truly secure, only best-efforts to defensively program and protect against a limited set of known existing attacks.

Bruce Schneier has an excellent passage in his book Cryptography Engineering about these challenges:

“A security engineer has to take a malicious wind into account. What if the wind blows up and down instead of just from the side, and what if it changes directions at the right frequency for the bridge to resonate? Bridge engineers will dismiss this kind of talk out of hand: “Don’t be silly, the wind doesn’t blow that way.” That certainly makes the bridge engineers’ jobs much easier. Cryptographers don’t have that luxury. Security systems are attacked by clever and malicious attackers. We have to consider all types of attack.”

If even companies with extremely technically competent employees still fall prey to security vulnerabilities, what could a small or medium business even hope for? For a small business, there are already thousands of different things to worry about–how can it possibly also deal with cyberattacks? Fortunately, there’s the great equalizing question of “what’s at stake?”. Many experts agree that any security system can be broken, and it’s really about using enough security so that the contents are no longer worth it to a potential attacker.

Think about how much your most sensitive data are worth to you. How much are they worth to someone else: your competitors, your customers, your prospective customers, and blackmailers? The keyword is sensitive. Not all data are equal when it comes to security concerns. People protect their birthdays more than their favorite colors, and their bank account numbers even more than those. These practices also apply to organizations in that it’s best to put different amounts of effort into protecting different assets, depending on their value.

Security is almost always an afterthought in the race to build new innovative technology products. There is an age-old trade-off between security and convenience. It would be convenient to just leave the front door always unlocked, but this typically adds unacceptable risk to home security. However, technology isn’t always as intuitive, and companies often don’t understand the risk that they’re incurring by choosing some form of convenience, especially when it comes to technology. For example, an insurance company recently paid a $2.2 million fine for stolen USB stick with unprotected patient data in violation of HIPAA.

There’s no magic bullet that will fix or mitigate an organization’s security issues. It’s an ongoing process that must have permission to impact the organization’s culture. There’s no security appliance that will prevent an employee from giving a phisher their work email password or uploading confidential company files to their personal DropBox account.

If you want to improve your organization’s security, then you can take the first few steps in risk assessment on your own to start managing your IT risk:

1. Make a list or spreadsheet of your organization’s valuable digital assets, including:
   • Customer Data
     • Addresses
     • SSNs
     • Emails
     • Phone Numbers
     • Credit Card Numbers
     • Uploaded Content
   • Invoices
   • Employee Records
   • Company Financials
   • Shipping Records
2. For each asset, use a scale of 0-10 to how valuable these things are and to whom. E.g.,
   • Customer Data
     • Competitors: 8, they want our email list
     • Blackmailers: 4, they would only get email addresses, we don’t store credit card numbers
3. For each asset, annotate which system(s) it lives on. E.g.,
   • Customer Data
     • The website database
     • Backups to web host
     • In each respective customer’s web browser
     • In each respective customer’s mobile app
     • Our fulfillment partner’s database
     • Business analytics software used for data mining in our office
   • Complete Company Financials
     • Stored in the office accounting software with on-premise database
     • Backups sent to Amazon cloud storage
     • Bill, the CFO, has these on his home laptop and work laptop
     • John, the CFO’s secretary, has it on his work desktop
     • Steve, the CEO, has it on his work laptop and work phone

This is the starting point for identifying potential threats and determining their likelihoods, damage potential, and overall risk factors. It will help an IT security expert ask the right questions. To find one, you can visit your local OWASP or ISSA chapter or contact some of their members online. Additionally, WYC Technology also offers IT security services.