CHICAGO (Dec. 8, 2014) — Imagine that suddenly there were frequent security incidents at Chicago's United Center sports arena.
Would you leap to blame the fans who attend the games or the Chicago Bulls' starting roster? No, you would rightly say that changes were needed with whoever was providing stadium security. We should react in the same way to the recent massive data breaches.
In that spirit, we offer zero advice to consumers about checking credit cards, credit scores or the like. Instead, our concern is with the poor security that creates the problem in the first place.
So how does computer security work?
A lot like security at the United Center. If you were in charge of security there, you would find out where the doors are, lock the ones you don't need and post guards at the rest to check credentials (tickets, press passes, etc.). Nothing's perfect, so you also would put guards inside to monitor behavior. Computer and network security is the same. We lock doors (shut down access points), post credential-checking guards (verify authorization) and deploy behavior-monitoring guards (ranging from home computer antivirus programs to multimillion-dollar systems defending corporate networks). In short, you would defend in depth.
In the well-documented Target Corp. breach, the retailer had a $1.6 million, state-of-the-art system to prevent unauthorized access. It worked, sounding alarms that hackers had penetrated the network.
Evidently, Target failed to heed the warnings. This is not unusual.
The explanations are typically that there are too many false alarms and that corporate culture discourages the disruption that responding to those alarms would cause.
In the case of both Target and Home Depot, “open doors” also were a problem. Credit card data was not encrypted when cards were swiped — the equivalent of leaving money out on a counter — and there were other open doors that let hackers in. Security experts can do a much better job closing doors and locking up money through encryption and other means.