Experts: Lack of expertise means Verizon leak could recur

USA TODAY International Edition - NEWS - Madeline Purdue (@madelinepurdue), USA TODAY

Businesses everywhere, beware — what happened at Verizon can happen to you, too.

The names, addresses, phone numbers and, in some cases, security PINs of 6 million Verizon customers stored on large cloud-computing servers were made available to the public, the telecommunications carrier said last week after a cybersecurity company notified it of the exposed data.

Verizon chalked the leak up to human error, saying it was because an employee of NICE Systems, one of the contractors it uses to analyze its customer service response, made a mistake. No customer information was stolen, Verizon said, and it apologized to its customers.

Still, the risk was clear: A criminal who discovered the data could have used or sold the identifying information for the type of fraud that can wreak havoc on consumers’ lives.

The leak comes a month after the discovery that the names, birthdays, addresses and other personal details of 200 million registered voters were exposed by a contractor for the Republican National Committee.

In a similar scenario, the RNC contractor — Deep Root Analytics — had failed to ensure that the voter files stored on an Amazon cloud account were not available to public access. As with the Verizon exposure, Mountain View, Calif. cybersecurity company UpGuard identified the data cache.

More such exposures are likely until businesses, which are increasingly using the cloud to store and analyze customer data and their own content — for instance, images that populate their websites — get a firm grip on the security protections they need to place around such data.

“When you have these complex systems and you force humans to solve the problem manually, we make mistakes,” said Nathaniel Gleicher, head of cybersecurity strategy at Illumio and former director of cybersecurity policy in the Obama administration. “Complexity is the enemy of security.”

His take: Data leaks are going to keep happening until cloud storage systems become more automated and the enterprises have more help dealing with the system.

Amazon Web Services, where the Verizon data was stored, operates under a “shared responsibility” model with the customer — the Amazon cloud unit controls the physical security and operating system, and gives customers encryption tools, best practices, and other advice to help them maintain security of their data. The customers are responsible for making sure their applications are secure.

It’s similar to a Google Docs user setting the “sharing” setting to private, a small group, or anyone.

Chris Vickery of UpGuard, who found and alerted Verizon and the RNC to their data leaks, expects more will happen because the enterprises using cloud storage don’t understand it.

Vickery advises having an IT member go home early once a month and see if he or she can access cloud storage websites without special access. If they can get in, so can other people.


