Thursday, May 29, 2014

eBay: How could you?

Step up eBay, the world's largest online marketplace and the next in a line of corporations who have demonstrated that they too are capable of security failure.  eBay is not just another big box retailer, e-retailer, etc...they personify e-commerce, set the standard and are in every predictable way NOT a brick and mortar business gone wild for everything online.  eBay is the very house that the internet era caused to be built, ushered in by the demand for anything, anywhere at any time.

Fast forward along the breach runway from TJ Maxx, ... to Target this year: the runway is littered with one company after the next who mistook market position and financial viability as a surety that they could hide from reality.   One company, one agency after the next has shown that client data is just not secure, not safe, and that the path forward is very uncertain.

To be certain, eBay does a great job of protecting applications.  Today, on an industry conference call (InfraGard: www.nym-infragard.us) known as the Thursday Call, application protection was discussed and there was general agreement that eBay has done an admirable job in application security.  One senior security professional said eBay's problem is simply the M&M syndrome: a very hard outer shell vs. a soft mushy inside.  Thus you get very predictable outcomes when separation of duties, multi-factor authentication, scaling privilege to those with a need to know, and demanding credentials for insiders which should at the very least match those required of people admitted from the outside are neglected.  Ambivalence cannot be tolerated when you are in a class beyond all others in the online marketplace.  eBay now is set to walk the runway of shame, knowing full well all of this could have been avoided.

As the walk of shame befalls eBay, responsibility will be fixed upon whom?  The Board of Directors, who should have been monitoring the effectiveness of operations, audits, etc....most certainly they deserve the lion's share of credit....stockholders, beware whom you vote for and put on the boards of companies who depend on the online marketplace.  Step in the regulators: Connecticut, Florida, etc...UK authorities....eBay just bought itself more lawsuits and official inquiries than it ever would have cost them to do the right thing the first time.

CEO, COO, CTO, CIO, CFO, CSO, CRO....for sure, avoiding the media rather than taking full responsibility could become downright hostile from the inside.  But each of these people owns a part of 145 million records of their clients being exposed.   As these creatures of the front office prepare to circle the wagons, we must comment on the security staff whose job it is to keep the data secure, and on the fact that only passwords were encrypted.  Thus dates of birth, home addresses and more were left in the open. So how many CISSPs were on staff at Target, TJ Maxx, others and now eBay?  Will their certifications be revoked?  What liability will they have in failing to do what they swore they would take care of?  Do no harm??
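The point above, that protecting the password column alone leaves every other personal field readable to whoever reaches the database from the "soft inside", has a straightforward technical answer: encrypt the PII fields at rest as well, under a key the application holds and the database does not. The following is an added illustration written for this post, not eBay's code or anything the post describes; it assumes a 32-byte data-encryption key supplied by a key management system (here a constructed test key) and uses AES-256-GCM with the record id and field name as associated data, so a ciphertext lifted from one row or column cannot be replayed into another.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record is a customer row as it would sit in the database. The password
// would be a salted, stretched hash (not shown); every PII field is stored
// only as ciphertext, so a dump of the table exposes no dates of birth or
// home addresses.
type Record struct {
	ID     string
	Fields map[string]string // field name -> hex(nonce || ciphertext || GCM tag)
}

// Encryptor wraps a data-encryption key in AES-GCM (authenticated encryption).
type Encryptor struct {
	aead cipher.AEAD
}

// NewEncryptor accepts a 16-, 24- or 32-byte key; 32 bytes selects AES-256.
func NewEncryptor(key []byte) (*Encryptor, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Encryptor{aead: aead}, nil
}

// aad binds a ciphertext to the record and field it belongs to. GCM checks
// this on decryption, so moving a ciphertext between rows or columns fails.
func aad(recordID, field string) []byte {
	return []byte(recordID + "\x00" + field)
}

// Seal encrypts one field value under a fresh random nonce.
func (e *Encryptor) Seal(recordID, field, plaintext string) (string, error) {
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Prepend the nonce so the stored value is self-describing.
	ct := e.aead.Seal(nonce, nonce, []byte(plaintext), aad(recordID, field))
	return hex.EncodeToString(ct), nil
}

// Open decrypts a stored value; it errors on tampering or a wrong record/field.
func (e *Encryptor) Open(recordID, field, stored string) (string, error) {
	raw, err := hex.DecodeString(stored)
	if err != nil {
		return "", err
	}
	n := e.aead.NonceSize()
	if len(raw) < n {
		return "", errors.New("stored value shorter than nonce")
	}
	pt, err := e.aead.Open(nil, raw[:n], raw[n:], aad(recordID, field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EncryptRecord seals every PII field of a customer under its own AAD.
func EncryptRecord(e *Encryptor, id string, pii map[string]string) (Record, error) {
	rec := Record{ID: id, Fields: make(map[string]string, len(pii))}
	for name, value := range pii {
		ct, err := e.Seal(id, name, value)
		if err != nil {
			return Record{}, err
		}
		rec.Fields[name] = ct
	}
	return rec, nil
}

func main() {
	// Constructed key and sample customer for demonstration only.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	enc, _ := NewEncryptor(key)
	rec, _ := EncryptRecord(enc, "cust-0001", map[string]string{
		"dob":     "1985-04-12",
		"address": "12 Example Street, Anytown",
	})
	fmt.Println("stored:", rec.Fields["dob"]) // hex ciphertext, no plaintext
	dob, _ := enc.Open(rec.ID, "dob", rec.Fields["dob"])
	fmt.Println("decrypted:", dob)
	_, err := enc.Open("cust-0002", "dob", rec.Fields["dob"]) // wrong record
	fmt.Println("replay into another record:", err)
}
```

The design choice worth noting is the associated data: without it, an insider with write access to the table could swap ciphertexts between customers and the application would happily decrypt them. Key management (rotation, HSM or KMS custody, and keeping the key out of the database host) is what makes the scheme meaningful, and it is exactly the "soft inside" discipline the post is asking for.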

Angry?  Perhaps, not because of any one individual's actions or inactions, but because for ten years VERIZON has been publishing the DBIR and has listed the same recommendations over and over again.  Failure to do X will give you Y.  It's not like this is a well kept industry secret that no one knows.  Everyone knows.  Q1 this year was Target, Q2 this year is eBay, next up?

Before Q3 hits call in a security company and get a health check up.  Batten down the hatches and understand the world's wolves are gunning for you.  Make no mistake, size doesn't matter.

LINKS:

http://www.cnet.com/news/ebay-to-face-formal-investigations-over-data-breach/
http://www.scmagazine.com/states-probe-ebay-after-breach-affects-all-its-users/article/348422/
http://www.bbc.com/news/technology-27539799
http://www.theregister.co.uk/2014/05/23/ebay_security_breach_investigations/
