
5 More Ways I Can Steal Your Data


In my soon-to-be-released eBook, 10 Ways I Can Steal Your Data, I cover the not-so-talked-about ways that people can access your enterprise data. It covers things like you're just GIVING me your data, ways you might not realize you are giving me your data, and how to keep those things from happening.

The 10 Ways eBook was prepared to complement my upcoming panel during next week's ThwackCamp on the data management lifecycle. You've registered for ThwackCamp, right? In this panel, a group of fun and sometimes irreverent IT professionals, including Thomas LaRock sqlrockstar, Stephen Foskett sfoskett and me, talk with Head Geek Kong Yang kong.yang about things we want to see in the discipline of monitoring and systems administration. We also did a fun video about stealing data. I knew I couldn't trust that Kong guy!

In this blog series, I want to talk a bit more about other ways I can steal your data. In fact, there are so many ways this can happen that I could do a semi-monthly blog series from now until the end of the world. Heck, with so many data breaches happening, the end of the world might be sooner than we think.

More Data, More Breaches

We all know that data protection is getting more, and wider, attention. But why is that? Yes, there are more breaches, but I also think legislation, especially the regulations coming out of Europe such as the General Data Protection Regulation (GDPR), means we are getting more reports. In the past, organizations would keep quiet about failures in their infrastructure and processes because they didn't want us to know how poorly they treated our data. In fact, during the "software is eating the world" phase of IT, when software developers were made kings of the world, most data had almost no protection and was haphazardly secured. We valued performance over privacy and security. We favored developer productivity over data protection. We loved our software more than we loved our data.

But this is all changing due to an increased focus on the way the enterprise values data.

I have some favorite mantras for data protection:

  • Data lasts longer than code, so treat it right
  • Data privacy is not security, but security is required to protect data privacy
  • Data protection must begin at requirements time
  • Data protection cannot be an after-production add-on
  • Secure your data and secure your job
  • Customer data is valuable to the customers, so if you value it, your customers will value your company
  • Data yearns to be free, but not to the entire world
  • Security features are used to protect data, but they have to be designed appropriately
  • Performance desires should never trump security requirements

And my favorite one:

  • ROI also stands for Risk of Incarceration: Keeping your boss out of jail is part of your job description

So keep an eye out for the announcement of the eBook release and return here in two weeks when I'll share even more ways I can steal your data.

42 Comments
CourtesyIT
Level 15

Good posting.  Looking forward to Thwack Camp.

Jfrazier
Level 18

Looking forward to the ebook and your session during Thwackcamp !

d09h
Level 16

Re:

In my soon-to-be-released eBook, 10 Ways I Can Steal Your Data, I cover the not-so-talked-about ways that people can access your enterprise data. It covers things like you're just GIVING me your data, ways you might not realize you are giving me your data, and how to keep those things from happening.

Currently four super easy ways to get people to fling their data at you without a second thought

  1. put an Amazon or Google logo on it and call it a smart device
  2. self-crashing self-driving cars since technology never fails or hides features
  3. call it social media and get those cool youngsters to do it (when it gets too littered with old folks, create something newer but no less creepy)
  4. get those 'reality TV' people to do it

For extra effectiveness, combine two or more of these.

I know the initial statement was in reference to enterprise data, but folks who are really prolific and who overshare will certainly spill some enterprise beans here and there.

datachick
Level 12

Did you know that the average public social media user is a 40-something female?  The "kids these days" use social media, but in more private things like group chat.  It's all us mid-life folks on Facebook and Twitter.

d09h
Level 16

Count me in the tin foil hat group.  I had to get a background check around the time I was hearing about MySpace and kind of had a Richard Stallman moment.

Fast forward about fifteen years and these look much more palatable than the mainstream platforms:

FreedomBox - Debian Wiki

FreedomBox/Features - Debian Wiki

Collection:PRISM - Free Software Directory

enzocastiglia
Level 7

Good posting.  Looking forward to Thwack Camp.

bmallon
Level 12

Great post, but I have to say "ROI also stands for Risk of Incarceration: Keeping your boss out of jail is part of your job description" is absurdly false. Has ANYONE gone to jail for Equifax getting hacked, then hiding it for months? There are so many times when things happen and nobody even gets their hand slapped much less jail time.

mtgilmore1
Level 13

When was the last time someone went to jail for a data breach. Get real.

datachick
Level 12

In some jurisdictions there are privacy laws that make breaches a criminal offense for allowing a breach or disclosure to happen.   In the US there is no current criminal legislation for breaches, you are correct. I believe at some point the US or some states will begin enacting non-trivial penalties for the types of things we have seen with the Equifax breach.  What happened there appears to reflect a clear indifference to the data they stewarded.

rschroeder
Level 21

I'd enjoy seeing corollaries to your favorite mantras, including:

  • Vectors of which users are woefully unaware, which can infect their gear or compromise their data without any user action (e.g.:  Blueborn, and others)
  • Sacrificing security, reliability, and speed for convenience (a.k.a.:  "wireless".  Particularly annoying with the WPA2 hack recently publicized)
  • The many ways social media will bite you today, and reduce your opportunities tomorrow (or why you shouldn't post ANY pictures, opinions, jokes, etc. via social media).  "Regrets . . . I've had a few . . . "
  • How others will use your social media posts to steal your identity.  Quickly, effectively, and for free.
  • When corporate (or personal) processes sacrifice security for profit (e.g.:  not training staff the secure ways to do things, not having a corporate (or personal!) security policy, not enforcing said policies due to cost or inconvenience, not staffing to the need, etc.)

Please keep up the wonderful work and the excellent knowledge sharing, datachick!

datachick
Level 12

This page has a good list of countries that have federal data breach legislation and what the penalties are.  Read carefully; it seems some of the items mix penalties for intruder and stewarding organization.  But there are plenty that have criminal penalties.

Practical Law UK Signon

datachick
Level 12

Great list, thanks. 

I'm in real trouble with your social media ones..

datachick
Level 12

I think it will be a CLM* as a data professional to ignore or be ignorant of security issues in IT due to these laws.  And I'm a firm believer in the snarky ROI definition. It's not just data breaches.  I've worked in safety-focused IT (utilities, healthcare, transportation, defence, etc.).  Keeping my boss out of jail was a big deal.  I have friends whose bosses went to prison for bad things they did to the public.  It's a real thing.

The legislation in the US or your state will happen.  Maybe not soon.  Maybe in a few years.  We should be ready.

datachick
Level 12

I had a similar discussion on Twitter this week about IT professionals who claim that security can be applied after their work is done and handed over to others.

[Screenshot: Idontdosecurity.png]

It has generated some interesting discussions about who "does security" and what an IT professional's job is regarding security.  I believe every role in IT (plus business) needs to do security and privacy by design.  From the get go.  These aren't things that can be layered on top of your work at the end of a project.

bmallon
Level 12

Please understand that I mean no disrespect. I can't speak to the claim about the laws in other countries, but here in the US, nobody goes to jail over data breaches and poor security. It's truly a shame, and until we tighten those laws, there will never be accountability for such things. I promise you though, as soon as a CEO's ass is truly on the line for protecting the data, THAT's when security in the US will come to the limelight. How many more data breaches do we have to endure before something is done about it? How was the Equifax breach not the start of a true movement? I guess everyone is too busy watching Harvey Weinstein go down to worry about things like their own identity being stolen. It's truly a shame.

sqlrockstar
Level 17

A quick search on Bing or Google will reveal many incidents of data breaches where someone served jail time. If it can be shown that the CIO was willfully negligent, then yes, they can go to jail.

If you don't believe that anyone can go to jail for a breach, then you should assume an ROI of 0% to be the "get real" amount.

bobmarley
Level 15

I still can't believe nothing is being done about Equifax...

viguy
Level 12

"Mid-Life" folks? I hate to think what that makes me maybe "Past-Life" ??

It is alarming how easily data can be compromised as well as how many times we see little or insufficient steps in place to protect Corporate/Private/Personal data. I mean, yes, it's good that we are beginning to hear about the breaches, although I think it is only skimming the surface. Looking at the recent breaches and how far back they go before being announced, this is something that needs to be responded to much quicker. Perhaps better legislation, or, as others and I have stated, a more global approach to protecting, preventing, response and disclosure should be brought to bear.

Good Blog and I look forward to both the eBook and the ThwackCamp session.

viguy
Level 12

Something was done.... A large Govt contract was awarded....

Equifax Gets Multi-Million Dollar Contract WIth IRS | Time.com

datachick
Level 12

Me, too!

datachick
Level 12

Good.  Then you can see that I'm actually about 6" taller than sqlrockstar

datachick
Level 12

Because they have announced some Canadians have been impacted, there will likely be penalties for them in Canada. No jail, though

vinay.by
Level 16

Nice write up

tinmann0715
Level 16

Data is soapy. It continues to grow and it is slippery. (Also, water can wipe it out!)

In my world our data "soap" keeps bubbling and bubbling and bubbling. It's out of control. I really enjoyed the session.

d09h
Level 16

datachick  wrote:

Did you know that the average public social media user is a 40-something female?

Yes, and her name is Peggy.

Peggy - Customer Service - Please Hold - YouTube

Peggy (Discover Card) - Wikipedia

rschroeder
Level 21

I'm just disappointed my kids have dropped using Facebook for their primary social media, moving to Snap-Chat and Instagram and others.

It was nice to share their worlds and activities.  Which is, no doubt, why they left FB for the Over-40 crowd.

d09h
Level 16

rschroeder  wrote:

I'm just disappointed my kids have dropped using Facebook for their primary social media, moving to Snap-Chat and Instagram and others.

Not half as disappointed as the kids would be if you got on Snapchat and Instagram to continue where you left off!  I'm sure they like you and all.   Don't take that the wrong way.  'Old people' hanging around is probably eventually a death sentence to a platform.

rschroeder
Level 21

Once they moved out of the house, I stopped requiring them to provide info so I could access their social media sites.  Trust but verify.

Now that they're on their own (somewhat--both in college), they have more leeway. However, they know who's still paying the bills, who's legally responsible for their actions.

I never threaten them with revoking their cell phones, but they understand with great surfing comes great responsibility.  And there are consequences from a loving / responsible parent that are designed to help them develop good habits.

I'd love to "KNOW" the impact the Internet has on people--individually and by group.  Unlimited access to knowledge and "images" is a mighty tempting apple . . .  And when no one watches the surfing/searching patterns and habits, socially unacceptable (or even illegal) activities can occur.

Trust, but verify--it's all we can do once we've let the young birds fledge and leave the nest.

karthik.act
Level 10

Waiting for ebook

ecklerwr1
Level 19

Thwackcamp 2017 is now!

rharland2012
Level 15

'Socially unacceptable' - that's an evolving definition. Our generation's views will be laughed at long before we're dead - I think there's already a fair bit of snickering.

rschroeder
Level 21

Yes, when we think about what was socially acceptable a hundred or five hundred years ago, we see changing attitudes.

It may be that part of adults' responsibilities is to evaluate what's good, bad, acceptable, unacceptable, and encourage children and younger adults to understand and examine and consider--and adopt/not adopt.

I'd love to imagine a society with open minds about many types of communications, images, videos--while keeping children from becoming victims of adults who enjoy creating or participating in those things.

When an ankle was scandalous, and then scandal evolved to seeing a calf, then a knee, and then thigh, we can consider the rationality of the mind set.  Some of that scandal may be the responsibility of the beholder and their internal reaction to others' looks or behaviors.

When other cultures deem a man can do a thing or dress one way, while a woman cannot, we can also consider the roots of that tradition.  When we seek the rationale for this that makes sense to a calm and intelligent individual, we may learn, or they may learn--as long as heads don't butt, and calm sharing of ideas and discussion occurs, we can coexist peacefully.

I recall a story of how regular bathing was considered unacceptable by society's elite (European royalty) over a hundred years ago, and now some cultures have evolved to require daily bathing and the absence of natural sweat scents.

Perhaps the only standard we should consider involves being understanding and kind and open-minded when traditions evolve, as long as no one is mentally or physically harmed by that evolution?

Jfrazier
Level 18

tied up at the office and missing ThwackCamp 2017....  <bummed>

brett.holzhauer
Level 12

Jfrazier

Sorry you couldn't be here Jon!

byrona
Level 21

I really love that you point out that "Data protection must begin at requirements time" and "Data protection cannot be an after-production add-on" because all too often I think this is where things fail.  I have watched way too many environments be built without security in mind only to try and bolt it on after the fact and it not only makes the product or environment not as good as it could have been but it also consumes a lot more resources.  This also makes me realize I need to be a lot more verbal about this going into a project. 

Thanks for the great post and it was nice seeing you talk at Thwack Camp!

bobmarley
Level 15

I missed Thwack Camp also, but the time wasn't wasted. I was finally able to install my newly purchased Netflow software

tallyrich
Level 15

There is one of the "root" issues. For years things were built and published with the expectation that the "network" or the "perimeter" would provide security. That hasn't been the actual case for a long time, but things are still being built that way, people are still thinking that way and the "bad guys" are still smiling.

inkedgeekfreak
Level 9

I really want those mantras on a poster, like a list of Commandments. Completely stealing the TRUE acronym for ROI.

datachick
Level 12

That's a good idea.

datachick
Level 12

I would only take us selling this "security by design" message to about 20 people in our org to make a real change.  Especially if we started highlighting the security thoughts we put into our own products.

michael.kent
Level 13

Thwack camp videos now up!

adriana.boyd
Level 9

Thanks, great info to share with my clients!

About the Author
Data Evangelist Sr. Project Manager and Architect at InfoAdvisors. I'm a consultant, frequent speaker, trainer, blogger. I love all things data. I'm an Microsoft MVP. I work with all kinds of databases in the relational and post-relational world. I'm a NASA 2016 Datanaut! I want you to love your data, too.