When Will We Ever Learn?
When will we ever learn that hackers are smarter than us? No matter what the depth of defenses that we employ to keep our systems and our data safe, it seems just a matter of time before some malicious attacker breaches them. Even our laws don’t help – most attacks originate from overseas, and tracking the perpetrators is nearly impossible.
Our data is especially susceptible. Entire private darknets have sprung up on the Internet for the sale of everything from credit-card data to Social Security numbers. The hacks of credit-card data at Target and Home Depot remain fresh in our minds.
The recent theft from the U.S. Government’s Office of Personnel Management (OPM) of a wide range of personal data belonging to over 20 million Americans should be a wakeup call. This hack has affected almost one in every ten adults in the United States!
The best defense against data thefts is to make the data useless to the attacker. All data should be encrypted in-flight and at-rest. Until our systems are updated to do this, expect data attacks to continue. We stress this topic in our seminars on High and Continuous Availability.
Dr. Bill Highleyman, Managing Editor
In the June 2015 issue of the Availability Digest, “A Massive Hack on the U.S. Government” described the database hack of the Office of Personnel Management (OPM). We reported that the personal information of 4 million current and former government employees had been stolen.
That number was a gross understatement. After further investigation, the count of people whose personal information was stolen rose to 21.2 million!
The hack was actually against two databases, one of which contained all of the Government’s security clearance applications since the year 2000 and another that contained personal information on government employees.
The OPM is suffering from age syndrome. The hacked databases are stored on forty-seven servers, with software dating back to the 1960s. The servers are virtually impossible to update, and Congress has provided no funding for replacements.
However, even if all systems were upgraded, hackers would continue to prove that they are smarter than us. Systems will continue to be hacked and data stolen. The only certain defense (well, almost certain) is to make the data useless to an attacker. Encryption must be used for all data in place and in motion.
IT outage statistics show that about 40% of all system outages are caused by humans and that about 70% include humans in one way or another. Human frailties combined on Wednesday, July 8, 2015, to take down three major systems – the New York Stock Exchange, United Airlines, and the Wall Street Journal.
At first, many were convinced that these failures were the result of a massive coordinated hacking attack. Just the previous evening, the Anonymous hacking group had tweeted “Wonder if tomorrow is going to be bad for Wall Street … we can only hope.”
However, the detailed descriptions of the faults put this speculation to rest. The NYSE outage was caused by an improper software upgrade. The UA glitch was caused by a defective router. The WSJ fault was caused by a massive overload of queries concerning the NYSE failure.
Human beings have their fingers in most causes of IT failures, whether it be an overt action like typing the wrong command or a management decision that leaves IT systems vulnerable. In each of the outages described in this article, proper human involvement could have avoided the outage.
In January 2015, hackers accessed customer information from United Airlines’ MileagePlus Frequent Flyer program. The hackers booked up to three dozen flights using mileage points from the Frequent Flyer accounts before United detected the attack.
United has now established a bug bounty program in which it will pay security researchers (“white-hat” hackers) frequent-flyer miles for information on security flaws. Depending upon the nature of the flaw, rewards range from 50,000 frequent-flyer miles to one million frequent-flyer miles. In just the few months that it has run its bug bounty program, United has already awarded millions of frequent-flyer miles to hackers who have uncovered gaps in the carrier’s web security. It has paid one million miles to each of two researchers.
As it has always done, United continues to thoroughly test its systems for security, and it engages cybersecurity firms to keep its websites secure. With the bug bounty program, researchers can flag problems before malicious hackers can exploit them. United finds that this approach is less costly than hiring outside consultants.
Organizations face increasing demands for “always on” availability. How are they faring? A 2014 survey by Veeam Software, a provider of data center availability products, explores this topic.
The survey, performed in conjunction with Vanson Bourne, an independent market research organization, is based on interviews with 760 senior IT decision makers in ten countries. The interviewees represent companies in retail, distribution, transportation, manufacturing, financial services, and business and professional services, among others.
The survey concludes that the system and data-availability requirements for companies are ever-tightening and that most companies are struggling to keep up.
Pointing out that an organization has an average of thirteen downtime incidents per year, the survey reveals the average downtime and data loss for mission-critical and non-mission-critical applications. It presents the costs that these outages impose on an organization.
A challenge every issue for the Availability Digest is to determine which of the many availability topics out there win coveted status as Digest articles. We always regret not focusing our attention on the topics we bypass.
Now with our Twitter presence, we don’t have to feel guilty. This article highlights some of the @availabilitydig tweets that made headlines in recent days.
The Availability Digest is published monthly. It may be distributed freely. Please pass it on to an associate.
Managing Editor - Dr. Bill Highleyman firstname.lastname@example.org.
© 2015 Sombers Associates, Inc., and W. H. Highleyman