Data here, Data there, data data everywhere. And no – it’s not funny
In the wake of the VTech breach from last week big questions are being raised about Big Data. Which is good because this is a conversation we’ve needed to have for some time. The data just keeps building and I hate to say this but any sense of control we think we may have over it, especially as regards our privacy, is illusory at best. Right now what I see is the Titanic sailing straight into a massive iceberg of insecurity.
It’s beginning to look a lot like what we don’t want for Christmas are those toys and gadgets that connect. Certainly not when you look at the rising numbers from the VTech breach: details, photos and chat logs on 200,000 kids and 5 million parents. You can’t just make that all better.
VTech left other sensitive data exposed on its servers, including kids’ photos and chat logs between children and parents. This data is from the company’s Kid Connect, a service that allows parents using a smartphone app to chat with their kids using a VTech tablet. In online tutorials, the company encourages parents and kids to take headshots and use them in their apps.
Twitter was ablaze with commentary about how this impacts our most vulnerable sector: the kids. Because there is no acceptable level of tracking or exposure when kids factor in. While one hacker demonstrated the extent of the VTech breach without abusing the data, the fact is that there are others out there who have no scruples. Attackers know our failings and weak spots. They’ve invested time, money and effort into finding these. In the cyber realm, the Grinch doesn’t steal Christmas – he goes after identities.
In response, Mark Nunnikhoven recently wrote “The Attack Surface of Data” here on LinkedIn Pulse. In it he re-establishes the point we all need to remember: Data=Risk. The more of it you have, the greater the value it is, then the greater your risk. But people keep putting more data out there, and storing it in places it can’t be kept safe. Mark points out that, as we here know too well, security is an after-thought at best. “Typically security teams are faced with dealing with the aftermath of collection decisions. That’s unfortunate because the easiest way to secure the data is simply not to every have it in the first place.”
He then proposes following “The Principle of Least Data,”
“An organization must collect and store only the data needed to complete their task”
which adapts one of security’s core tenants, least privilege. Because it’s easy and “tempting to collect and store as much as you can”.
But we’re only just seeing the tip of that insecurity iceberg. I gave a talk on Digital Literacy for Tech Soup recently to help non-profits better manage information using digital technology. The concept is that we need a “critical and creative means of interacting with the world” while consuming increasing amounts of data. Critical thinking came up a lot in my research on digital literacy. Ironically, it has failed to address how we handle and store all that data we want to interpret, communicate and manage. And as tech flows into our schools, the focus is on free, not on security. The kids aren’t the only ones learning: marketing has staked its claim with beacons, tracking apps, and getting teachers to sign up kids without parental consent. Free education apps come with a high price tag. Those sites that collect kid’s personal info don’t all have accessible ways to delete account info.
Per FTC Chairwoman Edith Ramirez, “While tracking itself is not new, the ways in which data is collected, compiled stored and analyzed certainly is … Not only can these profiles be used to draw sensitive inferences about consumers, there is also a risk of unexpected and unwelcome use of data generated from cross-device tracking.” I don’t know about you, but that doesn’t give me the warm and cozies.
Eric Rand (@munin) writes about how Big Data alalytics are tools, and as such can be wielded accordingly, given that “math has no morals.” Once there is a tool, anyone can use it. So governmentt or industry backdoors don’t just serve one interest. They potentially serve many. What our government claims to do for our “good” is potentially advantageous to our adversaries. In his blog Brown Hat Security he also says “any data at all that can be traced back to an individual can be conceivably used as evidence to order such force to be used against you.” Data gathered is never gone. It can come back to haunt us. It can be used against us. A permanent record if you will, that can cause considerable damage while putting considerable control in the hands of another. “Whoever controls the flow of information and how it is disseminated controls how the world works”
Jerry Bell and Andrew Kalat host the always informative Defensive Security Podcast, which is one of my go-to resources. In Episode 138 last month, they talked about how we don’t do data right. As ransomware evolves and more damaging variants debut weekly, the risk to data is rising exponentially. “We now have to re-evaluate our backup strategies.” Backups are no longer a mitigation of the original accidental threat vectors they were based on but must now become a primary defense against attacks on files. Factor this into “the ROI and considerations for backup schemes and strategies”. Which changes how much you need to be spending, and how you think about backups. Worth a hard second look? Yes indeed!
But that means we need to step up our game accordingly. Former magistrate and Judge John Facciola, a host on Data Privacy Pioneers, gave these recommendations on a recent show: that anyone holding information must know and adhere to the rules; have a technical infrastructure to conform; have people with expertise; check every tool in use and question it well before adopting it into the process. Take a common sense approach to evaluating the risk and lock it down.
Here’s the hard truth: we’re coming late to the game on this one and we know that we can’t take back what’s already out there. We need to pay way more attention to how we are handling all that data, because attackers are counting on what we are not doing. When it comes to the bottom line, people’s lives are not numbers. Our privacy matters.