The security industry spends a great deal of time talking about technical issues, from SaaS, encryption, user access, and server capabilities to entry access points, live monitoring, and video feeds. We might also want to spend some time reading comic books.
In comics, there are superheroes and supervillains. As security companies we have been trained to think of every data breach as villainous, but that presumption isn't even close to understanding the psyche of the modern-day hacker.
There will always be villainous hackers trying to steal credit card info and break into banks, but we live in an age when many hackers see themselves as the superheroes, not the villains. Batman is often described as the defender a city needs, but not the one it deserves. Internet vigilantes see themselves in this light: Anonymous and Wikileaks may define themselves as anti-secrecy groups, but you don't see them spending their time trying to uncover Coca-Cola's secret recipe.
Any historian will tell you that demonstrative actions carry more meaning than words can ever convey, and if you look at the actions of these somewhat anarchist, but very much citizen- and consumer-protection-oriented hacker groups, their actions paint a compelling picture of what one needs to do to achieve security in this day and age:
Don't be a jerk.
The biggest action you can take to keep your company secure in the age of Batman hackers is simply to treat people with respect. If you look at the recent high-profile document security breaches, there is one thread tying them all together:
The companies that got hacked were facing allegations that they were doing something unethical, illegal, or, for lack of a better word, jerkish.
The targets of Anonymous and Wikileaks are not random: they fit a very specific profile. The biggest data breaches in recent memory are not about financial gain for their hackers. Rather, the hackers see themselves as the last hope for justice in a world overrun with corruption, and so they deal out the only justice they have: internet street justice.
In today's climate, the best security advice was set down by Isaac Newton in 1687: for every action there is an equal and opposite reaction.
So here are some basic rules for data security in the age of Internet vigilante justice:
1. Don't sue your customers and don't disable features people have already paid for.
This is what Sony was doing right before it incurred the wrath of Anonymous: suing its own customers and disabling features of its PlayStation product months after customers had bought their units. After the hack, Sony suffered an embarrassing public outage of its online game system, and millions of customers' contact and financial details were exposed.
As of now, it doesn't appear that the credit card data has been used (and Anonymous has denied stealing it); the hack appeared to be more about embarrassing Sony than actually stealing anything.
Most importantly, any analysis of the Sony situation would be remiss if it didn't point out the most interesting and telling part of the whole affair: nobody is printing "I'm with Sony" t-shirts in iconic orange.
Sony lost all its goodwill by attacking its customers. When Sony was attacked, there was no fan base standing with it. The only parties coming to Sony's defense are governments and other multinational corporations; Sony's customers are eerily silent.
2. Don't treat your customers like criminals.
The security industry has only to look at the failures of DRM as a warning about how we treat our customers. DRM has failed in every attempt to limit hackers, and now it only sways public opinion away from the publisher and towards those who commit piracy. Hackers will always find a way.
Just this week, it was reported that the reason movie theaters' picture quality has declined so significantly in the last year is that theaters can't figure out how to navigate the DRM on Sony projectors for 2D projection. Since the projectors lock down if you don't do it right, many theaters just use the 3D projection mode, which makes 2D movies look pretty lousy but doesn't trigger the DRM. So what Sony has done is make its DRM so complicated that its legitimate customers end up using the product in its broken, locked-down state. This is like a physical store adding so many layers of security that no one wants to shop there anymore.
If you treat your customers like criminals, your customers will begin to feel that either the black-market product (your product with the DRM removed) or a competitor's product is superior to yours.
People honestly do want to reward content producers like actors, musicians, and writers, but they don't want to pay needlessly aggressive corporations that treat them like criminals in the process. The response to hacking threats shouldn't be more and more draconian restrictions, but better customer service.
3. Don't use “security” as a means to hide corruption.
Wikileaks' defenders claim that the US government was using "national security" as a reason to hide corruption and unethical acts. Again, whether or not you believe this is true, the principle remains: if you don't want your documents exposed for all the world to see, it makes sense to evaluate what's in them. In this day and age, even the appearance of corruption is a security risk.
4. Don't treat your customers with contempt.
In recent weeks there have been continued, unsubstantiated rumors that Wikileaks will publish a giant dump of Bank of America documents related to mortgage fraud. Meanwhile, Goldman Sachs has had major leaks to Matt Taibbi of Rolling Stone that have culminated in a congressional hearing and have turned the public against the company.
Verizon and AT&T are both guilty of this as they try to rewrite contracts already signed so as to exclude tethering or to limit the amount of data customers can use.
Expect to get hacked and your secrets exposed if you are robo-signing foreclosure notices, deceiving your investors, disabling features after people have paid for your product, adding restrictions, or practicing whatever your industry's form of mistreating the customer happens to be.
So, we come back to where we started.
Public outrage against your company is the perfect condition for a "vigilante superhero" to emerge and deliver internet justice against your company. Even as we try to secure data and locations, as an industry we need to be honest that these vigilantes exist (and receive support) because consumers actually need them, even if they are not what consumers deserve. If you want to avoid a data breach, it's important to remember this: companies that are loved by their customers don't often get their secrets exposed. What we really need, what consumers actually deserve, is real self-regulation.
In the age of Internet vigilantes, an ounce of ethics is worth a pound of encryption.