Data Breaches: All Your Fault

Learn more about the most recent data breaches.

by Grant Fritchey · Apr. 29, 19 · Presentation

One part of my job is to understand the compliance landscape. This means that I read a lot about GDPR and similar laws. I also have to read a lot about data breaches in order to understand how and where laws like the GDPR apply to them, and how they happened so that I can better prepare people through good DevOps practices to prevent them.

The more I read about data breaches, the more I realize:

It’s you. It’s your fault.

Don’t believe me? Let’s walk through a few recent data breaches together.

Passwords? We Don’t Need Stinking Passwords.

The Collection #1 data, which represents 21 million unique email addresses and passwords in a combination of more than 700 million, was found by Troy Hunt… on a data store with no password. Granted, this wasn’t a business. It’s actually a hacker collection of previous data breaches, but still.

Fine, let’s talk about business then. How about 24 million loan records, including bank account information, emails, phone numbers, social security numbers, and all the rest? Yeah, that was sitting on an Elasticsearch database with no password of any kind. Oh, and the S3 storage was completely open, too. Security? Is that still a thing?

How about exposing your entire client list because you left the password off the database? (Elasticsearch again. Is it hard to add a password to Elasticsearch?) How about stacks of resumes? (Elasticsearch again, and MongoDB.)

Those are just breaches from this year. If we go back, we can find more and more. Please, put a password on your systems. Speaking of passwords…

Passwords. They’re my only weakness.

According to ID Agent, 63 percent of all data breaches come from weak or stolen passwords. But hey, don’t believe them. Let’s talk to the Dudley Council, which has evidently not had a data breach (but how do they know?) but is nonetheless reporting poor security in its systems.

What about getting hacked in your home? Nest is actively encouraging everyone to start using stronger passwords. How about 800,000 people’s blood data?

SQL Injection? I thought you were dead.

We’ve known about SQL Injection and the possibilities it opens up for hacking since 1998. That’s longer than my kids have been alive. Surely, in all that time, we’ve figured out how to deal with SQL Injection, right?

Nope.

How about 1.3 million records breached, from a college no less (can you say FERPA?), due to SQL Injection? What if you’re using Magento (better get that patched)? Are you a gamer? You might want to check your Epic Games account then, because they’ve been hacked through SQL Injection. Toyota has suffered from an attack in Tokyo that came from SQL Injection, not Godzilla.
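As an added example (not from the original post), here is the query-building pattern that has kept SQL Injection alive since 1998, beside the parameterized form that removes it. Python and sqlite3 stand in for whatever database engine sits behind the application; the table, rows, and input strings are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table standing in for a real
    application database (college records, storefront, game accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [
            ("alice@example.edu", "student"),
            ("bob@example.edu", "staff"),
            ("carol@example.edu", "admin"),
        ],
    )
    return conn


def lookup_unsafe(conn, email):
    """Vulnerable pattern: the caller's input is spliced into the SQL text.
    The engine cannot tell where the data ends and the query begins, so a
    quote in the input rewrites the WHERE clause and the row filter is lost."""
    sql = f"SELECT email FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    """Hardened pattern: the SQL text is a fixed string and the value is bound
    as a parameter, so the engine always treats it as one literal, whatever
    characters it contains. This is the fix that has existed the whole time."""
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


if __name__ == "__main__":
    db = make_db()
    normal = "alice@example.edu"
    # Constructed input containing a quote: a lookup for a single address
    # should never return more than one row, so a larger result is the signal
    # that the query, not the data, was changed.
    quoted = "' OR '1'='1"
    print("safe, normal input:   ", lookup_safe(db, normal))
    print("unsafe, quoted input: ", len(lookup_unsafe(db, quoted)), "rows")
    print("safe, quoted input:   ", lookup_safe(db, quoted))
```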

PATCHES!

And upgrades. You know mainstream support for SQL Server 2014 is ending soon, right?

This one is actually tough. This blog got hacked a couple of years ago because I wasn’t keeping up with security patches. Yeah, I’m telling you that it’s not just you, it’s me too. It’s us. Patch management is the first line of defense to protect against data breaches, and we’re not doing it.

How do I know (except for my own data breach)?

Remember the Equifax data breach? The information about exactly how everything went down almost two years ago is just now getting out. What do we know? They found the breach AFTER they applied a patch that they had put off for over a year.

What Do We Do Now? Game Over!

None of this addresses phishing, insider hacks, accidentally losing laptops, and all the other things that are going wrong and causing these data breaches.

I get it. It’s probably not you directly. You told the boss that putting the database out without a password was a bad idea. You showed the organization how all the code they were writing was leading to exposure through SQL Injection. You’ve got a password that’s a little stronger than ‘password’ or ‘123456’. What else can you do?

It’s all about education. Sure, pass on the link to this blog or to one of the data breaches listed above. However, you, and your organization, have to do more. My strongest piece of advice? First, do a full-blown security assessment as outlined in the GDPR. Next, start implementing smart processes using DevOps as a model.

Let’s fix the things that we can in order to make these types of data breaches a thing of the past.


Published at DZone with permission of Grant Fritchey, DZone MVB. See the original article here.
