…that LinkedIn did not recognize its databases had been compromised until it was informed through public channels provides further evidence that the company didn’t adhere to industry standards.
I do not agree with this assessment. It is possible to be compromised and simply not have a positive sign that it has occurred – until the results are circulating publicly or others notice that there are symptoms of a breach.
We’re seeing information systems develop the same kind of complexity that biological systems exhibit – one-to-one, one-to-many, and many-to-one relationships were common… but now we’re looking at behaviours of complex systems no one party understands. Rather than concrete evidence of changes or breaches we have insinuations of breaches. Smart actors are using heuristic techniques to gain entry without tripping defensive responses, and there is no way to guarantee a breach can’t occur, even with “industry standard” protections.
What do you do when your “industry standard” protections must evolve weekly?
I’m interested to see what level of protection LinkedIn purports to adhere to, but even if it’s good enough there will be another breach. How do we plan for that reality?
I’m curious about the practical expression of these skills in the enterprise. Every breach I’ve been privy to or personally uncovered has occurred due to the lack of maintenance in one part of the system, lack of attention to detail, or poor process (a problem is found but is unreportable, as no one will act on the information or take ownership of the issue, or worse, professes ignorance out of fear of taking blame as the first responder). Any of these familiar? They’re solvable now.
So hopefully the problem at LinkedIn *is* the latter (process, policy, or technical failures), because the former – sophisticated breaches that are coming from all angles using co-operatively integrated components (inside the network, outside the network, human and robot/AI players) – is concerning, yet incredibly exciting. We’re seeing complex networks behaving like biological systems, and I expect data protection and AV vendors to step up to the plate. Just don’t expect the breaches to stop… they’ll inevitably continue as long as we present high-value targets.