The growing threat of collateral hacking

Collateral hacking threatens normally low-risk businesses

A small, family-owned hardware store sits on the main street of a quiet town in rural Michigan. During its peak season, the company serves about 40 customers a day for an average sale of US$9; roughly half of them pay by credit card. All of the company's credit card transactions feed digitally through a bank in Detroit.

From a hacking perspective, this store doesn't even warrant a blip on a digital thug's radar. So imagine the surprise when customers of mom-and-pop stores across the country got a letter last year telling them their credit card information had been exposed in a bank compromise. In other words, these stores were collaterally hacked.

Collateral hacking occurs when an entity trusted with critical data is compromised. It's becoming a huge threat as low-risk businesses pool their data and create an aggregation point that's an attractive target for attackers. Beyond targeted hacks, the consequence of having data duplicated by an external entity is disturbing. Consider the number of recent incidents involving data being accidentally exposed by people not necessarily trying to steal it (think bank backup tapes and the U.S. Department of Veterans Affairs' hardware theft).

An unexpected degree of risk is taken when data goes external. This includes data going to a software-as-a-service provider (for example, Salesforce.com or ADP), an error log with customer data going to a software vendor or systems integrator, or credit card data for a transaction that gets pushed through a bank.

Aggregation can do weird things to risk economics. Take crash dumps or logs. Unless there's a big incentive to hack into your company specifically, the chance of someone plowing through your application crash dumps or error logs is pretty small. But imagine targeting a systems integrator that has tens of thousands of these logs. It's likely to be a fairly simple data mining exercise to scan through these files quickly and use automation to look for credit card numbers.
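The automated scan described above is just as useful on the defending side: run it over crash dumps and error logs before they are shipped to a vendor or systems integrator, so a card number never reaches the external aggregation point. The following is an added example, not code from the column; the log lines are constructed, and the Luhn checksum is used to tell card numbers apart from ordinary numeric IDs.

```python
import re

# Candidate card number: 13 to 19 digits, optionally split by single spaces or dashes,
# not embedded in a longer run of digits (so long numeric IDs are skipped outright).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Return True if a string of digits passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits_only(text):
    return re.sub(r"[ -]", "", text)


def find_pans(line):
    """Return the Luhn-valid card numbers (digits only) present in one log line."""
    return [_digits_only(m.group(0)) for m in PAN_CANDIDATE.finditer(line)
            if luhn_valid(_digits_only(m.group(0)))]


def redact_line(line):
    """Mask every Luhn-valid card number in a line, keeping only the last four digits."""
    def mask(m):
        digits = _digits_only(m.group(0))
        if not luhn_valid(digits):
            return m.group(0)                # not a card number: leave untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE.sub(mask, line)


def scrub_log(lines):
    """Redact card numbers from a list of log lines; return (clean_lines, hit_count)."""
    hits = sum(len(find_pans(line)) for line in lines)
    return [redact_line(line) for line in lines], hits


# Constructed sample log lines; the card numbers are the standard public test numbers.
SAMPLE_LOG = [
    "2024-03-01 12:00:01 ERROR PaymentGateway: charge failed for card 4111 1111 1111 1111 amount=9.00",
    "2024-03-01 12:00:02 INFO  request_id=1234567890123 completed in 41ms",
    "2024-03-01 12:00:03 ERROR Refund: card 5500-0000-0000-0004 declined by issuer",
]

if __name__ == "__main__":
    clean, hits = scrub_log(SAMPLE_LOG)
    print(f"{hits} card number(s) redacted before export")
    print("\n".join(clean))
```

The 13-digit request ID in the second line is left alone because it fails the checksum, which is what keeps a scan like this from drowning in false positives on real logs.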

The key to curbing collateral hacking is to find out where your company's data is flowing. Think about partners, service providers, software vendors, anything outsourced -- for example, payroll or credit card processing. Then ask, "What do I know about how data is treated when it gets there?" Given enough important data in one place, your data could make one of your partners a more attractive target than the Pentagon.

Next, you need to assess how that data is handled. It's becoming increasingly acceptable to augment service-level agreements to include requirements for external security audits and staff training around security.

In an ironic twist, it tends to be the most critical data in small and midsize companies, such as credit card transactions, payroll information and customer contacts, that gets sent to service providers. With the risk of collateral hacking looming, companies need to look with a paranoid eye at service providers that process this critical data.

Choose wisely; miffed customers tend to blame the guy at the store counter, not the back-end organization that ultimately lost a massive amount of data.

Thompson is a well-known book author on computer security. He can be reached at hugh@hughthompson.com.

Herbert H. Thompson

Network World