My phone and email have been flooded with requests from various media outlets over the past 12 hours since security consultancy Hold Security dropped the news that a Russian gang has stolen more than a billion email account credentials. Rather than respond to each of them in turn, allow me to add a bit of perspective here in the most direct way possible: The Q&A.
An examination of the malware used in the Target breach suggests that the attackers may have taken advantage of a poorly secured feature built into a widely-used IT management software product that was running on the retailer’s internal network.
With all of the media and public fascination with threats like Stuxnet and weighty terms like “cyberwar,” it’s easy to overlook the more humdrum and persistent security threats, such as Web site (in)security. But none of that should excuse U.S. military leaders from making sure their Web sites aren’t trivially hackable by script kiddies.
As a rule, I tend to avoid writing about reports and studies unless they offer truly valuable and actionable insights: Too often, reports have preconceived findings that merely serve to increase hype and drum up business for the companies that commission them. But I always make an exception for the annual data breach report issued by the Verizon Business RISK team, which is so chock-full of hype-slaying useful data and conclusions that it is often hard to know what not to write about from the report.