I had no intention to write any blog posts during the holidays or, God forbid, make any predictions for the next year (look how relevant last year’s predictions turned out to be). However, an interesting story involving Ticketmaster, a large American ticket sales company, has caught my eye and made me think once again about my career in cybersecurity.
The whole story goes all the way back to 2013, but the details have only recently been unsealed after the company entered into a plea agreement and agreed to pay a $10 million fine for illegal access to a competitor’s computer system. Apparently, a former employee of said (undisclosed) competitor switched to Ticketmaster in 2013, taking with him usernames and passwords for his former employer’s computer systems. On multiple occasions between 2013 and 2015, he and his new Ticketmaster colleagues illegally accessed that company’s computers to assess their competitor’s products and to “steal back” their customers. According to the article, Ticketmaster used this data to gain a competitive advantage while being aware of the illegal tactics and even promoted the employee.
Can't see the forest for the trees
Now, I realize that this is old news, and it will certainly be overshadowed by other, hotter stories like the recent SolarWinds scandal. However, it is nevertheless worth looking at with more attention since, in a way, it much better represents the current state of cybersecurity as a whole. Pardon me for using a silly analogy, but cybersecurity experts sometimes remind me of the fans of zombie movies. I’m pretty sure everyone watching such a film imagines themselves as the main protagonist defending against a horde of monsters using a truck-mounted machine gun. However, in the very unlikely event of a real zombie apocalypse, most of us will surely end up as an insignificant part of that very horde…
In a similar way, discussing how we should defend against the latest highly advanced attack of another state-sponsored group has very little relevance for the risks an average company is facing daily, and designing your security architecture around the most current buzzword is not a wise strategy, perhaps even less wise than ignoring security risks completely. I’m not going to guess which of the extremes was the culprit of the Ticketmaster scandal, but you don’t have to be an expert to see that the victim company cannot be rated high on the cybersecurity maturity scale.
Not de-provisioning users that have left the company, using passwords without any multifactor authentication, and apparently not having any monitoring tools in place to detect illegal access – these are not some complicated technologies, but the very basic security hygiene rules. Why bother inventing new ways to fight sophisticated Russian or North Korean hackers if any malicious insider can easily exploit your systems for years without arousing any suspicion? Maybe cybersecurity vendors, as well as the industry press and analysts, should leave their ivory towers for a moment and focus their efforts on the lowest common denominator among their customers?
A dangerous precedent
There is another, even more worrying aspect in this case, however. Ticketmaster, a large company and a subsidiary of the even larger Live Nation conglomerate with billions in yearly revenue, was basically slapped on the wrist with a mere $10 million fine. Doesn’t it set a precedent that shows that corporate espionage and theft of intellectual property using the tried and trusted malicious insider approach can be considered a valid business practice, maybe unethical but still undeniably profitable? It took years to create reasonably comprehensive and harsh regulations for protecting personal information (with GDPR and such), but what about other types of sensitive data?
I have written about the “cargo cult of cybersecurity” earlier, but what we have here is even worse – that’s cybersecurity’s Stone Age! I really hope that problems like this will be the focus of more discussions in 2021 and not just the trendiest buzzwords like ransomware or supply chain security. Because if they aren’t, the worst of cybersecurity predictions for the next year will turn out to be true: nothing will ever change.