The Beginning Of Wisdom

[Steven H. Blackwell]

“What's in a name? that which we call a rose,


By any other name would smell as sweet.”

—Juliet (Romeo and Juliet, Act II, Scene 2, William Shakespeare)—

“The beginning of wisdom is to call things by their proper name.”

—Confucius—

An entire series of recent studies published by well-known and well renown international security analysis and information industry firms have all made, in slightly varying language, the following key points:

• Data housed in files in organizations are under relentless and persistent attack by a variety of threat agents including criminals, nation states, so-called “hacktivists”, and disgruntled current or former employees.
• Organizations of all different sizes are vulnerable; however, smaller businesses and organizations are particularly susceptible to data breaches because they have fewer resources with which to protect themselves and are often in the supply chain of larger organizations that may house particularly valuable data. This is not to say that smaller organization themselves do not also have the same type of particularly valuable data.
• Financial gain, industrial espionage focused on the theft of intellectual property, and embarrassment or disruption of organization activity are three principal motivations driving threat agents to undertake attacks that result in data breaches.
• The data are the target, not networks or web sites, or other digital infrastructure items. It’s the data.

The data housed in FileMaker databases and resident in organizations using FileMaker Pro and FileMaker Server fall squarely into this realm. So contrary to Juliet’s assertion, we need to adopt the Confucian approach and call this by its proper name.

FileMaker databases are susceptible to attack, and the data in them can be compromised and stolen or altered or manipulated by unauthorized persons. The sooner the community recognizes this, and the sooner developers and administrators recognize this, the sooner we can begin a serious and focused discussion about how to identify the likely attackers, identify what vulnerabilities in the software they might exploit, assess the likely risk of their doing so, and develop plans to mitigate the adverse impact of successful attacks.

What type data are vulnerable? The answer is: all types. Some categories are more valuable than others; these are likely high on the list of any attacker. Financial data, personally identifiable information, intellectual property, business process information, and organizational IT data are major targets.

What type organization is most at risk? Both small and large organizations in the for-profit, the not-for-profit, and the government and education sectors are targets. While certain types of attacks tend to focus on different sized organizations, all are vulnerable. And since smaller organizations frequently lack the resources or the processes to protect themselves, they can be especially hard hit.

FileMaker Pro database systems can be found in every type organization imaginable of every size and description in well over 100 countries on seven continents. Some of these databases are well-defended; others are defenseless. We in the developer community are lagging in our efforts to address the seriousness and pervasiveness of the threats to FileMaker databases found in all types of organizations, large and small, across a range of business segments.

One sentence in one of those reports[2] I referenced at the beginning of this post stands out as a stark reminder:

“Some interpret attack difficulty as synonymous with the skill of the attacker, and while there’s some truth to that, it almost certainly reveals much more about the skill and readiness of the defender.”

It’s time for the developer community to get busy about and to get serious about protecting information stored in the systems we create. What information do your clients have that needs protecting? And what happens if you don’t do that? We will explore those two questions, along with how to determine threats and risks, in coming entries on this BLOG.

Verizon, 2013 Data Breach Investigations Report

Mandiant, 2013 M Trends Threat Report

Solutionary, 2013 Global Threat Intelligence Report (GTIR)

Sophos, Security Threat Report 2013

[2] Verizon Report p. 48

View the full article