eBay cyberattack: Security experts agree that employees are weakest link

"All businesses, including eBay, need to wake up to these risks and adopt stronger authentication for both employees and users of their services or sites. The answer lies in two-factor authentication – something you have and something you know. We're already familiar with this and use it in the form of chip and PIN every day with our bank cards. It's now time for businesses and society to wake up to the fact that passwords are dead and we need a more secure alternative." Richard Parris, CEO and founder of Intercede.

"The most effective way to practically defend systems against this kind of threat is to protect data at its source and provide access on a true need-to-know basis, which can be achieved by implementing encryption combined with tight access controls as a method of carefully separating users' network access from their ability to actually read, access and copy data. That way, if user accounts are compromised – as seems to be happening on almost a daily basis – there are more effective controls in place to help mitigate the damage that can be done." Paul Ayers, VP EMEA at enterprise data security firm Vormetric.

Is Behavioural the way forward?

"As the latest high-profile organisation to fall victim to a data breach incident, eBay provides another warning to all organisations that the threat to businesses is continuing to grow. The fact that employee accounts were compromised in this case is concerning, as robust controls should be in place around these credentials, including behavioural monitoring systems which flag any suspicious behaviour in real-time. While it remains to be seen how these credentials were compromised – whether via a successful phishing email or the involvement of a third party – it is unfortunately unsurprising that these incidents continue to occur." Ben Densham, CTO of independent cyber security consultancy, Nettitude.

"Cyber defences are changing and moving into the 21st century. Organisations are starting to understand that there is a need to watch every entry point, which may be a port, a protocol or an egress point. Matching that with the normal behaviour for a network and setting alarms off when personal information is moving out of an organisation will start to turn the tide on data breaches. In addition to securing all network data channels, companies must also focus on securing the social aspects of security. Social engineering or common mistakes such as giving out a password to a co-worker are all too common." Paul Martini, CEO at iboss Network Security.

"Those responsible for IT security must trust no-one and nothing. Not even the fridge. Collective mistrust is no longer a sign of paranoia but has become a guiding principle of IT. Every application and every piece of hardware can now be hacked so IT security has to mistrust everything and everyone. Not customers, not governments and especially not employees. They hold the key to so much and the stakes are so high." Wieland Alge, VP and General Manager EMEA, Barracuda Networks.

  • What are your thoughts about this security debacle? What should or could eBay have done to prevent it, if anything?
Desire Athow
Managing Editor, TechRadar Pro

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website builders and web hosting when DHTML and frames were in vogue and started narrating about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium.