I think that I’ve become immune to the shock value of the average cyberattack – the one involving my personal records excepted, of course. It’s not that the attacks aren’t devastating, but I’ve reached a point where I expect every organization to be breached at some point; it is simply a matter of how it was done and what was stolen.
And then came the story of the St. Louis Cardinals and the Houston Astros.
I love baseball, and I know that the Cardinals are a perennially good team and that the Astros are doing surprisingly well after several years of futility. What type of edge were the Cardinals expecting to get from the Astros database? This is baseball, for goodness’ sake, not defense secrets or a treasure trove of financial data. But, as Ken Westin, senior security analyst for Tripwire, told me in an email:
“Hacking isn’t always about stealing credit cards, but can also be about access to information to provide a competitive edge. We have increasingly seen this behavior in business where hackers steal and sell information to competitors or investors to give them an edge. A baseball team hacking another team is a logical extension of this type of attack, as it is in the end a business as well, with high financial stakes. By accessing information on players, their goal is to give themselves a competitive edge.”
Baseball is all about statistics, more than any other sport. There are pitchers who spend hours studying the tendencies of the hitters they will face in their next outing – which pitches do they swing at, where in the count do you think you can get a player to chase a bad pitch, the percentage of swings and misses on curve balls. Position players do the same type of thing, as do managers and hitting coaches and scouts. In terms of raw information, what the Cardinals executive wanted was the baseball equivalent of a stack of Social Security numbers. That’s reason number one why we should be paying close attention to this story: We can’t predict what a hacker will consider valuable, so we have to protect everything.
Reason number two is even more important within information security. It shows the risks of the insider threat caused by disgruntled employees, and it shows what happens when a person is really lazy about passwords. The central figure here is a man named Jeff Luhnow, who was once with the Cardinals and is now the general manager for the Astros. As Time explained:
“Investigators believe Cardinals employees used a master list of passwords previously employed by Luhnow when he worked for the Cardinals to hack into the system. Ten months of Astros’ internal trade talks were leaked online last year, which sparked the investigation.”
Why do you use the same passwords across organizations? Why was there a master list of passwords? I can’t help but shake my head here over the massive security fails throughout this story, and all without any kind of system in place to better protect that sensitive data.
But in the end, it shows just how easy it is for a security breakdown to occur. Not only is there a need for companies to do a better job with creating security exit interviews – including changing passwords and shutting down network access – but there is also a need for companies to improve security when a new employee comes on board – and in this case, that would include generating fresh passwords that need to be changed frequently.
Yes, for the first time in a long time, a cyberattack has stunned me.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba