In an effort to get things done, we often kick healthy security hygiene to the curb in exchange for expediency and convenience. We convince ourselves that we’ll make this one exception, and over time that becomes the default mode of operation.
There are a lot of excuses…
- I don’t have anything important on my computer
- I don’t use my email for anything serious
- It’s a pain to type a password on my phone
- This is just a temporary marketing survey that will only be online one week
- There isn’t any proprietary information on that area of the website
- I only reuse that password on sites I don’t care about
Yet more often than not, those temporary pages, non-critical PCs and unlocked phones transcend their original purpose and evolve into something more business critical. Not surprisingly, these become the weak link that results in data breaches, identity theft, and financial loss.
In the X-Force 2013 Mid-Year Trend and Risk Report, we have reported on many high-profile data breaches, industries affected, and trends regarding attack methods. One constant that we can take away year after year is that many of these breaches could have been avoided by applying a security mindset over one of convenience.
The following are some stories from the trenches. We’ll look at the events behind several breaches and how they could have been avoided.
Major Problems with Micro-sites
Corporate websites are often set up and secured with great care; however, the demand for new functions or quick temporary pages often bypasses those controls to get something online.
When the marketing department wants to run a promotional contest and needs a web form to gather names and other personal information, the easiest solution is often to use an existing Content Management System (CMS) or web form system. While CMS vendors have been doing a good job of patching vulnerabilities in their products, there is a vast ecosystem of plug-ins and other potentially vulnerable products floating around, which are lucrative targets for attackers looking for low-hanging fruit.
Recently, a marketing department at the Asian branch of a major US entertainment company was exposed by this exact scenario. A contest site was set up, and given the reach of the brand, half a million people entered their personal information with the hopes of winning. After the contest ended, the database of users was never removed and the page remained online. Using a SQL Injection vulnerability, attackers were able to dump all the private user data to a public site.
These types of micro-sites serve a purpose, but should be audited using the same security conventions as the main site. It’s also a good idea to remove public-facing databases with customer information once they have outlived their purpose.
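The two recommendations above can be shown on a small contest-entry database. This is an added example, not code from the original article or from the affected site; the table layout, function names and sample entries are constructed for illustration. It sets a lookup that concatenates user input into SQL beside the parameterized form, and adds a purge step for contests that have ended.

```python
import sqlite3
from datetime import date


def open_contest_db():
    """In-memory stand-in for a micro-site database, filled with constructed entries."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE entries (email TEXT, name TEXT, contest_end TEXT)")
    db.executemany("INSERT INTO entries VALUES (?, ?, ?)", [
        ("a@example.com", "Entrant A", "2013-06-30"),
        ("b@example.com", "Entrant B", "2013-06-30"),
        ("c@example.com", "Entrant C", "2099-12-31"),
    ])
    return db


def lookup_vulnerable(db, email):
    # Weak form: the form field is concatenated into the SQL text, so a quote
    # character in the input changes the structure of the query.
    query = "SELECT name FROM entries WHERE email = '" + email + "'"
    return db.execute(query).fetchall()


def lookup_hardened(db, email):
    # Hardened form: the value is bound as a parameter and is never parsed as SQL.
    return db.execute("SELECT name FROM entries WHERE email = ?", (email,)).fetchall()


def purge_finished_contests(db, today):
    """Delete entries whose contest has ended; return the number of rows removed."""
    cur = db.execute("DELETE FROM entries WHERE contest_end < ?", (today.isoformat(),))
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_contest_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote character
    print("concatenated query rows:", len(lookup_vulnerable(db, crafted)))
    print("parameterized query rows:", len(lookup_hardened(db, crafted)))
    print("rows purged:", purge_finished_contests(db, date(2013, 9, 1)))
```

Running the purge on a schedule means a forgotten micro-site holds no entrant data even if a flaw in one of its plug-ins is found later.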
Private Data on Display
Not every data breach is the result of malicious attackers hell-bent on crime and chaos. In some cases data loss is the result of misconfigurations and human error.
Spreadsheets and data files which contain sensitive information all too commonly find their way onto public-facing websites and are then unknowingly indexed by search engines. Such was the case with two different US-based universities.
In one, improper security settings during a server migration led to 47,000 records being publicly indexed and viewable for nearly two weeks. At another university, personal information such as Social Security Number, date of birth and contact info was publicly available over a period of 3+ years due to a similar type of file misconfiguration.
In these cases, technology such as Data Loss Prevention (DLP) could be effective in auditing and minimizing this type of risk. More importantly, it is the responsibility of anyone handling sensitive data to ensure that they are doing so responsibly. Employees should use disk encryption and strong identity authentication to ensure that sensitive data stays private.
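A small audit in the spirit of the DLP recommendation above: walk a web root and flag data files that contain values shaped like Social Security Numbers. This is an added example, not code from the original article or from any DLP product; the extension list, directory names and sample records are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# SSN-shaped values (NNN-NN-NNNN), excluding ranges the SSA never issues.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# File types that commonly hold exported records (assumption for this example).
DATA_EXTENSIONS = {".csv", ".txt", ".tsv", ".json", ".xml"}


def scan_web_root(root):
    """Return {relative_path: hit_count} for data files under root with SSN-like values."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in DATA_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = sum(len(SSN_RE.findall(line)) for line in fh)
            except OSError:
                continue  # unreadable file: skip it rather than abort the audit
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_sample_root():
    """Create a constructed web root: one leftover export and one harmless page."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "migration_backup"))
    with open(os.path.join(root, "migration_backup", "students.csv"), "w") as fh:
        fh.write("name,ssn,dob\n")
        fh.write("Jane Example,123-45-6789,1990-01-01\n")  # constructed record
        fh.write("John Example,234-56-7890,1988-05-17\n")  # constructed record
    with open(os.path.join(root, "index.txt"), "w") as fh:
        fh.write("Call 555-01-0000 ext 12 for admissions.\n")  # not SSN-shaped
    return root


if __name__ == "__main__":
    for path, count in scan_web_root(build_sample_root()).items():
        print(f"{path}: {count} SSN-like value(s)")
```

Run against the real document root after any server migration, a check like this surfaces leftover exports before a search engine indexes them.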
Convenience on the Payroll Leads to Cyberheist
In another unfortunate security incident, a small family-owned fuel distribution company was robbed of nearly one million dollars out of its payroll fund before being alerted to the charges. The crooks were a highly organized crew out of Eastern Europe who coordinated a sophisticated scheme involving more than 60 “money mules” who were unknowingly laundering the stolen funds.
One of the weak links in this case was the bank that handled the payroll. The bank had a secure system in place which required a form of multi-factor authentication before funds could be transferred. A month before the theft, in an effort to make the process more convenient, the bank changed some of those controls, which essentially allowed anyone with a login to make a transfer from any end system. While the bank was not solely responsible, this small change in policy made it much easier for the attackers to gain access.
Banking access, particularly for something as critical as the company payroll, is one area where security should be the primary concern. Having some type of secondary authentication and notification, like a callback, text message, or other similar control, before transferring funds can be a critical defense against theft.
Security is a Mindset, Not an Exception
While there are many occurrences of technically and operationally sophisticated attacks going on every day, many data breaches can still be prevented by simply adopting a security mindset.
There are times when convenience trumps complexity, and others, such as when dealing with customer data and personally identifiable information, that require mindful consideration of how that data is protected.
Techline Specialist, IBM Security