In an effort to get things done, we often kick healthy security hygiene to the curb in exchange for expediency and convenience. We convince ourselves that we’ll make this one exception and over time, that becomes the default mode of operation.

There are a lot of excuses…

  • I don’t have anything important on my computer
  • I don’t use my email for anything serious
  • It’s a pain to type a password on my phone
  • This is just a temporary marketing survey that will only be online one week
  • There isn’t any proprietary information on that area of the website
  • I only reuse that password on sites I don’t care about

Yet more often than not, those temporary pages, non-critical PC’s and unlocked phones transcend their original purpose and evolve into something more business critical. Not surprisingly, these become the weak link that results in data breaches, identity theft, and financial loss.

In the X-Force 2013 Mid-Year Trend and Risk Report, we have reported on many high profile data breaches, industries affected, and trends regarding attack methods. One constant that we can take away year after year is that many of these breaches could have been avoided by applying a security mindset over one of convenience.

The following are some stories from the trenches. We’ll look at the events behind several breaches and how they could have been avoided.

Major Problems with Micro-sites

Corporate websites are often setup and secured with great care, however the demand for new functions or quick temporary pages, often bypass those controls to get something online.

When the marketing department wants to run a promotional contest and needs a web form to gather names and other personal information, the easiest solution is to often use an existing Content Management System (CMS) or web form system. While CMS vendors have been doing a good job at patching vulnerabilities in their products, there is a vast eco-system of plug-ins and other potentially vulnerable products floating around which are lucrative targets for attackers looking for low hanging fruit.

Recently, a marketing department at the Asian branch of a major US entertainment company was exposed by this exact scenario. A contest site was setup, and given the expanse of the brand, a half a million people entered their personal information with the hopes of winning. After the contest ended, the database of users was never removed and the page remained online. Using a SQL Injection vulnerability, attackers were able to dump all the private user data to a public site.

These types of micro-sites serve a purpose, but should be audited using the same security conventions as the main site. It’s also a good idea to remove public facing databases with customer information once they have exceeded their purpose.

Private Data on Display

Not every data breach is a result of malicious attacker’s hell bent on crime and chaos. In some cases data loss is the result of misconfigurations and human error.

Spreadsheets and data files which contain sensitive information all too commonly find their way onto public facing websites and are then unknowingly indexed by search engines. Such was the case with two different US based universities.

In one, improper security settings during a server migration led to 47,000 records being publicly indexed and viewable for nearly two weeks. At another university, personal information such as Social Security Number, date of birth and contact info was publicly available over a period of 3+ years due to a similar type of file misconfiguration.

In these cases, technology such as Data Loss Prevention (DLP) could be effective in auditing and minimizing this type of risk. More importantly, it is the responsibility of anyone handling sensitive data to ensure that they are doing so responsibly. Employees should use disk encryption and strong identity authentication to ensure that sensitive data stays private.

Convenience on the Payroll Leads to Cyberheist

In another unfortunate security incident, a small family-owned fuel distribution company was robbed of nearly one million dollars out of its payroll fund before being alerted of the charges. The crooks were a highly organized crew out of Eastern Europe who coordinated a sophisticated scheme involving more than 60 “money mules” who unknowingly were laundering the stolen funds.

One of the weak links in this case was the bank who handled the payroll. The bank had a secure system in place which required a form of multi-factor authentication before funds could be transferred. A month before the theft, in an effort to make the process more convenient, the bank changed some of those controls which essentially allowed anyone with a login to make a transfer from any end system. While the bank was not solely responsible, this small change in policy made it much easier for the attackers to gain access.

Banking access, particularly for something as critical as the company payroll, is one area where security should be the primary concern. Having some type of secondary authentication and notification like a call back, text message, or other similar controls before transferring funds can be a critical defense against theft.

Security is a Mindset, Not an Exception

While there are many occurrences of technically and operationally sophisticated attacks going on every day, many data breaches can still be prevented by simply adopting a security mindset.

There are times when convenience trumps complexity and others when dealing with customer data and personally identifiable information requires mindful consideration about how that data is protected.

More from Data Protection

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Resilient Companies Have a Disaster Recovery Plan

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly. Unfortunately, many companies have adopted newer technology delivery models without DR in mind, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS)…

Millions Lost in Minutes — Mitigating Public-Facing Attacks

In recent years, many high-profile companies have suffered destructive cybersecurity breaches. These public-facing assaults cost organizations millions of dollars in minutes, from stock prices to media partnerships. Fast Company, Rockstar, Uber, Apple and more have all been victims of these costly and embarrassing attacks. The total average cost of a data breach has increased by 2.6% since 2021 and is now $4.35 million. Organizations that don't deploy zero trust security models also incur an average of $1 million more in…

How the Mac OS X Trojan Flashback Changed Cybersecurity

Not so long ago, the Mac was thought to be impervious to viruses. In fact, Apple once stated on its website that "it doesn't get PC viruses". But that was before the Mac OS X Trojan Flashback malware appeared in 2012. Since then, Mac and iPhone security issues have changed dramatically — and so has the security of the entire world. In this post, we'll revisit how the Flashback incident unfolded and how it changed the security landscape forever. What…