October 24, 2013 By Jason Kravitz 4 min read

In an effort to get things done, we often kick healthy security hygiene to the curb in exchange for expediency and convenience. We convince ourselves that we’ll make this one exception and over time, that becomes the default mode of operation.

There are a lot of excuses…

  • I don’t have anything important on my computer
  • I don’t use my email for anything serious
  • It’s a pain to type a password on my phone
  • This is just a temporary marketing survey that will only be online one week
  • There isn’t any proprietary information on that area of the website
  • I only reuse that password on sites I don’t care about

Yet more often than not, those temporary pages, non-critical PC’s and unlocked phones transcend their original purpose and evolve into something more business critical. Not surprisingly, these become the weak link that results in data breaches, identity theft, and financial loss.

In the X-Force 2013 Mid-Year Trend and Risk Report, we have reported on many high profile data breaches, industries affected, and trends regarding attack methods. One constant that we can take away year after year is that many of these breaches could have been avoided by applying a security mindset over one of convenience.

The following are some stories from the trenches. We’ll look at the events behind several breaches and how they could have been avoided.

Major Problems with Micro-sites

Corporate websites are often setup and secured with great care, however the demand for new functions or quick temporary pages, often bypass those controls to get something online.

When the marketing department wants to run a promotional contest and needs a web form to gather names and other personal information, the easiest solution is to often use an existing Content Management System (CMS) or web form system. While CMS vendors have been doing a good job at patching vulnerabilities in their products, there is a vast eco-system of plug-ins and other potentially vulnerable products floating around which are lucrative targets for attackers looking for low hanging fruit.

Recently, a marketing department at the Asian branch of a major US entertainment company was exposed by this exact scenario. A contest site was setup, and given the expanse of the brand, a half a million people entered their personal information with the hopes of winning. After the contest ended, the database of users was never removed and the page remained online. Using a SQL Injection vulnerability, attackers were able to dump all the private user data to a public site.

These types of micro-sites serve a purpose, but should be audited using the same security conventions as the main site. It’s also a good idea to remove public facing databases with customer information once they have exceeded their purpose.

Private Data on Display

Not every data breach is a result of malicious attacker’s hell bent on crime and chaos. In some cases data loss is the result of misconfigurations and human error.

Spreadsheets and data files which contain sensitive information all too commonly find their way onto public facing websites and are then unknowingly indexed by search engines. Such was the case with two different US based universities.

In one, improper security settings during a server migration led to 47,000 records being publicly indexed and viewable for nearly two weeks. At another university, personal information such as Social Security Number, date of birth and contact info was publicly available over a period of 3+ years due to a similar type of file misconfiguration.

In these cases, technology such as Data Loss Prevention (DLP) could be effective in auditing and minimizing this type of risk. More importantly, it is the responsibility of anyone handling sensitive data to ensure that they are doing so responsibly. Employees should use disk encryption and strong identity authentication to ensure that sensitive data stays private.

Convenience on the Payroll Leads to Cyberheist

In another unfortunate security incident, a small family-owned fuel distribution company was robbed of nearly one million dollars out of its payroll fund before being alerted of the charges. The crooks were a highly organized crew out of Eastern Europe who coordinated a sophisticated scheme involving more than 60 “money mules” who unknowingly were laundering the stolen funds.

One of the weak links in this case was the bank who handled the payroll. The bank had a secure system in place which required a form of multi-factor authentication before funds could be transferred. A month before the theft, in an effort to make the process more convenient, the bank changed some of those controls which essentially allowed anyone with a login to make a transfer from any end system. While the bank was not solely responsible, this small change in policy made it much easier for the attackers to gain access.

Banking access, particularly for something as critical as the company payroll, is one area where security should be the primary concern. Having some type of secondary authentication and notification like a call back, text message, or other similar controls before transferring funds can be a critical defense against theft.

Security is a Mindset, Not an Exception

While there are many occurrences of technically and operationally sophisticated attacks going on every day, many data breaches can still be prevented by simply adopting a security mindset.

There are times when convenience trumps complexity and others when dealing with customer data and personally identifiable information requires mindful consideration about how that data is protected.

More from Data Protection

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today