October 24, 2013 By Jason Kravitz 4 min read

In an effort to get things done, we often kick healthy security hygiene to the curb in exchange for expediency and convenience. We convince ourselves that we’ll make this one exception and over time, that becomes the default mode of operation.

There are a lot of excuses…

  • I don’t have anything important on my computer
  • I don’t use my email for anything serious
  • It’s a pain to type a password on my phone
  • This is just a temporary marketing survey that will only be online one week
  • There isn’t any proprietary information on that area of the website
  • I only reuse that password on sites I don’t care about

Yet more often than not, those temporary pages, non-critical PCs and unlocked phones transcend their original purpose and evolve into something more business critical. Not surprisingly, these become the weak link that results in data breaches, identity theft, and financial loss.

In the X-Force 2013 Mid-Year Trend and Risk Report, we have reported on many high profile data breaches, industries affected, and trends regarding attack methods. One constant that we can take away year after year is that many of these breaches could have been avoided by applying a security mindset over one of convenience.

The following are some stories from the trenches. We’ll look at the events behind several breaches and how they could have been avoided.

Major Problems with Micro-sites

Corporate websites are often set up and secured with great care; however, the demand for new functions or quick temporary pages often bypasses those controls in the rush to get something online.

When the marketing department wants to run a promotional contest and needs a web form to gather names and other personal information, the easiest solution is often to use an existing Content Management System (CMS) or web form system. While CMS vendors have been doing a good job of patching vulnerabilities in their products, there is a vast ecosystem of plug-ins and other potentially vulnerable products floating around, which are lucrative targets for attackers looking for low-hanging fruit.

Recently, a marketing department at the Asian branch of a major US entertainment company was exposed by this exact scenario. A contest site was set up and, given the reach of the brand, half a million people entered their personal information in the hope of winning. After the contest ended, the database of users was never removed and the page remained online. Using a SQL injection vulnerability, attackers were able to dump all the private user data to a public site.

These types of micro-sites serve a purpose, but should be audited using the same security conventions as the main site. It’s also a good idea to remove public facing databases with customer information once they have exceeded their purpose.

Private Data on Display

Not every data breach is the result of malicious attackers hell-bent on crime and chaos. In some cases data loss is the result of misconfigurations and human error.

Spreadsheets and data files which contain sensitive information all too commonly find their way onto public-facing websites and are then unknowingly indexed by search engines. Such was the case with two different US-based universities.

In one, improper security settings during a server migration led to 47,000 records being publicly indexed and viewable for nearly two weeks. At another university, personal information such as Social Security Number, date of birth and contact info was publicly available over a period of 3+ years due to a similar type of file misconfiguration.

In these cases, technology such as Data Loss Prevention (DLP) could be effective in auditing and minimizing this type of risk. More importantly, it is the responsibility of anyone handling sensitive data to ensure that they are doing so responsibly. Employees should use disk encryption and strong identity authentication to ensure that sensitive data stays private.
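As an added illustration of the DLP-style audit suggested above (example code, not from the original article), this Python script walks a web-served directory looking for spreadsheet and data files and flags Social Security number and date-of-birth patterns before a search engine can index them. The directory layout, records and patterns are constructed assumptions for the demonstration.

```python
# Minimal DLP-style audit: flag data files in a public web root that contain
# PII patterns (SSN, date of birth) before a search engine indexes them.
# Constructed example: paths and records below are made up for the demo.
import re
import tempfile
from pathlib import Path

# File types that commonly leak as "spreadsheets and data files".
DATA_SUFFIXES = {".csv", ".tsv", ".txt", ".json", ".xls", ".xlsx"}
BINARY_SHEETS = {".xls", ".xlsx"}  # need a real parser; flagged by extension

# Patterns for the fields named in the university cases. The SSN check rejects
# invalid area/group/serial values (000, 666, 9xx, 00, 0000) to cut false hits.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}


def scan_text(text: str) -> dict[str, int]:
    """Count each PII pattern in the text; patterns with no hits are omitted."""
    hits = {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}
    return {k: v for k, v in hits.items() if v}


def scan_web_root(root: Path) -> list[tuple[str, dict[str, int]]]:
    """Walk a served directory and report data files with PII hits."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in DATA_SUFFIXES:
            continue
        if path.suffix.lower() in BINARY_SHEETS:
            hits = {"binary_spreadsheet": 1}
        else:
            hits = scan_text(path.read_text(errors="ignore"))
        if hits:
            findings.append((str(path.relative_to(root)), hits))
    return findings


def demo() -> list[tuple[str, dict[str, int]]]:
    """Build a constructed web root with one leaky export and one clean page."""
    root = Path(tempfile.mkdtemp())
    (root / "uploads").mkdir()
    (root / "uploads" / "students_export.csv").write_text(
        "name,ssn,dob\nA. Student,123-45-6789,07/04/1991\n"
        "B. Student,234-56-7890,12/25/1988\n"
    )
    (root / "index.txt").write_text("Department site. Call 555-0100.\n")
    return scan_web_root(root)
```

Running such a scan as a scheduled job against the document root, and on every server migration, catches the misconfiguration cases described above before a crawler does.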

Convenience on the Payroll Leads to Cyberheist

In another unfortunate security incident, a small family-owned fuel distribution company was robbed of nearly one million dollars out of its payroll fund before being alerted of the charges. The crooks were a highly organized crew out of Eastern Europe who coordinated a sophisticated scheme involving more than 60 “money mules” who unknowingly were laundering the stolen funds.

One of the weak links in this case was the bank who handled the payroll. The bank had a secure system in place which required a form of multi-factor authentication before funds could be transferred. A month before the theft, in an effort to make the process more convenient, the bank changed some of those controls which essentially allowed anyone with a login to make a transfer from any end system. While the bank was not solely responsible, this small change in policy made it much easier for the attackers to gain access.

Banking access, particularly for something as critical as the company payroll, is one area where security should be the primary concern. Having some type of secondary authentication and notification like a call back, text message, or other similar controls before transferring funds can be a critical defense against theft.

Security is a Mindset, Not an Exception

While there are many occurrences of technically and operationally sophisticated attacks going on every day, many data breaches can still be prevented by simply adopting a security mindset.

There are times when convenience trumps complexity and others when dealing with customer data and personally identifiable information requires mindful consideration about how that data is protected.
