October 24, 2013 By Jason Kravitz 4 min read

In an effort to get things done, we often kick healthy security hygiene to the curb in exchange for expediency and convenience. We convince ourselves that we’ll make this one exception and over time, that becomes the default mode of operation.

There are a lot of excuses…

  • I don’t have anything important on my computer
  • I don’t use my email for anything serious
  • It’s a pain to type a password on my phone
  • This is just a temporary marketing survey that will only be online one week
  • There isn’t any proprietary information on that area of the website
  • I only reuse that password on sites I don’t care about

Yet more often than not, those temporary pages, non-critical PCs and unlocked phones outlive their original purpose and evolve into something more business critical. Not surprisingly, these become the weak link that results in data breaches, identity theft, and financial loss.

In the X-Force 2013 Mid-Year Trend and Risk Report, we have reported on many high profile data breaches, industries affected, and trends regarding attack methods. One constant that we can take away year after year is that many of these breaches could have been avoided by applying a security mindset over one of convenience.

The following are some stories from the trenches. We’ll look at the events behind several breaches and how they could have been avoided.

Major Problems with Micro-sites

Corporate websites are often set up and secured with great care; however, the demand for new functions or quick temporary pages often bypasses those controls in order to get something online.

When the marketing department wants to run a promotional contest and needs a web form to gather names and other personal information, the easiest solution is often to use an existing Content Management System (CMS) or web form system. While CMS vendors have been doing a good job of patching vulnerabilities in their products, there is a vast ecosystem of plug-ins and other potentially vulnerable products floating around, which are lucrative targets for attackers looking for low-hanging fruit.

Recently, a marketing department at the Asian branch of a major US entertainment company was exposed by this exact scenario. A contest site was set up and, given the reach of the brand, half a million people entered their personal information in the hope of winning. After the contest ended, the database of users was never removed and the page remained online. Using a SQL injection vulnerability, attackers were able to dump all the private user data to a public site.

These types of micro-sites serve a purpose, but should be audited using the same security conventions as the main site. It’s also a good idea to remove public facing databases with customer information once they have exceeded their purpose.
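To make the two controls above concrete, here is an added example (not code from the original post or from the company involved) that models a contest entry form backed by SQLite: a lookup that splices input into the SQL text beside its parameterized replacement, and a retention check that drops the entrant table once the contest end date has passed. The table layout and sample entries are constructed for the illustration.

```python
import sqlite3

# Constructed sample contest entries; not data from the incident.
SAMPLE_ENTRIES = [
    ("alice", "alice@example.com", "1980-01-01"),
    ("bob", "bob@example.com", "1975-06-30"),
]


def build_db():
    """Create an in-memory contest database holding the sample entries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entries (name TEXT, email TEXT, dob TEXT)")
    conn.executemany("INSERT INTO entries VALUES (?, ?, ?)", SAMPLE_ENTRIES)
    return conn


def lookup_vulnerable(conn, name):
    """Weak pattern: the submitted name is pasted into the SQL text, so a
    quote character in the input changes the query itself."""
    sql = f"SELECT name, email, dob FROM entries WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened pattern: a bound parameter is always treated as data, so
    the input can only ever match a row whose name equals that string."""
    sql = "SELECT name, email, dob FROM entries WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def purge_if_contest_over(conn, contest_end, today):
    """Retention control: after the contest ends, drop the entrant table so
    a later web flaw has nothing left to expose. Dates are ISO strings
    (YYYY-MM-DD), which compare chronologically as plain text.
    Returns True when the data was removed."""
    if today <= contest_end:
        return False
    conn.execute("DROP TABLE IF EXISTS entries")
    conn.commit()
    return True


def entries_present(conn):
    """Report whether the entrant table still exists in the database."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='entries'"
    ).fetchone()
    return row[0] == 1
```

Run `lookup_vulnerable` and `lookup_safe` with the same quote-bearing input to see that only the parameterized version keeps it as a literal name.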

Private Data on Display

Not every data breach is the result of malicious attackers hell-bent on crime and chaos. In some cases data loss is the result of misconfigurations and human error.

Spreadsheets and data files which contain sensitive information all too commonly find their way onto public facing websites and are then unknowingly indexed by search engines. Such was the case with two different US based universities.

In one, improper security settings during a server migration led to 47,000 records being publicly indexed and viewable for nearly two weeks. At another university, personal information such as Social Security Number, date of birth and contact info was publicly available over a period of 3+ years due to a similar type of file misconfiguration.

In these cases, technology such as Data Loss Prevention (DLP) could be effective in auditing and minimizing this type of risk. More importantly, it is the responsibility of anyone handling sensitive data to ensure that they are doing so responsibly. Employees should use disk encryption and strong identity authentication to ensure that sensitive data stays private.

Convenience on the Payroll Leads to Cyberheist

In another unfortunate security incident, a small family-owned fuel distribution company was robbed of nearly one million dollars out of its payroll fund before being alerted of the charges. The crooks were a highly organized crew out of Eastern Europe who coordinated a sophisticated scheme involving more than 60 “money mules” who unknowingly were laundering the stolen funds.

One of the weak links in this case was the bank that handled the payroll. The bank had a secure system in place which required a form of multi-factor authentication before funds could be transferred. A month before the theft, in an effort to make the process more convenient, the bank changed some of those controls, which essentially allowed anyone with a login to make a transfer from any end system. While the bank was not solely responsible, this small change in policy made it much easier for the attackers to gain access.

Banking access, particularly for something as critical as the company payroll, is one area where security should be the primary concern. Having some type of secondary authentication and notification like a call back, text message, or other similar controls before transferring funds can be a critical defense against theft.

Security is a Mindset, Not an Exception

While there are many occurrences of technically and operationally sophisticated attacks going on every day, many data breaches can still be prevented by simply adopting a security mindset.

There are times when convenience can reasonably win out over added complexity, and others, such as whenever customer data and personally identifiable information are involved, that require mindful consideration of how that data is protected.
