Article posted: Jan 09, 2018
By Joakim Thorén, CEO
It's a new year and corporations - and their shareholders -- are hoping for fewer corporate data breaches. They want to forget about 2017, which saw record breaches, many preventable. In this blog, we identify four security lessons learned from 2017's high-profile security breaches every IT manager should consider, to prevent similar breaches in 2018:
1.) Apply Security Patches: More than 143 million sensitive records were exposed in the famous Equifax breach. As a result, both Equifax's CEO and CTO "retired" prematurely. Equifax blamed open-source software for its debilitating security breach. Some industry experts argued that Equifax shouldn't have relied upon open source software to protect American's names, social security numbers, birthdates and home addresses. Others believe that if Equifax had applied the recommended security patches, the breach wouldn't have occurred.
The fact is that a new and formidable Struts security problem was uncovered on September 5, and Apache sent a patch immediately. That seemingly should have taken care of the issue as zero-day exploits aren't that common. The problem with this logic is that the Equifax breach occurred in the July-August timeframe making it more likely another Apache security patch issued in March was never installed. This is truly unacceptable. According to security expert SwiftOnSecurity, "Pretty much 99.99 percent of computer security incidents are oversights of solved problems."
When open source software creators provide security updates, it's up to the user company to install it and ensure there are no complications or breaches. It's that simple.
Analyst firm Voke Media surveyed 318 firms as part of its security-automation survey and uncovered that "approximately 80 percent of companies that had either a breach or a failed audit could have prevented the issue with a software patch or a configuration change." Even more troubling was that 46 percent of companies waited 10 days to remediate vulnerabilities and apply patches. Those patches or configuration-change backlogs are crucial to preventing data breaches. But in reality, companies like Equifax often do not quickly act to fix routine software security bugs.
2.) Carefully monitor third-party contractor access to sensitive data: A third-party contractor was responsible for another famous 2017 breach - this one at Anthem. In this case, the contractor was charged with emailing a document containing more than 18,500 Anthem members' information to his personal email address. This information included Medicare ID numbers containing social security numbers, Health Plan ID numbers, as well as Medicare contract numbers and enrollment dates. What may be surprising is that the breach is Anthem's second in as many years. The company already has agreed to pay $115 million to settle a class-action lawsuit for its 2015 data breach, resulting in the personal information theft of 80 million members and employees. But one nagging question remains: Why the employee was able to email these sensitive documents to his email?
3.) Make sure all security protocols are known, performed daily and enforced by IT: Deep Root Analytics, a company contracted by the Republican National Committee (RNC) to collect voter data information and insights, stored details of about 61 percent of the US population on an Amazon cloud server without even basic password protection -- for two weeks. Multiple parties accessed and stole the data. The leak was discovered by Chris Vickery at UpGuard and reflects a frightening trend of leaving sensitive data unprotected. As with most breaches, this one began because an employee did not follow a security protocol. Unfortunately, this common mistake is easy to make but difficult to track, especially for businesses that employ third-party contractors to conduct work for them.
4.) Weak passwords should be eliminated from organization's security toolbox: In another high-profile breach, it appears hackers took down the British Parliament's email system by identifying and accessing accounts with weak passwords. The Telegraph reported nearly 9,000 emails on Parliament's server were attacked and brought down for nearly 12 hours on Friday, June 23. Many members of Parliament took to Twitter to inform constituents that their emails and any constituent email correspondence may have been breached. There's a lesson here. The British government must rethink its password protection strategy and adopt better ways to access sensitive data. It's likely that a strong password would not deter a hacker from accessing a system. In actuality, password strength is essentially irrelevant; passwords must withstand an automated dictionary attack long enough for the attack to be detected, something that's not usually possible. Even unsophisticated hackers can accomplish dictionary attacks.
These four high-profile preventable breaches are lessons all IT departments should learn to protect their organization. . In addition to applying security patches, monitoring third-party contractor access, enforcing security protocols and eliminating passwords for data protection, two-factor identification can greatly aid in boosting security. To learn more about how Versasec can help your organization manage two-factor identification solutions, visit https://versasec.com/vsec-cms.php.