[BreachExchange] Cyber Security Attacks Which Could Have Been Prevented

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jun 22 19:51:45 EDT 2016


http://www.tmcnet.com/sectors/security/articles/422388-cyber-security-attacks-which-could-have-been-prevented.htm

In recent years there have been a number of cyber security attacks carried
out on reputable organisations. Each time, millions of customers' personal
details ended up in the wrong hands. These attacks succeeded as a result of
careless data handling by the data controllers themselves.



Cyber Attacks on Reputable Organisations

We can all recall the eBay cyber-attack in March 2014, in which hackers
stole a small number of employee logins. These gave them access to eBay's
corporate network and, through it, to the personal information of 145
million customers: names, dates of birth, home addresses, phone numbers,
email addresses and encrypted passwords.

TalkTalk is another reputable organisation that was recently attacked. A
Distributed Denial of Service (DDoS) attack took a number of TalkTalk's
networks offline as a distraction, while the attackers stole thousands of
customers' details, including bank account numbers and sort codes.

Protecting Important Organisational Data

With such a massive scale of data breaches occurring from time to time we
need to take a look at the various ways we can work to protect
organisational data.

Some of the ways employers can protect organisational data:

- Setting simple access right controls to limit read access across
important network drives
- Setting a 2 step verification process for logging into organisational
networks
- Implementing physical security controls such as CCTV & DDS security
cameras on company premises
- Managing passwords (i.e. set systems to only allow strong passwords;
note that current guidance such as NIST SP 800-63B favours minimum length
and screening against known-breached passwords over mandatory
special-character and number rules)
- Managing the destruction of sensitive company documents (i.e. using a
shredder to destroy documents)
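The second item above, a 2-step verification process, usually means a time-based one-time password (TOTP, RFC 6238) from an authenticator app in addition to the password. The following Go program is an added example written for this page, not code from the article or from TalkTalk or eBay. It implements the RFC 6238 algorithm over HMAC-SHA1 with the standard 30-second step, and verifies a submitted code with a one-step tolerance either side for clock drift using a constant-time comparison. The shared secret in main is the RFC 6238 test-vector secret, used here only so the output can be checked against the RFC; a real enrolment generates a random secret per user.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// TOTPStep is the RFC 6238 default time step.
const TOTPStep = 30 * time.Second

// hotp computes an RFC 4226 HOTP value for a counter using HMAC-SHA1.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low 4 bits of the last byte select a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// TOTP returns the code for a Unix timestamp using the 30-second step.
func TOTP(secret []byte, unix int64, digits int) string {
	return hotp(secret, uint64(unix/int64(TOTPStep/time.Second)), digits)
}

// VerifyTOTP accepts a submitted code for the current step or one step either
// side (clock drift). The comparison is constant-time, and a code of the wrong
// length never matches.
func VerifyTOTP(secret []byte, submitted string, now int64, digits int) bool {
	ok := false
	for skew := int64(-1); skew <= 1; skew++ {
		expected := TOTP(secret, now+skew*int64(TOTPStep/time.Second), digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	// RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); a real
	// deployment stores a random per-user secret, never this value.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := TOTP(secret, now, 6)
	fmt.Println("current code:", code, "verifies:", VerifyTOTP(secret, code, now, 6))
	// Known vector: at Unix time 59 the 8-digit code is 94287082.
	fmt.Println("vector check:", TOTP(secret, 59, 8))
}
```

A production verifier must additionally record the last counter value accepted for each user and refuse any code at or below it, so that a code captured by a phishing page cannot be replayed within the drift window.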

PCI Data Encryption

The Payment Card Industry Data Security Standard (PCI DSS) was first
published in 2004. In 2006 American Express, JCB International, Discover
Financial Services, Visa Inc. and MasterCard Worldwide formed the Payment
Card Industry Security Standards Council to maintain it, aligning the
technical requirements of each brand's data security and compliance
programme. Those requirements include implementing strong access control
measures and regularly monitoring and testing networks.

TalkTalk admitted that they did not encrypt consumer data such as credit
card details and telephone numbers. When interviewed about this, TalkTalk's
CEO Dido Harding said: ‘it was not encrypted, nor are you legally required
to encrypt it’.

Whilst this statement is true, more could have been done to avoid this
attack. They should have tested their systems regularly and monitored them
more closely. At least some of their customers' financial data should also
have been encrypted, which would have limited the effect of such a breach.
As a direct lender that handles personal customer data, we are required by
law to encrypt some of the data we handle. We follow the Payment Card
Industry Data Security Standard and regularly test our networks to ensure
we meet all compliance requirements.
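What "encrypting at least some of the financial data" looks like in practice is field-level encryption of the card number (PAN), which PCI DSS requires to be rendered unreadable wherever it is stored. The Go program below is an added example for this page, not code from the article or from any lender's systems. It encrypts a PAN with AES-256-GCM, binds the ciphertext to the owning record ID as additional authenticated data so a ciphertext copied onto another customer's row cannot be decrypted, and keeps only the last four digits in clear for display. The record ID, the sample PAN (a well-known test number, not a real card) and the in-memory key are constructed for the example; a real deployment keeps the key in an HSM or key management service, separate from the database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// EncryptedPAN is what a database row holds: GCM ciphertext (tag included),
// the random nonce, and the last four digits kept in clear for display.
type EncryptedPAN struct {
	Nonce      []byte
	Ciphertext []byte
	Last4      string
}

// newGCM wraps a 32-byte key as AES-256-GCM.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN validates and encrypts a card number. recordID is authenticated
// (not encrypted) so the ciphertext only decrypts for the row it was made for.
func EncryptPAN(key []byte, recordID, pan string) (EncryptedPAN, error) {
	digits := strings.ReplaceAll(pan, " ", "")
	if len(digits) < 13 || len(digits) > 19 {
		return EncryptedPAN{}, errors.New("PAN length out of range")
	}
	for _, c := range digits {
		if c < '0' || c > '9' {
			return EncryptedPAN{}, errors.New("PAN must be numeric")
		}
	}
	aead, err := newGCM(key)
	if err != nil {
		return EncryptedPAN{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per encryption
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return EncryptedPAN{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(digits), []byte(recordID))
	return EncryptedPAN{Nonce: nonce, Ciphertext: ct, Last4: digits[len(digits)-4:]}, nil
}

// DecryptPAN reverses EncryptPAN; it fails if the record ID, nonce, ciphertext
// or tag does not match what was sealed.
func DecryptPAN(key []byte, recordID string, e EncryptedPAN) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, e.Nonce, e.Ciphertext, []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Masked renders the stored value for screens and logs without decrypting.
func (e EncryptedPAN) Masked() string {
	return "**** **** **** " + e.Last4
}

func main() {
	// Stand-in key generated in memory for the example only.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample: a standard test card number and a made-up record ID.
	rec, err := EncryptPAN(key, "customer-1001", "4111 1111 1111 1111")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored for display:", rec.Masked())
	pan, err := DecryptPAN(key, "customer-1001", rec)
	fmt.Println("decrypted for the owning record:", pan, err)
	_, err = DecryptPAN(key, "customer-2002", rec)
	fmt.Println("decrypt under another record ID rejected:", err != nil)
}
```

Encrypting the field does not remove the need for the monitoring and testing the article calls for: anyone who can read the key, or call the decrypt path as the application does, still sees the PAN, so key access and decryption should be logged and alerted on.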

Limiting our Social Media Transparency

Nowadays we are so transparent on social media that we even list our
employment information for all to see. All too often, attackers use the
information displayed on social media profiles to impersonate work
colleagues.

We need to ask ourselves the following questions:

- Is it really necessary to list all your projects, your job title and the
company you work for on your Facebook profile?
- Can your full date of birth be found on social media? It could be worth
showing only the day and month.
- Is your Facebook profile set to public? It could be worth setting it to
private.

It’s really worth thinking about the kind of information we put out there
for everyone to see.

Conclusion

It is fair to say that not all security systems are perfect and attacks of
this nature do happen to even the most careful.

Each of these cyber-attacks has taught us a valuable lesson: consumer data,
in whatever form, needs to be protected in a way that reduces the chances
of a security breach.

Cyber criminals are developing increasingly sophisticated tactics to
infiltrate corporate networks. Organisations need to apply encryption to
sensitive data and stop these data leaks before they start.

Let’s work tirelessly to build effective and secure systems so that these
cyber-attacks can one day be a thing of the past.