The Common Causes of a Breach

Typically a breach can be traced to one of three root causes: inadequate security training for employees, poorly written or unpatched software, or a lack of controls over third-party access.  The majority of breaches are due to poor employee security training.  A single user can circumvent the best security solutions an organization can afford.

1.  Employee Security Awareness Training

Employees who use weak passwords, reuse passwords, open unsafe emails, browse to inappropriate sites or share too much information publicly can all create a problem for an organization.  Most people think of social engineering as email phishing campaigns.  Social engineering has many forms; I am going to focus on only two of them: harvesting personal information that is publicly available, and one-on-one personal encounters.

If an attacker wants to target your organization, they can use LinkedIn and other social media sites to determine the typical skill sets of its employees and, from those, the types of systems the organization uses.  They can also use social media to single out employees who can provide more detailed information about the organization: by reading a targeted employee's profiles they learn that person's interests and the other organizations they belong to, and then plan a "chance" meeting.  Next they build a relationship and, over casual conversation, harvest information that can be used to exploit vulnerabilities in the organization's systems.  These attackers are skilled con artists; be wary of casual encounters.

2.  Poorly Written and Unpatched Software

This has been a topic in previous newsletters, but some of the latest breaches and issues bring it to the forefront again.  The latest big vulnerability, Shellshock (CVE-2014-6271), is in Bash (the Bourne-again shell), the default shell on most Linux and Unix systems and on Apple's OS X.  Bash would import a function definition from any environment variable it was started with, and then execute whatever commands followed the definition.  Any network service that copies attacker-controlled input into an environment variable before starting Bash, most commonly a web server running CGI scripts, can therefore be made to run the attacker's commands remotely with the privileges of that service.
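The check below is an added example, not code from the newsletter: it runs the classic Shellshock probe against the local bash. The variable name is a parameter so the same function shows the remote vector: a CGI gateway copies the client's User-Agent header into the HTTP_USER_AGENT environment variable before running the script, so the attacker controls exactly the kind of variable the probe sets. The marker string and the "handler-ran" output are placeholders chosen for this example.

```shell
#!/bin/sh
# Probe the local bash for the original Shellshock bug (CVE-2014-6271).
# A vulnerable bash parses the exported variable as a function definition
# and then executes the commands that follow the closing brace, so the
# marker string appears in the output. A patched bash refuses the trailing
# commands (and, since the follow-up fixes, only imports functions from
# specially named variables), so only the script's own output appears.
#
# $1: name of the environment variable the attacker controls, e.g. "x" for
#     the classic local test or HTTP_USER_AGENT for the CGI case.
# Prints vulnerable / patched / no-bash and returns 1 / 0 / 2.
shellshock_probe() {
  varname=$1
  command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
  # Equivalent to a client sending:  User-Agent: () { :;}; echo SHELLSHOCK_MARKER
  # which a CGI gateway turns into HTTP_USER_AGENT="() { :;}; echo SHELLSHOCK_MARKER"
  out=$(env "$varname=() { :;}; echo SHELLSHOCK_MARKER" bash -c 'echo handler-ran' 2>/dev/null)
  case $out in
    *SHELLSHOCK_MARKER*) echo vulnerable; return 1 ;;
    *)                   echo patched;    return 0 ;;
  esac
}

# Usage: classic local check, then the same check framed as the CGI vector.
shellshock_probe x
shellshock_probe HTTP_USER_AGENT
```

A "patched" result only says this one bash binary rejects the trick; the real exposure is every service that builds environment variables from untrusted input (CGI handlers, some DHCP clients, SSH ForceCommand setups), so inventory those on every host that had a vulnerable bash.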

Organizations sometimes find they are stuck using older, unsupported applications because of a business dependency, even though the original vendor may no longer exist.  This is a risk that needs to be carefully evaluated: organizations need to understand the risks their decisions carry and take appropriate measures to protect older or unpatched systems.  One mitigating strategy is to place a firewall between the network and the older system and permit only the specific traffic the business dependency requires, in both directions, so that a compromise of the unpatched system does not give an attacker a path into the rest of the network.
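As an added example of that isolation firewall (not from the newsletter), the shell function below emits an nftables ruleset for a gateway that forwards traffic between the network and the legacy host. The addresses, port and table name are placeholders for this example: the legacy system is 10.0.5.20, the one application server that must reach it is 10.0.1.15, and the one service it exposes is TCP 1433.

```shell
#!/bin/sh
# Generate an nftables ruleset for a gateway that sits between the network
# and an unpatched legacy host. Forwarding is default-deny in both
# directions: only the named client may open connections to the legacy
# service port, and the legacy host itself may not open connections to
# anything, so a compromise of it does not reach the rest of the network.
#   $1: legacy host address   $2: permitted client address   $3: TCP port
gen_legacy_ruleset() {
  legacy_ip=$1
  client_ip=$2
  port=$3
  cat <<EOF
table inet legacy_gw {
  chain forward {
    type filter hook forward priority 0; policy drop;
    # replies belonging to connections that were already permitted
    ct state established,related accept
    # the single permitted flow: client -> legacy service
    ip saddr $client_ip ip daddr $legacy_ip tcp dport $port ct state new accept
    # everything else, including anything the legacy host initiates, is logged and dropped
    log prefix "legacy_gw drop: " drop
  }
}
EOF
}

# Usage (placeholder values): write the ruleset to a file for review.
gen_legacy_ruleset 10.0.5.20 10.0.1.15 1433 > legacy_gw.nft
cat legacy_gw.nft
```

Validate the generated file with `nft -c -f legacy_gw.nft` before loading it with `nft -f legacy_gw.nft`, and watch the "legacy_gw drop:" log lines for a while after deployment: unexpected drops from the legacy host are either a forgotten business dependency or the first sign that the host has been compromised.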

3.  Third-Party Vendors

Breaches through third-party vendors come down to poor controls over the access those vendors are given.  Dairy Queen, Lowe's, Jimmy John's, Goodwill Industries International and Target are all examples of breaches that came in through a third-party vendor.  In the Target case, the attackers first compromised a vendor that serviced Target's heating, ventilation and cooling (HVAC) systems, then used that vendor's network credentials to get into Target's IT systems.

Depending on the industry your organization operates in, vendor management may be mandated by regulatory or statutory requirements.  Even if your industry does not mandate any requirements, it is still important that you review your vendors' internal controls.

If you use any cloud solution provider for services such as hosted email, spam filtering, remote backup solutions and collaboration tools, you should review these partners' security controls and their financial stability.

Posted by Jack Gerbs