
Breaches show information security fundamentals prove hard to learn

News roundup: Heartbleed vulnerabilities, point-of-sale malware and phishing scams are nothing new, yet numerous companies continue to fall victim to them. Shouldn't the lesson be learned by now? Plus: HTTP Shaming, Dropbox improvements and more.

It seems like a week can't go by without hearing news of another data breach. Amid Heartbleed vulnerabilities, point-of-sale malware and phishing scams, one would think that enterprises would learn from others' mistakes by refocusing on information security fundamentals.

Yet, unfortunately, some security lessons just aren't being learned.

A breach revealed this week at Community Health Systems Inc. (CHS) exposed the sensitive data of 4.5 million patients. It was later reported that the OpenSSL vulnerability Heartbleed was to blame; reports suggest the exploit occurred on a Juniper Networks Inc. VPN product that was not properly updated after news of the coding vulnerability broke in April of this year. While speculation persists, some suggest that had CHS implemented Juniper's patch, the breach may have been prevented or at least mitigated.

But it's not only Heartbleed causing problems. Last week two major supermarket chains -- SuperValu Inc. and AB Acquisition LLC -- separately revealed that customer credit card information may have been stolen during a network intrusion. Then yesterday UPS confirmed that it was hacked earlier this year as an effect of point-of-sale (POS) malware. If POS malware sounds familiar, it should. It was the Kaptoxa POS malware that was at the heart of last year's Target breach, which affected up to 70 million customers.

Several other companies -- including Neiman Marcus, PF Chang's China Bistro and Michaels Stores Inc. -- have also fallen victim to similar breaches.

In most, if not all, of these instances, the breaches could have been avoided, or at the very least their effects lessened, had companies heeded warnings and taken a closer look at potential vulnerabilities in their own systems when the initial breaches occurred.

After the Target breach, US-CERT in conjunction with the U.S. Department of Homeland Security released a report outlining not only the steps hackers were taking to infiltrate systems, but also how enterprises could mitigate and prevent such attacks. Numerous articles have also been published to help organizations defend against POS vulnerabilities, and, truth be told, protection strategies haven't changed much in the past decade. Strong passwords, firewalls and antimalware are critical to security success, as are using patched and updated systems, restricting access and closely governing remote access.

In the case of Heartbleed, as soon as the OpenSSL vulnerability was found, the website began publicizing the issue and offered information to help businesses and individuals recover and prevent issues. Sadly, many organizations did not follow the advice, or did not do so quickly enough.

And let's not forget phishing -- how many times have these scams created issues for companies? A report from NextGov states that employees at the United States Nuclear Regulatory Commission were the most recent phishing victims, tricked into divulging their login details in a series of phishing emails, which subsequently led to three different intrusions over the past three years. Mitigating phishing and other social engineering scams doesn't even require software upgrades or expensive investments -- merely security awareness training and employee compliance -- yet organizations fall prey to this tactic again and again.

Security managers and organizations would do well to take a minute to stop and read the lessons that recent history is teaching them -- these lessons may hold the key to preventing the same issues from happening within their own enterprises.

In other news:

  • A new website aptly named HTTP Shaming publicly humiliates websites and applications using unencrypted communications (HTTP) that potentially put sensitive user data at risk. Site creator Tony Webster said the aim of the project is to get sites and apps using HTTP to migrate to the more secure HTTPS. So far, AT&T, the Parliament of Australia, KeePass and Adobe Systems Inc. are among the organizations that have been called out.

    The website HTTP Shaming illustrates how Adobe Flash Player downloads software updates over unsecured HTTP.
  • The popular file-sharing service Dropbox announced on Tuesday that it was adding three new features to its Dropbox for Business program: view-only permissions for shared folders, passwords for shared links and expirations for shared links. The changes come months after mainstream media revealed Dropbox could potentially leak private data.
  • A group of security researchers from Georgia Tech made a presentation on Mimesis Aegis at the USENIX Security Symposium in San Diego this week. The Latin name roughly translates to "imitation shield." It is a new approach to user data privacy that creates a "transparent window" on top of applications, preventing unencrypted data from leaving the device. Currently, MAegis works on Android devices and supports cloud services including Gmail, Facebook Messenger and WhatsApp.
  • ISACA and the Institute of Internal Auditors (IIA) have released a report urging members of corporate boards of directors to actively take part in enterprise cybersecurity. The report "provides the practical guidance that board members need to become active partners in battling cybercrime," IIA President and CEO Richard Chambers stated in a press release. The report details strategies and advice to help board members establish enterprise risk management strategies, communicate effectively with management teams, stay on top of cybersecurity situations and more. The report comes as security experts say that a lack of security education, not awareness, is holding board members back from taking more active roles in information security programs.


Why haven't companies learned their data breach/security lessons? What more will it take?
Maybe they need to get hit in the wallet? It's become clear that companies won't learn until it happens to them (and even then, many don't fix their issues). A financial incentive could be what makes the difference. 
I agree with Ben. It seems to me that companies are only taking action when the breach happens to them. Hopefully they realize that's not the right course of action.
Whilst IT managers and CIOs are still providing the expertise, security can no longer be their responsibility alone. When the security of systems and data is fundamental to the business, it becomes fundamental to all those in senior management. Perhaps the Target episode will act as a milestone in regards to how organisations should be viewing data security as a business priority. It sends a message to other top-level executives: Do you know how secure your business’ systems and data are? How educated are your employees on security issues? How educated are you?
Great question!

I think Winston Churchill said it best: “Want of foresight, unwillingness to act when action would be simple and effective, lack of clear thinking, confusion of counsel until the emergency comes…these are the features which constitute the endless repetition of history.”

This is such a complex study in human behavior. Just look at the research that comes out each year from Verizon, Trustwave, etc. They each underscore the same fundamental problem - it’s related to the definition of insanity that we’re all familiar with. We keep doing the things that don’t work and expect things to change.

I think much of it has to do with the assumption that IT is "taking care of things" and that "we're compliant therefore we're secure". The reality is if we keep going down this path doing the things we’ve been doing, we’re going to keep getting the results we’ve been getting…No big complaints from me though...Sure, it can be frustrating as a consumer, but it's certainly great job security for all of us involved in the fields of IT and information security!
Yes, inertia is a powerful force. It takes a lot more work to change processes and priorities than some companies - especially those with stretched resources - are willing to do.