Imagine you’re leaving for a weeklong vacation. Would you leave your doors unlocked when you left the house? Probably not — this would put your possessions at risk of theft. Just locking your doors could deter potential thieves.
The same logic applies to computer systems. By using a digital door lock, you can prevent hackers from gaining access. Like burglars, most hackers want to break in to steal something of value — information. The effort to protect that information is called Information Security.
However, a locked door is not always enough to stop a potential burglar. Additional security measures, like an alarm system, may be necessary. Similarly, information is secured by a variety of methods, including state and federal laws, industry standards, company policies, and best practices. The task of ensuring that these methods are being implemented and followed, which can help prevent hacks, is known as “compliance and assurance.”
Below are two case studies of recent data breaches and an analysis of how they could have been prevented through better compliance.
Hack #1: Major Retailer
A major retailer was attacked, resulting in the theft of more than 40 million customers’ information, including credit card numbers.
- How It Happened — The hackers gained access to the system by stealing the username and password of a third-party vendor, and used a variety of techniques to elevate their access to checkout terminals. They then developed malicious software (malware) that gave them access to customers’ credit card information.
- Why It Happened — Despite the valuable information that a third-party vendor might gain from it, giving them access to a company’s internal network creates another entry point for hackers. In this situation, the risk was even higher because the vendor was allowed to log in to the system from outside the physical location of the company’s servers.
- What to Learn — If the retailer had simply prevented remote access, the breach might have never happened. By implementing access policies for both vendors and employees, among other measures, the company could prevent future breaches.
Hack #2: Government Agency
A government agency that collected the information of civil service employees was the target of another damaging data breach. More than 20 million people were affected by the hack, and the information stolen included Social Security numbers, addresses, health information, and fingerprints.
- How It Happened — Due to the sensitivity of the information system’s security standards, the specific method the hackers used has not been released.
- Why It Happened — The agency’s security practices had been inadequate for years. Although efforts to improve security were in progress, in the end it was too little, too late. The breach went on for nearly a year before it was discovered. Some of the possible causes include:
- The agency did not maintain an inventory of network devices, servers, databases, etc.
- It did not verify the identity of users accessing systems remotely, exposing the system to unknown, unauthorized users from all over the world.
- The agency could not supply evidence that it regularly monitored potential system vulnerabilities.
- What to Learn — The solutions to these security weaknesses have been implemented in other government agencies, including maintaining an accurate network diagram and hardware inventory and preventing unknown users from accessing the system. If the agency had followed industry standards for these issues, the breach might have been prevented.
Of course, it’s easy to look back and say what should’ve been done to prevent these breaches. However, these organizations could have easily, and relatively inexpensively, prevented them.
Protecting Your Information
Although it’s an incredibly important component of protecting information, simply following laws, regulations, and standards doesn’t guarantee protection from a breach. Constant vigilance and evaluation are required to protect information to the greatest extent possible — this is the essence of compliance and assurance.
Check back for more posts from the MassIT Enterprise Security Office during Cyber Security Awareness Month.
Defending Against Ransomware posted on Oct 18
According to the United States Computer Emergency Readiness Team (US-CERT), ransomware is the fastest growing malware threat, with more than 4,000 attacks occurring each day. This type of malware blocks a user from accessing data until the operator of the malicious program receives payment. For …Continue Reading Defending Against Ransomware
Where’s My Data? 10 Simple Tips for Securing Your Business’s Data posted on Oct 11
As a business owner, you can protect your employees, business, and customers from hackers. MassIT shares 10 tips to help IT departments at companies big and small create a security plan to keep their data safe. Identify Sensitive Data — Know where sensitive personal information, including …Continue Reading Where’s My Data? 10 Simple Tips for Securing Your Business’s Data
Understanding Malware — What It Is and Types to Know posted on Oct 6
The term malware is everywhere these days, but what exactly is it? Malware is short for malicious software. It can be used to manipulate your computer and steal your information. There are several types of malicious software, which can be broken down into broad categories, …Continue Reading Understanding Malware — What It Is and Types to Know