SC Magazine – sponsors of the popular SC Congress series of conferences – recently released its list of the Top 8 Security Breaches of 2013, and the dispiriting thing is, the themes are sounding awfully familiar. Apparently, some shops have learned nothing from previous fiascos – hands up, anybody who remembers Heartland and TJX – and continue to ignore best practices we’ve known about for years.
What lessons have we forgotten?
* No excuse for no encryption. Probably the largest volume of data breach information comes from low-tech (or even no-tech) hacking, not high-tech hacking. More than 700,000 patients at AHMC Hospitals in California had personal details exposed when thieves broke in and stole two laptop computers. At least no episodes of lost USB keys made the list this year, though it still happens all the time: contractor Computer Sciences Corp. lost one in transit, compromising the information of Medicaid providers across the U.S.; the police force in Manchester, U.K. was fined the equivalent of about $200,000 for losing an unencrypted USB key with sensitive data from a drug squad investigation; health-care provider Kaiser Permanente lost a USB key with personal details of 50,000 patients after a privacy breach at an Anaheim, Calif., facility. We’ve had more than our share in the last few years in Canada. Whether it’s on a laptop, USB key or server, there’s no excuse for data at rest to remain unencrypted.
* Monocultures are lethal. Microsoft Corp. products actually seem to be performing better on the security side than the days when the Office-Outlook-Exchange monoculture was dominant, but any time you have a product that dominates a market space, you’re more exposed. Adobe Acrobat has now become the poster child for ubiquitous applications subject to attack; the company admitted in October that a breach thought to have affected 2.9 million users actually affected 38 million. It’s the only PDF reader anybody who’s anybody uses, so vulnerabilities in the code can affect a huge footprint of users.
* Big money = big target. Hacktivist collective Anonymous targeted the personal banking information of 4,000 banking executives, breaching the U.S. Federal Reserve Bank’s system through a vulnerability in a vendor product. While they weren’t out to steal more than information, most hacking activity is motivated by money, and the more there is, the more likely you’ll be targeted by hackers.
* Social insecurity. People share too much on social networks; that’s kind of the point of them in the first place. But that information can be exposed, as it was when hackers compromised hashed and salted passwords for 50 million users of the hot-deals website LivingSocial. Fortunately, according to the company, no financial information was exposed.
You can view the SC Magazine slide show here.