More tales of security fails

Last week I talked to security experts who told horror stories of unencrypted emails and blind acceptance of security audit reports. This week they'll tell you about "weak link" employees and companies with an overly inflated sense of their blocking skills.


Another day, another data breach. Now it is Kreditech's turn in the spotlight, an unfortunate development for a startup that specializes in lending to "unbanked" consumers.

The Hamburg, Germany-based company is the subject of a post by Krebs On Security, a blog by security researcher Brian Krebs. He has uncovered a number of security failures at major corporations, including last year's mammoth breach at Home Depot, so Kreditech is in good, albeit dubious, company.

According to Krebs' blog post, Kreditech is investigating a breach that came to light after hackers posted thousands of applicants' personal and financial records online. Anna Friedrich, head of communications at the company, suggested that the data was leaked by an insider, possibly aided by faulty web design, according to the post and to a story in Finextra.

Security experts may not be familiar with the particulars of this incident, but the general storyline is one so familiar that they could have written it themselves.

This data breach, though, is only part of the tale. Security fails happen in many different and surprising ways.

Last week I talked to security experts who told horror stories of unencrypted emails and blind acceptance of security audit reports. This week they will regale you with tales about "weak link" employees and companies with an overly inflated sense of their blocking skills. And yes, insider threats.

Security fail: IT is not realistic about its vulnerabilities.

The solution: Get over the hubris. Organizations have deluded themselves into believing that full prevention is possible and have become overly reliant on blocking-based mechanisms for protection, according to Sandeep Kumar, marketing manager at ForeScout Technologies.

"This has led to painfully slow identification of breaches when they occur -- and they will occur," he says.

IT shops also tend to under-invest in automated response and risk mitigation capabilities, Kumar says. This is bad because "a single infected or compromised endpoint connected to the enterprise network can cause internal malware propagation and a full-scale outbreak unless enterprises have automated response and risk mitigation controls in place."

Another problem Kumar identifies: Companies tend to overlook less likely infection pathways such as malware propagated through USB drives, or devices that may have become infected on public networks prior to connecting to the enterprise network. "Malware propagation via these unmonitored infection pathways is on the rise due to increasing enterprise mobility," he says.

Security fail: Focusing too much on external risks.

The solution: Consider the depressing fact that insider actions can also lead to security issues.

This is not necessarily about deliberate sabotage or insider theft, says Sookasa CEO Asaf Cidon. Lost or stolen devices or accidental data loss can also have serious consequences.

"Similarly, many enterprises don't think about what happens to company data on employee-owned devices," he says. "Employees are taking work home on mobile devices more and more frequently, and these devices, in turn, are frequently lost or stolen."

These more "mundane" threats, Cidon believes, are far more common than cyberattacks.

Security fail: Believing in "safe" websites.

The solution: Warn your employees about this security issue.

"Even the most trusted sites can be compromised and used to serve malware," says Rick Kagan, vice president of marketing at Menlo Security. "In fact, such sites are now targeted by attackers because they deliver a valuable visitor base."

Security fail: Believing that if you warn your employees about a security issue, they will follow your directive.

"Despite all of the news about email risks and enterprise training programs designed to prevent bad practices, many organizations report that between 30 to 70 percent of their employees still click links in test emails designed to see if users can recognize and avoid phishing attacks," Kagan says.

The solution: Come to grips with the knowledge that your employees are a very weak link. Act accordingly.

"The simplest way to inject malware into the environment is still via the end user, be it email with malicious files or links or through infected removable media," says Todd Waskelis, vice president of security consulting services at AT&T Consulting Solutions.

Security fail: Thinking of security as an IT problem.

The solution: Share the problem, if only to get buy-in and financial resources from the board of directors and upper management, says Michael Flickman, chief technology officer of Diligent Board Member Services.

"Board members should have ample opportunity to ask questions as needed and senior executives should be prepared to brief the board on the organization's cybersecurity management strategy," he says. "They can help protect against data breaches by making sure that management has implemented ongoing internal awareness programs and best practices, and has agreed on who is responsible for managing cybersecurity issues."

These suggestions just address the low-hanging fruit. Some experts, such as Dean Gonsowski, Recommind’s global head of information governance, can get really wonky on the subject. His advice: Delete all unneeded email on a regular basis. "Many companies keep everything, on the theory that big data will turn yesterday's trash into tomorrow's treasure." That's not true, he says -- trash today will probably be trash tomorrow. "As Sony discovered, the risks of keeping everything are much more certain than the benefits."

And now Kreditech is learning a variation on that lesson. So don't be next.

Copyright © 2015 IDG Communications, Inc.
