CoreTrace WhiteSpace

The Application Whitelisting and Security Weblog

Lessons from Booz, RSA, Epsilon, etcetera: Partners may be your weakest security link…

Computer hackers by and large focus on the weakest link of an organization’s security system. Whether it’s an unprotected server, a newly discovered system vulnerability, or an unsuspecting employee’s computer that is connected to the corporate network, cyber criminals are experts at sniffing out the weakest link.

On the surface, this week’s breach of 90,000 military e-mails and password hashes may look the same. After all, the hackers claiming responsibility for the break-in did so through an unsecured server in a network that basically had no security measures in place. What’s different about this attack, however, is that the exploited server was not the military’s. The server belonged to government contractor Booz Allen Hamilton. In other words, this criminal strategy went beyond the walls of an organization’s own network defenses.

In the case of the Epsilon security breach, where millions of customer email addresses were compromised, hackers targeted a single entity to steal private data on many of the marketing giant’s big-name customers like Chase, Citi and Target. The Booz Allen hack reverses that scenario. Instead of going after one to get to many, cyber criminals targeted multiple entities to get to one.

If you can’t change user behavior, stop the payload…

For some time now, we’ve been hearing about how users often fail to install security updates for known vulnerabilities months, or even years, after a fix is available. As an IT security professional, this blows my mind because such practices create security holes that leave computers, and now corporate networks, susceptible to targeted cyber attacks. However, I am a realist: most users do not really think or care about security until something happens to them directly.

According to the article “Malware Authors Relying on Poor User Updating Practices,” cyber criminals understand this and are taking advantage of users’ negligence around installing the latest security updates on their PCs. According to Ralf Benzmüller, head of G Data SecurityLabs, cyber crooks are not just targeting current security gaps; they also have their eye on unclosed vulnerabilities that for one reason or another have been disregarded by users.

Cloud security: Protecting critical data is job #1…

Cloud computing has certainly taken its share of hits lately. Last month’s Amazon outage created a lot of chatter and analysis around the reliability and availability of cloud-based services. Despite what pretty much amounts to growing pains for cloud computing, most everyone agrees that businesses will continue pursuing cloud services for the many cost and competitive advantages that the cloud promises.

The one thing that these types of events bring to light is the importance of security with cloud providers. According to the recent article, “Symantec executives caution customers on cloud provider security,” as more and more businesses turn to cloud services, they need to hold their providers to the same security standards that they adhere to because they can still be liable if their data is breached.

Whether an organization’s business assets are on-premise or reside in the cloud, securing critical data needs to be the No. 1 priority.

Top Endpoint Security Stories for April 2011: Sony PSN & Epsilon breaches dominate the news, but other critical systems at risk too…

Is it me, or does it seem like many of today’s security breaches are (eventually) the result of organizations not taking the necessary precautions to protect their data from cyber fraud? With the attacks on the Sony PlayStation Network and marketing giant Epsilon, April saw its share of high-profile data breaches. But many of the intelligence reports that follow such incidents seem to indicate that had the organization taken proactive security measures to protect their enterprises, they may have mitigated risks that allowed their data to be compromised. All this leads to one important question: Are we doing enough to protect our networks? Here were some of the top security stories from April 2011:

Epsilon Breach: One bad apple really *can* spoil the whole bunch…

The recent Epsilon security breach that resulted in millions of customer email addresses being compromised brings to light something I’ve said before, but can’t emphasize enough: You can’t control everything your end-users are doing. What you can control is what they are causing.

While companies can educate and train end-users to be more mindful of dangerous phishing and social engineering attacks, the truth of the matter is people are people, and they are going to make mistakes. According to the InfoWorld article, “Report: End-user ignorance at Epsilon let hackers steal customer data,” in this particular case, a mistake made by one end-user in an email-based phishing attack affected many others simply because the user was connected to a larger network that stored millions of customer email addresses of big-name companies including Chase, Citi, Walgreens, Target, Disney Vacations, Fry’s and Eddie Bauer, to name a few.