Seven “Sins” of Cyber Security

Tuesday, May 07, 2013

Rick Comeau


While some of the cyber attacks making news lately are the result of sophisticated methods, many are not: they often take advantage of a lack of basic security protections. The 2013 Verizon Data Breach Investigations Report (DBIR) notes that of the intrusions analyzed, 78% of the initial intrusions were rated as low difficulty. Let's take a look at seven "sins" that organizations and users are committing that leave them vulnerable.

Misconfigured systems and unpatched systems/applications

Many devices and systems are deployed with their default "out-of-the-box" settings, which are usually geared toward ease of use and deployment rather than security: default credentials, management interfaces listening on every network interface, debugging features left on. These defaults are easy targets for attackers, and a setting that is simply absent from a configuration file is not "secure"; it means the vendor default is in force. Similarly, systems and applications that are not patched on a regular basis stay vulnerable to flaws that are already public. Security-focused configuration baselines, checked against the running system rather than assumed, and regular patching are critical, and should be a key layer in any organization's defense-in-depth strategy.
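As an added illustration of a configuration baseline check (this is example code, not something from the article or from CIS), the script below audits an appliance-style "key = value" configuration against a hardened baseline. The directive names, the vendor defaults and the baseline values are constructed for the example and do not describe any real product. The point it demonstrates is the one above: a directive that is missing from the file is evaluated at its vendor default, and the report says whether each bad value was written explicitly or silently inherited.

```python
"""Audit an appliance-style configuration against a hardened baseline.

Added example, not code from the original article. The directive names,
vendor defaults and baseline values are constructed for illustration and
do not describe any real product.
"""
import re

# What the product applies when a directive is absent from the file.
# A missing line does not mean "secure"; it means the factory default is in force.
VENDOR_DEFAULTS = {
    "admin_password": "admin",      # constructed factory credential
    "remote_admin": "on",
    "debug_interface": "on",
    "tls_min_version": "1.0",
    "listen_address": "0.0.0.0",
}


def _version_tuple(v):
    return tuple(int(p) for p in v.split("."))


# Hardened baseline: directive -> (reason, predicate on the effective value).
BASELINE = {
    "admin_password": ("factory credential must be replaced by a long secret",
                       lambda v: v != VENDOR_DEFAULTS["admin_password"] and len(v) >= 12),
    "remote_admin": ("remote administration must be disabled", lambda v: v == "off"),
    "debug_interface": ("debug interface must be disabled", lambda v: v == "off"),
    "tls_min_version": ("TLS 1.2 or newer required", lambda v: _version_tuple(v) >= (1, 2)),
    "listen_address": ("service must not bind to all interfaces",
                       lambda v: v not in ("0.0.0.0", "::")),
}

DIRECTIVE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_config(text):
    """Parse 'key = value' lines. '#' starts a comment, later lines override
    earlier ones (last one wins), malformed lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = DIRECTIVE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip().strip('"')
    return settings


def audit(text):
    """Return findings as (directive, effective value, source, reason).
    'source' tells the reviewer whether the bad value was written explicitly
    or is inherited from the vendor default."""
    explicit = parse_config(text)
    effective = {**VENDOR_DEFAULTS, **explicit}
    findings = []
    for key, (reason, ok) in BASELINE.items():
        value = effective[key]
        if not ok(value):
            source = "explicit" if key in explicit else "vendor default"
            findings.append((key, value, source, reason))
    return findings


# Constructed sample: a device left mostly at factory settings.
FACTORY_CONFIG = """
listen_address = 0.0.0.0
tls_min_version = 1.2
remote_admin = off
remote_admin = on        # re-enabled further down; last one wins
"""

# Constructed sample: the same device after hardening.
HARDENED_CONFIG = """
admin_password = "Gq7!rM2vL9xT4b"
remote_admin = off
debug_interface = off
tls_min_version = 1.2
listen_address = 192.0.2.10
"""

if __name__ == "__main__":
    for finding in audit(FACTORY_CONFIG):
        print("%-16s = %-16s (%s) %s" % finding)
    print("hardened findings:", audit(HARDENED_CONFIG))
```

Running it against the factory configuration reports four deviations, two of which (the default credential and the debug interface) never appear in the file at all; the hardened configuration reports none.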

Weak passwords

It's hard to believe, but people are still using passwords such as "123456" or "password." In addition to using weak passwords, another bad behavior is password recycling: using the same password for multiple online accounts. Once an attacker gets the password from one site, he can get into all of those other accounts too. Organizations must have policies and procedures that enforce strong passwords, reject passwords that appear on common or breached-password lists, and keep a history of previous hashes so that a change cannot simply cycle back to an old password. Note that more recent guidance (NIST SP 800-63B, 2017) drops mandatory periodic rotation in favor of changing passwords when compromise is suspected, because forced rotation pushes users toward predictable variations. Using a password manager may also help. Look for programs that use strong encryption, keylogger and phishing protection, and lock-out features.
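The following is an added example (not code from the article) of what "enforce strong passwords" looks like in practice: a policy check that catches the trivial passwords named above and their leet-speak variants, plus a per-user history of salted PBKDF2 hashes so that a change cannot reuse a recent password and the store never holds plaintext. The minimum length, the history depth, the small common-password list and the PBKDF2 iteration count are choices made for this illustration.

```python
"""Password policy enforcement with a salted, hashed password history.

Added example, not code from the original article. The policy numbers,
the common-password list and the PBKDF2 parameters are choices made for
this illustration; tune them to your own environment.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 12
HISTORY_SIZE = 5
PBKDF2_ITERATIONS = 600_000        # OWASP's 2023 figure for PBKDF2-HMAC-SHA256

# A tiny stand-in for a real breached-password list (constructed, not complete).
COMMON_PASSWORDS = {"123456", "12345678", "password", "qwerty", "abc123",
                    "111111", "letmein", "welcome", "iloveyou"}

# Undo the usual "leet" substitutions so P@ssw0rd is judged as password.
_DELEET = str.maketrans("@$013!", "asolei")


def check_policy(password, username=""):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    skeleton = lowered.translate(_DELEET)
    if any(common in skeleton for common in COMMON_PASSWORDS):
        problems.append("contains a common password")
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    if len(set(lowered)) < 5:
        problems.append("too few distinct characters")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). A fresh salt per
    password means identical passwords never produce identical digests."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class PasswordStore:
    """Current password plus the last HISTORY_SIZE hashes per user, so a forced
    change cannot simply cycle back to an old password. Only hashes are kept."""

    def __init__(self):
        self._history = {}   # username -> [(salt, digest), ...], newest first

    def set_password(self, username, new_password):
        problems = check_policy(new_password, username)
        history = self._history.get(username, [])
        if any(verify_password(new_password, s, d) for s, d in history):
            problems.append(f"used within the last {HISTORY_SIZE} changes")
        if problems:
            return problems
        history.insert(0, hash_password(new_password))
        self._history[username] = history[:HISTORY_SIZE]
        return []

    def authenticate(self, username, password):
        history = self._history.get(username)
        if not history:
            return False
        salt, digest = history[0]
        return verify_password(password, salt, digest)


if __name__ == "__main__":
    store = PasswordStore()
    print(store.set_password("alice", "P@ssw0rd2013"))                   # rejected
    print(store.set_password("alice", "correct-horse-battery-staple"))   # accepted
    print(store.set_password("alice", "correct-horse-battery-staple"))   # rejected: reuse
    print(store.authenticate("alice", "correct-horse-battery-staple"))  # True
```

The history check works on hashes only: each candidate is re-derived against every stored salt, which is slow by design and is exactly why the iteration count must be high enough to make offline guessing expensive.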

Untrained employees

Many attackers target users directly to gain access to an organization. Phishing is still one of the most common methods; attackers keep using it because it works. All users need training, at least annually, to recognize and defend against current threats, including phishing and other social engineering scams: a sender address that only resembles the company domain, a reply address that differs from the sender, a link whose visible text does not match where it actually points. Training is no guarantee that a user will never fall for a scam, so the organization's systems and devices must also be as well protected as possible (properly configured and patched) to minimize what an attacker can exploit once a user has been tricked.
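To make the indicators listed above concrete, here is an added example (not code from the article) that parses a raw e-mail and flags them: a Reply-To domain that differs from the From domain, a sender domain that is a look-alike of the organization's own, links whose visible text names one host while the href goes to another, and links to bare IP addresses. The two messages, the domain names and the heuristics are constructed for the example; a real mail gateway would additionally use a public-suffix list and reputation data.

```python
"""Flag common phishing indicators in a raw e-mail message.

Added example, not code from the original article. The messages, domain
names and heuristics are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_LIKE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Host part of a URL, or of bare text such as www.example.com/x."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def registrable(host):
    """Approximate the registrable domain as the last two labels (no PSL here)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def skeleton(domain):
    """Collapse look-alike tricks: 1->l, 0->o, rn->m, drop hyphens."""
    return domain.lower().translate(str.maketrans("10", "lo")).replace("rn", "m").replace("-", "")


def _html_body(msg):
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def phishing_indicators(raw_message, org_domain):
    """Return a list of (indicator, detail) tuples; empty means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].lower().rpartition("@")[2]
    if reply_domain and reply_domain != sender_domain:
        findings.append(("reply-to-mismatch", f"From {sender_domain}, Reply-To {reply_domain}"))
    if sender_domain != org_domain and skeleton(sender_domain) == skeleton(org_domain):
        findings.append(("lookalike-sender", sender_domain))
    collector = _LinkCollector()
    collector.feed(_html_body(msg))
    for href, text in collector.links:
        target = host_of(href)
        if IPV4.match(target):
            findings.append(("ip-literal-link", href))
        if URL_LIKE.match(text) and registrable(host_of(text)) != registrable(target):
            findings.append(("link-text-mismatch", f"shows {host_of(text)}, goes to {target}"))
        if target != org_domain and not target.endswith("." + org_domain) \
                and skeleton(registrable(target)) == skeleton(org_domain):
            findings.append(("lookalike-link", href))
    return findings


# Constructed sample: a credential-harvesting lure.
SAMPLE_PHISH = """From: IT Helpdesk <helpdesk@examp1e-corp.com>
Reply-To: helpdesk@mail-reset-service.net
To: alice@examplecorp.com
Subject: Action required: password expires today
Content-Type: text/html; charset=utf-8
MIME-Version: 1.0

<html><body><p>Your password expires in 2 hours. Reset it now at
<a href="http://198.51.100.23/reset">https://sso.examplecorp.com/reset</a></p>
<p>Questions? See <a href="https://examplecorp.com/help">our help page</a>.</p></body></html>
"""

# Constructed sample: a legitimate internal notice.
SAMPLE_LEGIT = """From: IT Helpdesk <helpdesk@examplecorp.com>
To: alice@examplecorp.com
Subject: Scheduled maintenance on Saturday
Content-Type: text/html; charset=utf-8
MIME-Version: 1.0

<html><body><p>Details: <a href="https://intranet.examplecorp.com/maintenance">https://intranet.examplecorp.com/maintenance</a></p></body></html>
"""

if __name__ == "__main__":
    for indicator, detail in phishing_indicators(SAMPLE_PHISH, "examplecorp.com"):
        print(f"{indicator:20s} {detail}")
    print("legit:", phishing_indicators(SAMPLE_LEGIT, "examplecorp.com"))
```

The same checks are what a user is being asked to do by eye during awareness training; automating them at the gateway removes the cases where the user would have had to notice a single digit in a domain name.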

Cloud Confusion

Organizations are moving more of their IT infrastructure into the cloud, but many do not really know what security protections are in place: nearly two-thirds of companies surveyed said they did not know how the cloud service provider was protecting sensitive data. It is important to ask the questions: What measures are in place to protect data? Who has access to the physical machine hosting your data? Where is that machine located? It is also important to understand that placing data in the cloud does not eliminate an organization's need to meet legal and regulatory requirements such as PCI DSS or HIPAA; the provider may operate the infrastructure, but the obligation to protect the data stays with the organization that owns it.

Mobile Device Mayhem

The perimeter has dissolved, and security protections now depend on each user with a mobile device, as every new smartphone, tablet or other mobile device provides another opportunity for a potential cyber attack. More than 44% of organizations surveyed recently allow BYOD and another 18% plan to by the end of 2013. This increases the cyber security risks for an organization, such as unauthorized access and malware infections, particularly if it does not have control over the employee's personal mobile device. Organizations need to develop and enforce strong policies regarding use, and implement controls to protect the devices and data, including installing and maintaining security software, enabling passcodes and device time-outs, and encrypting stored data so that a lost device does not mean lost data.

Social Media Mania

The April 2013 hijacking of the Associated Press's Twitter account, which was reportedly preceded by phishing emails to AP staff and caused an immediate, if brief, drop in the stock market, once again highlights the power and the vulnerability of social media. The sheer volume of users and the information that gets posted on social media sites create plenty of opportunity for an attacker to use social engineering to gain access to individual accounts and organizations. The sites are also key vectors for malware. Organizations must have strong policies regarding who posts and what gets posted on official organization accounts, and also ensure the proper security controls are in place to protect the infrastructure.

Incomplete Inventory and Access Controls

How can you protect what you don't know you have? Many organizations are still not adequately inventorying their assets, conducting risk assessments to prioritize the criticality of those assets, or implementing proper access controls. Ensure that data is classified and that each class carries appropriate security controls. Know what data you maintain, who has access to it, when and from where they can reach it, and by what means; and treat anything that is not in the inventory as something nobody has been authorized to touch.
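As an added example (not code from the article), the following shows how an asset inventory with classifications can drive the who/what/when/where/how decision just described: every request is resolved against the inventory first, an unknown asset is denied outright, and the rules tighten as the classification level rises. The classification levels, the sample inventory, the groups, networks and business hours are all constructed for the example.

```python
"""Inventory-driven access decisions: who, what, when, where and how.

Added example, not code from the original article. The classification
levels, the inventory, users, networks and hours are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

LEVELS = ("public", "internal", "confidential", "restricted")
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]
BUSINESS_HOURS = (time(7, 0), time(19, 0))


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str
    owner_group: str
    system: str           # where it lives, so a finding maps back to a host


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    asset_name: str
    action: str           # "read" | "write" | "export"
    when: datetime
    source_ip: str
    channel: str          # "office" | "vpn" | "web"


# Constructed inventory: the asset register every decision is checked against.
INVENTORY = {a.name: a for a in [
    Asset("press-kit", "public", "comms", "www-1"),
    Asset("employee-directory", "internal", "hr", "intranet-2"),
    Asset("customer-contracts", "confidential", "legal", "docs-3"),
    Asset("payroll-2013", "restricted", "finance", "erp-7"),
]}

AUDIT_LOG = []   # (when, user, asset, action, allowed): the "when" record


def on_corporate_network(ip):
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def decide(req, inventory=INVENTORY):
    """Return (allowed, reasons). Deny by default: an asset that is not in the
    inventory has no owner, classification or controls, so it is refused."""
    asset = inventory.get(req.asset_name)
    if asset is None or asset.classification not in LEVELS:
        AUDIT_LOG.append((req.when, req.user, req.asset_name, req.action, False))
        return False, ["asset not in inventory or not classified"]
    reasons = []
    in_owner_group = asset.owner_group in req.groups
    inside = on_corporate_network(req.source_ip)
    in_hours = BUSINESS_HOURS[0] <= req.when.time() < BUSINESS_HOURS[1]

    if req.action != "read" and not in_owner_group:          # who may change it
        reasons.append(f"only group {asset.owner_group} may {req.action} this asset")
    if LEVELS.index(asset.classification) >= LEVELS.index("confidential"):
        if not in_owner_group:                                # who may see it
            reasons.append(f"{asset.classification} data is limited to group {asset.owner_group}")
        if not inside:                                        # from where
            reasons.append("confidential data only from the corporate network")
    if asset.classification == "restricted":
        if req.channel == "web":                              # how
            reasons.append("restricted data not available via the web channel")
        if not in_hours:                                      # when
            reasons.append("restricted data only during business hours")
        if req.action == "export":
            reasons.append("restricted data may not be exported")
    allowed = not reasons
    AUDIT_LOG.append((req.when, req.user, asset.name, req.action, allowed))
    return allowed, reasons


if __name__ == "__main__":
    now = datetime(2013, 5, 7, 10, 30)
    alice = dict(user="alice", groups=frozenset({"finance"}), source_ip="10.1.2.3", channel="vpn")
    print(decide(Request(asset_name="payroll-2013", action="read", when=now, **alice)))
    print(decide(Request(asset_name="payroll-2013", action="export", when=now, **alice)))
    print(decide(Request(asset_name="shadow-spreadsheet", action="read", when=now, **alice)))
```

The inventory is what makes the rest possible: without the `Asset` record there is nothing to say who owns the data, how sensitive it is, or which host to go and look at when the audit log shows a denied request.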

About the Author: Rick Comeau is Executive Director, Security Benchmarks division at the Center for Internet Security.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
