Seven “Sins” of Cyber Security

Tuesday, May 07, 2013

Rick Comeau


While some of the cyber attacks making news lately are the result of sophisticated methods, many are not: they take advantage of a lack of basic security protections. The 2013 Verizon Data Breach Investigations Report notes that 78% of the initial intrusions it analyzed were rated as low difficulty. Let's take a look at seven "sins" that organizations and users are committing that leave them vulnerable.

Misconfigured and unpatched systems and applications

Many devices and systems are deployed with their default "out-of-the-box" settings, which are usually geared toward ease of use and deployment rather than security: default credentials, unnecessary services left enabled, and permissive settings. These are easy targets for an attacker. Similarly, systems and applications that are not patched on a regular basis remain exposed to vulnerabilities that already have public fixes. Hardened, security-focused configuration baselines and timely patching are critical, and should be a key layer in any organization's defense-in-depth strategy.

Weak passwords

It's hard to believe, but people are still using passwords such as "123456" or "password." In addition to choosing weak passwords, another bad habit is password recycling: using the same password for multiple online accounts. Once an attacker obtains that password from one site, he can try it against every other account the user holds. Organizations must have policies and procedures that enforce strong passwords, force a change at regular intervals and whenever compromise is suspected, and add multi-factor authentication where it is available. Using a password manager also helps, because it lets users keep a distinct password for every account. Look for programs that use well-established encryption algorithms, offer keylogger and phishing protection, and include lock-out features.
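As an added example (not code from the original article), here is a password policy check that rejects the exact failures described above: too-short passwords, passwords containing the username, and passwords that appear in a list of known-compromised values. The breach corpus is a constructed stand-in for a real compromised-password list, and the lookup mirrors the k-anonymity range-query pattern (client reveals only the first five hex characters of the SHA-1 hash and compares suffixes locally), which is a technique the article does not mention and is assumed here.

```python
"""Password policy check with a k-anonymity style breached-password lookup.

Added example; not part of the original article. The breach corpus below is a
constructed stand-in for a real compromised-password list.
"""
import hashlib
from typing import Dict, List, Set

# Constructed sample corpus: passwords that appear in every breach list.
WEAK_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Password1", "welcome1"]


def sha1_hex(text: str) -> str:
    """Uppercase hex SHA-1 digest, the format breached-password range services use."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_breach_index(passwords: List[str]) -> Dict[str, Set[str]]:
    """Index hash suffixes (35 hex chars) by their 5-character hash prefix."""
    index: Dict[str, Set[str]] = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


BREACH_INDEX = build_breach_index(WEAK_PASSWORDS)


def range_query(prefix: str, index: Dict[str, Set[str]] = BREACH_INDEX) -> Set[str]:
    """Simulated server side: given only a 5-char prefix, return every matching suffix.

    The server never sees the full hash, let alone the password.
    """
    return set(index.get(prefix.upper(), set()))


def is_breached(password: str) -> bool:
    """Client side: hash locally, send only the prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5])


def check_password(password: str, username: str = "", min_length: int = 12) -> List[str]:
    """Return a list of policy violations; an empty list means the password is acceptable.

    The policy favours length and a breach-list check over composition rules
    (upper/lower/digit/symbol), which users defeat with patterns like 'Password1'.
    """
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) <= 2:
        problems.append("too few distinct characters")
    if is_breached(password):
        problems.append("appears in a known breach list")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "Password1", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate, username="rick") or ["ok"])
```

In a real deployment `range_query` would be an HTTPS call to a breached-password service and `WEAK_PASSWORDS` would be replaced by that service's data; the client-side logic in `is_breached` and `check_password` stays the same.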

Untrained employees

Many attackers target users directly to gain access to an organization. Phishing is still one of the most common methods, and attackers keep using it because it works. All users need training, at least annually, to recognize and defend against current threats, including phishing and other social engineering scams. Of course, there is still no guarantee that a user won't fall for a scam. For that case, keeping the organization's systems and devices as protected as possible (properly configured and patched) limits what an attacker can do with the foothold a successful phish provides.

Cloud Confusion

Organizations are moving more of their IT infrastructure into the cloud, but many do not really know what security protections are in place: nearly two-thirds of companies surveyed said they didn't know how their cloud service provider was protecting sensitive data. It's important to ask the questions: What measures are in place to protect data? Who has access to the physical machine hosting your data? Where is that machine located? It's also important to understand that placing data in the cloud does not eliminate an organization's responsibility to meet legal and regulatory requirements such as PCI DSS or HIPAA.

Mobile Device Mayhem

The perimeter has dissolved, and security now depends on each user with a mobile device, as every new smartphone, tablet or other mobile device provides another opportunity for a cyber attack. More than 44% of organizations surveyed recently allow BYOD and another 18% plan to by the end of 2013. This increases the cyber security risks, such as unauthorized access and malware infections, for an organization, particularly when it has no control over an employee's personal device. Organizations need to develop and enforce strong acceptable-use policies and implement controls to protect the devices and the data on them, including installing and maintaining security software, requiring a device passcode, and enforcing automatic screen-lock timeouts.

Social Media Mania

The recent hijacking of the Associated Press Twitter account, which caused an immediate drop in the stock market, once again highlights the power and the vulnerability of social media. The sheer number of users and the volume of information posted on social media sites give an attacker plenty of raw material for social engineering against individual accounts and organizations. The sites are also key vectors for malware. Organizations must have strong policies regarding who may post on official organization accounts and what may be posted, and must ensure that the proper security controls (strong, unique credentials and limited access to those accounts) are in place to protect the infrastructure.

Incomplete Inventory and Access Controls

How can you protect what you don't know you have? Many organizations are still not adequately inventorying their assets, conducting risk assessments to prioritize the criticality of those assets, or implementing proper access controls. Classify data and apply security controls appropriate to each classification. Know what data you maintain, who has access to it, when and from where they have access, and how they can access it.

About the Author: Rick Comeau is Executive Director, Security Benchmarks division at the Center for Internet Security.

Mic Micac I am currently working on an assignment and I have been exploring your blog for a few hours. Thank you for your post it proved helpful for me.
Mic Micac Your article has a lot of great information and it has really helped me with my paper for a class I am taking. Do you have any other posts about this topic?
abdul bari Chanessra Your approach to this topic is unique and informative. I am writing an article for our school paper and this post has helped me.
abdul bari Chanessra It's a good post. Keep posting and update the information.
abdul bari Chanessra I really appreciate that you wrote this article and shared some really good information on this specific topic. I was in vital need to get some information on this topic and thanks to you, I've got that! Thanks.
abdul bari Chanessra I definitely enjoying every little bit of it. It is a great website and nice share. I want to thank you. Good job! You guys do a great blog, and have some great contents. Keep up the good work.
abdul bari Chanessra They will take an objective and recover a lot. We're not sure how to answer it, we're still testing extensively.
abdul bari Chanessra This is also a very good post which I really enjoyed reading. It is not everyday that I have the possibility to see something like this.
abdul bari Chanessra This is the type of information I’ve long been trying to find. Thank you for writing this information.
Andrew David You have impressed me today. Your article here is staggering. I have not read an article like this in quite a lot of time. It's really mind blowing what you've done today. Keep it up!
Andrew David World class stuff from you here, mate. This is mind blowing stuff, really. I just hope that you will continue this and give more articles like this.
Andrew David Nice stuff you've composed here. Without any doubt I can say that this is, by far, the best article that I've read this month. Keep it up!
leijon 19 if you want to move from one location to another then Flexible Movers is the best moving company to get in touch with, we are one of the best moving providers in London that can do both small and big moves as well as Man and van hire services.
Andrew David Excellent stuff here, mate. Certainly, this is the best post that I've read all this month. Thank you for writing this important post. You just don't know how much you've helped me with this.
abdul bari Chanessra I found this is an informative and interesting post so i think so it is very useful and knowledgeable. I would like to thank you for the efforts you have made in writing this article.
usman ali I definitely enjoying every little bit of it. It is a great website and nice share. I want to thank you. Good job! You guys do a great blog, and have some great contents. Keep up the good work.
usman ali There are such a lot of folks on Instagram that it may possibly be really hard to cut through the sound. But if you would like to get much more followers on Instagram, there are many confirmed tactics that may get you followers immediately and allow you to transform your written content to help keep them intrigued.
Jason Croft I would like to thank you for the efforts you have made in writing this article.
John Terry What an amazing article this is to read, my friend. I am literally very pleased with your work here. You've shown real and true quality of precision and article writing today. Good thing to see!
John Terry Once again, you've managed to dazzle me with your quirkiness. You are one of the best writers of this era, mate. You earned that praise and you should keep your level up to it.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.