by Josh Arrington
Security breaches, server attacks, data loss. No matter the headline, as you’ll see in this week’s IT Security Rewind post, it appears that hackers continue to follow similar patterns of infiltration and escalation.
Bank + Data Breach = Bad Combination: Banking organizations continue to be susceptible to data breaches. This week the latest victim was Citi Bank. Initial estimates have found that 200,000 customers are already affected. Despite the size of the breach, there is still no confirmation of the actual attack vector that was used to obtain access, but if you are a betting man (or woman), elevated privileges would be a safe bet.
Stuxnet—Plenty of Holes in This Story. The opening line to this ThreatPost article says it all—“The media storm over the Stuxnet worm may have passed, but many of the software holes that were used by the worm remain unpatched and leave Siemens customers open to a wide range of potentially damaging cyber attacks, according to industrial control system expert Ralph Langner.”
In the piece, Langner proceeds to claim that the media paid too much attention to the zero-day Windows vulnerabilities that enabled the worm, but overlooked the other security holes that were exposed and utilized. One of those vulnerabilities that still exists is a hard-coded password in Siemens WinCC. If uncovered and exploited, as has all too commonly become the case, this vulnerability can provide an attacker with unfettered access to a system’s network.
Insiders as a First Line of Defense: An interesting study out of the Ponemon Institute found that three quarters of UK organizations have suffered data loss in the past year. While these numbers include data that was compromised due to network attacks, or lost due to stolen equipment, the study does shed light on the lack of enterprise-wide employee awareness of data security best practices. According to the report, 53% of UK respondents surveyed believe their employees have little or no awareness of data security, compliance and policies. This data highlights a greater need for data protection strategies to include an emphasis on user awareness, “as people are often the first line of defense.”
What other security headlines do you think are worth highlighting this week?