Data breaches, much like death and taxes, are a fact of life these days. They are getting bigger and uglier with each passing breach, and massive ones now occur on what seems like a daily basis.
I read breach reports as a part of my daily routine and I see themes developing as a result. The three main ones that I can’t help but see are stolen equipment, bad passwords and missed patching.
Laptops get lost or removed by miscreants from the trunks of cars. More often than not, when I read about it in the data breach reports that involve stolen laptops there is a refrain that I can’t help but giggle about: “It’s OK, the laptop is password protected”. This is always a curiosity to me, as it is the equivalent of holding gauze in front of a semi truck and thinking that will stop it from running you over (hat tip to the late great Robin Williams).
Gaining access to a password-protected Windows laptop is extremely simple, and there is no shortage of tools that accomplish this task; some of the better ones are freely available. The logon password only guards the running operating system. If the disk itself is not encrypted, the data on it can be read by anyone who boots the machine from other media or pulls the drive and mounts it in another computer, and the local account password can simply be reset offline. “Password protected” is not “encrypted”.
The next source of breaches I’ll label as bad passwords. This is a pervasive problem. When the remote-access credentials for a system are user: $company and password: $company, why would an attacker burn a zero day to break in? Further to this end is the awareness aspect. Attackers use phishing against their targets for the simple reason that humans click links that catch their attention. We need to work harder at educating users about the risks in a way that will resonate with them.
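The $company/$company case above is the easiest kind of bad password to catch mechanically: the password is built from something the attacker already knows (the company name, the username, a product name). The following is an added example, not code from the original post, that screens a credential list against such context words, undoing common leet substitutions so that “Acm3Corp2016!” is still treated as the company name. The function name and the account list are constructed for illustration.

```powershell
# Added example (not from the original post): flag credentials whose password is
# trivially derived from the username or from organisation-specific words.
# Test-TrivialPassword is a hypothetical helper written for this illustration.

function Test-TrivialPassword {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string[]]$ContextWords   # company, product, site names
    )

    # Normalise the password: lower-case it and undo common leet substitutions so
    # "Acm3Corp2016!" still contains "acme".
    $norm = $Password.ToLowerInvariant()
    $leet = @{ '@'='a'; '4'='a'; '3'='e'; '1'='i'; '0'='o'; '$'='s'; '5'='s'; '7'='t' }
    foreach ($k in $leet.Keys) { $norm = $norm.Replace($k, $leet[$k]) }

    # The username is always a context word; keep only letters so "Acme-Corp"
    # and "acmecorp" compare equal.
    $candidates = @($UserName) + $ContextWords | ForEach-Object { $_.ToLowerInvariant() }
    foreach ($c in $candidates) {
        $cn = $c -replace '[^a-z]', ''
        if ($cn.Length -ge 3 -and $norm -like "*$cn*") { return $true }
    }
    return $false
}

# Constructed sample credentials (not real accounts).
$company  = 'Acme'
$accounts = @(
    @{ User = 'acme';     Password = 'acme' },                          # the $company/$company case
    @{ User = 'jsmith';   Password = 'Acm3Corp2016!' },                 # leet + year suffix
    @{ User = 'vpnadmin'; Password = 'vpnadmin1' },                     # username + digit
    @{ User = 'rlee';     Password = 'correct horse battery staple' }   # unrelated to context
)

foreach ($a in $accounts) {
    $weak = Test-TrivialPassword -UserName $a.User -Password $a.Password -ContextWords @($company, 'AcmeCorp')
    '{0,-10} {1}' -f $a.User, $(if ($weak) { 'WEAK: derived from username/company' } else { 'ok' })
}
```

The first three accounts are flagged and the last passes. This is a blocklist check of the kind NIST SP 800-63B recommends (context-specific words, plus breached and dictionary passwords); it complements, rather than replaces, a minimum length rule.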
The third persistent problem (and I mean truly persistent) is the patching problem. Everyone should patch their systems when security patches are released. Sadly, it seems that many are remiss in their duties. I have lost count of the number of companies that have been compromised as a result of a patch that was missed several years earlier.
That was a brief run-through of the things that I have seen crop up over the years, and it should come as no surprise. We can put up all the firewalls and so forth, but it’s all for naught if we fail to keep our systems patched and correctly configured. The three themes above are easy to address. For laptops, encrypt the whole disk; a logon password on its own protects nothing once the drive is out of the machine. For passwords, run security awareness programs that are more than a poster of a toothbrush saying, “You wouldn’t share this, would you?” And for patching, just do it.
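“Encrypt them” is only useful if you can verify it. The following is an added example, not code from the original post, that reports whether each volume on a Windows machine is actually encrypted with BitLocker and whether its key protectors are enforced; the function name is a hypothetical one chosen for this illustration. It uses the standard Get-BitLockerVolume cmdlet and needs an elevated prompt.

```powershell
# Added example (not from the original post): check that a Windows laptop's
# disks are encrypted, not merely sitting behind a logon password.
# Get-EncryptionAudit is a hypothetical name for this illustration.

function Get-EncryptionAudit {
    [CmdletBinding()]
    param()

    $volumes = Get-BitLockerVolume -ErrorAction Stop

    foreach ($v in $volumes) {
        # VolumeStatus says whether the data on disk is encrypted; ProtectionStatus
        # says whether the key protectors are enforced. A volume can be
        # FullyEncrypted yet have protection suspended (clear key stored on disk),
        # which is as good as unencrypted to whoever has the drive.
        $encrypted  = $v.VolumeStatus -eq 'FullyEncrypted'
        $protected  = $v.ProtectionStatus -eq 'On'
        $protectors = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','

        [pscustomobject]@{
            MountPoint        = $v.MountPoint
            VolumeType        = $v.VolumeType
            VolumeStatus      = $v.VolumeStatus
            Protection        = $v.ProtectionStatus
            EncryptionPercent = $v.EncryptionPercentage
            KeyProtectors     = $protectors
            # A lost laptop keeps its data private only if both are true.
            DataAtRestSafe    = $encrypted -and $protected
        }
    }
}

# Usage: list every volume, then fail loudly if any is unencrypted or unprotected.
$audit = Get-EncryptionAudit
$audit | Format-Table -AutoSize

$exposed = $audit | Where-Object { -not $_.DataAtRestSafe }
if ($exposed) {
    Write-Warning ('Unencrypted or unprotected volumes: ' + ($exposed.MountPoint -join ', '))
    exit 1
}
```

Look at the KeyProtectors column as well as the pass/fail: an operating-system volume whose only protector is the TPM unlocks automatically at boot, so the data is again behind nothing but the logon screen once the machine is running. A TPM plus PIN protector (or a passphrase on data volumes) is what makes the lost-laptop case genuinely safe.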
Seriously, patching. This is no surprise to anyone in the security field and should not be for anyone in IT. Sadly, it seems that we are due for a re-education.
It is amazing to me that I have been reading about breaches for so long that I’m now seeing data breaches from years gone by return to the headlines. Case in point: Dropbox and Last.fm. Both of these sites were compromised in 2012 and there were stories about it then. They are back in the headlines four years after the fact because the credential databases taken in those breaches have only now surfaced publicly, and every password in them that was reused elsewhere is live again.
So now, because of our collective missteps, we see data breaches returning to haunt us. We need to do a better job of tackling the fundamentals to stop data breaches from going into syndication runs.