CSOs warned on internal security as eBay cleanup continues

A week after the breach of 145m eBay user accounts, the ongoing discovery of new flaws in the company's security defences has security software specialists renewing their calls for CSOs to implement better internal security practices.

The attack came, according to eBay, after a number of eBay user credentials were compromised and a database containing personal information stolen. A second vulnerability was subsequently revealed, and more are being discovered as security experts pore over the site's code.

Security researcher Lysa Myers, who has been looking into the attack as part of her work at security vendor ESET, noted that the separation of financial data from personal data had prevented the attack from being worse – but that the breach was still bad enough that it could well encourage eBay to follow Twitter and Google in offering users two-factor authentication as an alternative to simple password protection.

Companies seeking to limit the damage caused by potential breaches of internal credentials should look into using network segmentation to restrict inter-system access, Myers said.

“Companies should be setting permissions within the organisations to only those things a user must access in order to do his or her job,” she advised. “For example, the HVAC vendor in the huge Target retail store breach should not have had access that enabled criminals to get to the point of sale terminals as this was clearly not necessary to perform their role as a supplier.”

The breach also reinforced the importance of encrypting sensitive data at rest, Myers added – a perspective shared by Paul Ayers, EMEA vice president with security firm Vormetric.

“Even though a portion of [the stolen data] was encrypted,” Ayers said, “it appears a good deal was not and it is this kind of personal information which is often used by criminals to launch further attacks.”

“That the passwords were encrypted will come as little comfort to the millions of eBay users whose other data may have been accessed.”

Mike Malloy, executive vice president of products and strategy with security firm Webroot, said the delay between eBay discovering the vulnerability and informing its users was a “worrying trend, and reminiscent of other notable breaches in the recent past.”

With few companies earning sympathy for trying to keep their names out of the media, an effective response necessarily involves proactively informing customers so they can be aware of potential follow-on attacks as hackers seek to compromise them via email, SMS and phone. Informing customers of a breach “and asking to change passwords, even preemptively, is the right thing to do,” he said.

Malloy also slammed companies' practice of treating non-password data with less care and security protection than they give to passwords. With many online and offline organisations using information such as date of birth as part of their verification processes, such information must be carefully protected to ensure it doesn't further a security compromise.

Ian Hodge, managing director of Dell Software Australia-New Zealand, noted that poor protection of internal access credentials often leaves organisations struggling to control their data.

“For too long companies have focused on external threats but threats don't always come from external sources,” he said, recommending that companies make regular audits of privileged user accounts and enforce strong passwords that are frequently changed.

“Knowing who has access to what and ensuring that users are only provided with the lowest level of access required to perform a task, can further reduce the threat,” he explained.

“Often, data leaks can originate from employees, through intentional theft, lost or stolen mobile devices or accidental exposure. It is only by ensuring you take a holistic view to security that threats can be reduced.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Copyright © 2014 IDG Communications, Inc.
