This content is part of the Essential Guide: Understanding and responding to POS malware

Breaches show information security fundamentals prove hard to learn

News roundup: Heartbleed vulnerabilities, point-of-sale malware and phishing scams are nothing new, yet numerous companies continue to fall victim to them. Shouldn't the lesson be learned by now? Plus: HTTP Shaming, Dropbox improvements and more.

It seems like a week can't go by without hearing news of another data breach. Amid Heartbleed vulnerabilities,...

point-of-sale malware and phishing scams, one would think that enterprises would learn from others' mistakes by refocusing on information security fundamentals.

Yet, unfortunately, some security lessons just aren't being learned.

A breach revealed this week at Community Health Systems Inc. exposed the sensitive data of 4.5 million patients. It was later reported that the OpenSSL vulnerability Heartbleed was to blame; reports suggest the exploit occurred on a Juniper Networks Inc. VPN product that was not properly updated after news of the coding vulnerability broke in April of this year. While speculation persists, some suggest that had CMS implemented Juniper's patch, the breach may have been prevented or at least mitigated.

But it's not only Heartbleed causing problems. Last week two major supermarket chains -- SuperValu Inc. and AB Acquisition LLC -- separately revealed that customer credit card information may have been stolen during a network intrusion. Then yesterday UPS confirmed that it was hacked earlier this year as an effect of point-of-sale (POS) malware. If POS malware sounds familiar, it should. It was the Kaptoxa POS malware that was at the heart of last year's Target breach, which affected up to 70 million customers.

Several other companies -- including Neiman Marcus, PF Chang's China Bistro and Michaels Stores Inc. -- have also fallen victim to similar breaches.

In most, if not all,  of these instances, the breaches could have been avoided or at the very least had the effects lessened had companies heeded warnings and taken a closer look at potential vulnerabilities in their own systems when the initial breaches occurred.

After the Target breach, US-CERT in conjunction with the U.S. Department of Homeland Security released a report outlining not only the steps hackers were taking to infiltrate systems, but also how enterprises could mitigate and prevent such attacks. Numerous articles have also been published to help organizations defend against POS vulnerabilities, and, truth be told, protection strategies haven't changed much in the past decade. Strong passwords, firewalls and antimalware are critical to security success, as are using patched and updated systems, restricting access and not closely governing remote access.

In the case of Heartbleed, as soon as the OpenSSL vulnerability was found, the website began publicizing the issue and offered information to help businesses and individuals recover and prevent issues. Sadly, many organizations did not follow the advice; if they did, it did not happen quickly enough.

And let's not forget phishing -- how many times have these scams created issues for companies? A report from NextGov states that employees at the United States Nuclear Regulatory Commission were the most recent phishing victims, tricked into divulging their login details in a series of phishing emails, which subsequently led to three different intrusions over the past three years. Mitigating phishing and other social engineering scams don't even require software upgrades or expensive investments -- merely security awareness training and employee compliance, yet organizations fall prey to this tactic again and again.

Security managers and organizations would do well to take a minute to stop and read the lessons that recent history is teaching them -- these lessons may hold the key to preventing the same issues from happening within their own enterprises.  

In other news:

  • A new website aptly named HTTP Shaming publicly humiliates websites and applications using unencrypted communications (HTTP) that potentially put sensitive user data at risk. Site creator Tony Webster said the aim of the project is to get sites and apps using HTTP to migrate to the more secure HTTPS. So far, AT&T, the Parliament of Australia, KeePass and Adobe Systems Inc. are among the organizations that have been called out.

    The website HTTP Shaming illustrates how Adobe Flash Player downloads software updates over unsecured HTTP.The website HTTP Shaming illustrates how Adobe Flash Player downloads software updates over unsecured HTTP.
  • The popular file-sharing service Dropbox announced on Tuesday that it was adding three new features to its Dropbox for Business program: View only permissions for shared folders, passwords for shared links and expirations for shared links. The changes come months after mainstream media revealed Dropbox could potentially leak private data.
  • A group of security researchers from Georgia Tech made a presentation on Mimesis Aegis at the USENIX Security Symposium in San Diego this week. The Latin name roughly translates to "imitation shield." It is a new approach to user data privacy that creates a "transparent window" on top of applications, preventing unencrypted data from leaving the device. Currently, MAegis works on Android devices and supports cloud services including Gmail, Facebook Messenger and WhatsApp.
  • ISACA and the Institute of Internal Auditors (IIA) have released a report urging members of corporate boards of directors to actively take part in enterprise cybersecurity. The report "provides the practical guidance that board members need to become active partners in battling cybercime," IIA President and CEO Richard Chambers stated in a press release. The report details strategies and advice to help board members establish enterprise risk management strategies, communicate effectively with management teams, stay on top of cybersecurity situations and more. The report comes as security experts say that a lack of security education, not awareness, is holding board members back from taking more active roles in information security programs.

Next Steps

Learn more about life after Heartbleed

Gain insight into the preventable RAM-scraping attacks

Need phishing defense lessons? Start here

HTTP vs. HTTPS: Calculating the tradeoff

Do enterprise-grade features make Dropbox enterprise safe?

Dig Deeper on Data security breaches