The 12 IT Security Hacks of Christmas

Although 2013 is remembered as the “year of the retailer breach,” in 2014, no industry is left out. With IT security breaches totaling over a half billion records in 2014, companies like Adobe, Ebay, JP Morgan Chase, Home Depot, AOL, NASDAQ and even Google joined the fold.

In spite of this staggering number and last year’s holiday breaches, many retailers remain underprepared. Staggeringly a security firm, BitSight Technologies estimates fifty-eight percent of retailers are less secure today compared to last year.

To prevent holiday hackers, this blog relates the 12 Hacks of Christmas guaranteed to wake up your board of directors and executive management teams.

According to Forbes, a security breach is the number one reason to fire a CIO. The failure to secure company data and assets will cost you your job. Target’s holiday breach demonstrates the price of such a fiasco and new order. They quickly replaced CIO, Beth Jacobs with an information technology adviser from the U.S. Department of Homeland Security.

Brian Kreb’s estimates one to two million credit cards were stolen from Target and successfully sold on the black market in a matter of days. These cards were used for fraud before banks could cancel them. Krebs puts the cost to credit unions and community banks for reissuing 21.8 million cards, about half the stolen total, at $200 million.

In the 2014 Trustwave Global Security Report, the survey indicates the median number for organizations to detect an intrusion is eighty-seven days or approximately three months. Just as alarming, seventy-one percent of the companies did not detect the breach themselves. Once detected, the medium number of days from detection to containment took seven days according to the report.

The 2014 Cost of Data Breach Study: Global Analysis conducted by the Ponemon Institute, reports four factors that decrease the cost of a breach. The study points to a strong security posture along with incident response planning, business continuity management, and a CISO with enterprise-wide responsibility can reduce the cost by as much as forty-two dollars per record.

Last year five retailers, Michaels, Neiman Marcus, Sears, Target, and Zappos reported security breaches between November and the end of January. In an analysis by Imperva, a network security company, they report attacks against retail sites increased by 264% from November 14th, 2013 to January 9th, 2014. Clearly, cyber criminals are more motivated during the holidays.

The Trustware Security Report identifies the oldest vulnerabilities as the most useful to attackers. Some techniques have been around since the year 2000. They include:

• Man-in-the-middle (MitM) attacks
• Legacy attack vectors
• Layer 2 attacks such as ARP spoofing
• Unencrypted protocols for transmitting sensitive information
• Legacy protocols such as Unix ‘rsh’ and ‘rlogin’ services
• Misconfigured network access rules and controls

The Ponemon Institute Data Breach Study reveals most data breach are caused by a malicious insider or criminal attack. Over the next 12-months, companies anticipate spending on average seven million dollars on security. However, the study advocates the ideal amount to invest over the next twelve months necessary to execute on their IT security strategy averages fourteen million dollars.

The Verizon 2014 Data Breach Investigations Report shows eight percent of security incidences result from insider and privileged account misuse. The report cites most crimes by trusted parties are perpetrated for financial or personal again. 2013 saw an increase in insider espionage targeting internal data and trade secrets using a broader range of tactics.

During 2014, the cost of IT security breaches increased by nine dollars per data item according to the Ponemon Institute Study. In 2013, the average cost for a compromised record containing sensitive information increased by more than nine percent from $136 to $145. In Germany and the United States, the 2014 cost was $195 and $201 per data item.

From the Symantec Corporation Internet Security Threat Report 2014, it lists the top ten types of information breached as follows:

1. Real Names
2. Birth Dates
3. Government ID Numbers (Social Security)
4. Home Address
5. Medical Records
6. Phone Numbers
7. Financial Information
8. Email Addresses
9. User Names and Passwords
10. Insurance

The Verizon Investigations Report cites a consistent increase in reported organized crime incidences. They note a tripling of incidences over the previous year with the Public, Professional and Manufacturing sectors hit the hardest. Organizations are targeted, because of their contracts and relationships with other organizations. Criminals also seek information related to intellectual property, technology, and business processes.

The Department of Homeland Security views the lack of people with cyber security skills requires urgent attention. To be blunt, there are simply not enough qualified security professionals to hire. With the demand for cyber security experts growing at twelve times the rate of the overall job market, the development of talent is a national security issue.

There you have it. The 12 IT Security Hacks of Christmas. May you use this information to experience a safe and secure holiday.

Merry Christmas to all from Avatier.

Get the Top 10 Identity Manager Migration Best Practices Workbook

Start your migration from legacy software with the Top 10 Identity Manager Migration Best Practices Workbook. Use this workbook to think through your information security risk before you transition to next generation identity manager software.

Request the Workbook