If I asked you about your company’s efforts to promote cybersecurity, what would your answer be? And how would you answer if I asked about the types of mistakes and incidents that hurt your security and make you vulnerable?
I think these are good things to think about at times when you aren’t in the midst of a security incident or facing budget issues. But I also want you to think outside the box for a moment. What are some of the little things you are doing that might be putting you at risk, the things that you never would have thought twice about before? You might be surprised at the ways we make our networks and data vulnerable. Here are a few situations I came across recently that show how the smallest slip-up has the potential to turn into a serious security incident.
Let’s start with one I discussed right after it happened: Information about nearly 200 million registered voters was made easily available because a company that had the data forgot to reset the password after a routine software upgrade.
Earlier this week, Dow Jones unwittingly exposed sensitive information of approximately 4 million customers because a cloud security leak, as eSecurity Planet explained:
"The exposed data repository, an Amazon Web Services S3 bucket, had been configured via permission settings to allow any AWS 'Authenticated Users' to download the data via the repository's URL," UpGuard cyber resilience analyst Dan O'Sullivan wrote in a blog post examining the breach. "Per Amazon's own definition, an 'authenticated user' is 'any user that has an Amazon AWS account,' a base that already numbers over a million users; registration for such an account is free."
That wasn’t the only cloud security issue we’ve seen in the past couple of weeks. Verizon also had its own security incident with AWS. Again, UpGuard discovered the leak that was by NICE Systems, a third-party contractor Verizon was working with. According to CNN:
The incident stemmed from NICE security measures that were not set up properly. The company made a security setting public, instead of private, on an Amazon S3 storage server. This means Verizon data stored in the cloud was temporarily visible to anyone who had the public link.
My final example comes from Samsung, which left customer information vulnerable because the company allowed a domain that controlled a stock app to expire, as Motherboard explained:
By letting the domain expire, Samsung effectively gave anyone willing to register it a foothold inside millions of smartphones, and the power to push malicious apps on them, according to João Gouveia, the chief technology officer at Anubis Labs. Gouveia says he took over the domain Monday.
As Varun Badhwar, CEO and co-founder of RedLock, told me in an email comment, data leaks like this are becoming all too common today, adding:
And the troubling fact is that we’ll most likely continue to see these types of incidents at increasing rates in the near future. RedLock research suggests that there’s much more confidential information openly available on the web due to public cloud misconfigurations than we currently know about – 40 percent of companies have exposed a public cloud resource due simply to incorrect configuration settings.
So I ask again, what types of mistakes are you making that could hurt your security? It may be the small things that fall through the cracks.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba