No Summer Break for Learning Lessons From Recent Data Incidents

Part two of CU Times' look at recent data security issues, which impact nearly everyone.

Recent data security problems should worry CU IT professionals.

Recent data incidents provide learning opportunities for organizations, including credit unions, to take risk management actions. In the second of two articles, experts offer guidance for dealing with cybersecurity issues.

The events involved Exactis, a data broker based in Palm Coast, Fla., which exposed a database containing almost 340 million consumer and business records; FastBooking, a Paris-based company that sells hotel booking software to more than 4,000 hotels in 100 countries, which revealed personal details and payment card data of guests from hundreds of hotels; and Ticketmaster UK, which admitted an incident that affected up to 40,000 customers.

Rebecca Herold, president of SIMBUS and CEO of The Privacy Professor, warned cybercrooks can use unsecured data on the internet – on webservers, in social media sites, and other places – in many ways, most of which are harmful to the associated individuals. “Don’t believe any organization that downplays this and tries to say such things as ‘There is no evidence that the data was misused,’ or ‘We don’t think those taking the data will do anything bad.’ No one knows! Because this data was out in the open for the taking, there could have been many different cybercrooks snatching it.”

Herold suggested credit unions need to ensure their own data put online is not at risk by performing regular data security risk assessments (at least annually, and whenever significant business operations or technology changes occur). They should also engage external auditors, or at least their own internal auditors, to perform a security audit of their servers and of the applications involving customer data. “I also recommend occasional penetration testing and vulnerability assessments. Given the large number of international, Federal, state and local laws and regulations, credit unions may also have applicable legal requirements to do all these activities.”

Additionally, Herold warned now that all that data is out in the open, there will be many cybercriminals using it to do a wide range of phishing activities. “Credit Unions need to ensure their employees receive regular data security and privacy training in general, and specifically training to help them recognize and not fall for phishing attempts.”

The Privacy Professor also noted that because Exactis is a third-party vendor, the incident points out the significant risks that third parties bring to the organizations that hire them. “Credit Unions must implement a vendor risk management program that includes doing due diligence for existing, and potential, vendors to ensure that they have effective security controls in place.” Credit unions should also check whether they use Exactis for their own marketing, sales and data analytics activities.

Gene Fredriksen, chief information security strategist for St. Petersburg, Fla.-based CUSO PSCU, pointed out there were also third parties involved with Ticketmaster and FastBooking. It is a reminder that credit unions should also be wary of third parties. “That really hits on the importance of having properly secured servers.” He also warned about organizations gathering data using research firms for geographic, income and ethnic profiling to learn about the people and their habits in a specific area. “You’ve got to assume the bad guys are doing it too. You’ve really got to look close.”

Matan Or-El, Panorays CEO and co-founder, said the incidents raise a necessary point. “Each company that deals with a third party, especially critical ones that hold customer and proprietary data, should consider the security strategy and practices of their third party.”

The Panorays CEO also suggested considerations include understanding the security posture of the third party’s public facing websites, servers and services, the encryption protocols they use, and even the security measures and solutions that they place around their network.

Setu Kulkarni, VP of corporate strategy at WhiteHat Security, explained how digital logs create vulnerabilities, and how to prevent this. First, think of logs as the digital exhaust of applications and infrastructure. “They contain critical information about apps and infrastructure that, if made public, can expose all known and unknown vulnerabilities.”

Kulkarni added, “More broadly, when using cloud-based infrastructure services – a new level of threat modeling is required that focuses not just on the applications, but also on the operating environment.” Therefore, establishing and following the chain of security is critical:

  1. Secure the data.
  2. Secure the applications that access the data.
  3. Get strict with identity management.
  4. Secure the endpoint (in this case, the Elasticsearch system should have been secured behind the network perimeter).”
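Step 4 is the one the Exactis exposure turned on: a data store listening on a public interface with no authentication in front of it. The following added example (written for this article, not code from WhiteHat Security, Exactis or any company quoted here) checks an elasticsearch.yml-style configuration for that pattern. The setting names `network.host`, `http.port`, `xpack.security.enabled` and `xpack.security.http.ssl.enabled` are real Elasticsearch settings; the two sample configurations are constructed, and treating a missing `xpack.security.enabled` as "off" is a deliberately conservative assumption, since older releases did not enable security by default.

```python
"""Flag an Elasticsearch node configuration that is reachable from the network
without authentication: the 'unsecured endpoint' failure from step 4 above.
Added example for this article; sample configs below are constructed."""

# Constructed weak configuration: bound to every interface, security off.
WEAK_CONFIG = """\
cluster.name: demo-cluster          # constructed name
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed hardened configuration: loopback only, auth and TLS on.
HARDENED_CONFIG = """\
cluster.name: demo-cluster
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Values of network.host that keep the node off the network.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_settings(text):
    """Parse the flat 'key: value' lines of an elasticsearch.yml into a dict.
    Comments after '#' and blank lines are ignored; nested YAML is out of scope."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def setting_is_true(settings, key, default):
    """Read a boolean setting; 'default' applies when the key is absent."""
    value = settings.get(key)
    if value is None:
        return default
    return value.lower() == "true"


def assess_exposure(config_text):
    """Return a list of findings for the configuration; empty means no issue found."""
    s = parse_settings(config_text)
    findings = []

    host = s.get("network.host", "_local_")  # Elasticsearch default is loopback
    exposed = host not in LOOPBACK_HOSTS
    if exposed:
        findings.append(
            f"network.host={host}: node listens beyond loopback; keep it behind the "
            "network perimeter or restrict it with a firewall")

    # Assumption: absent xpack.security.enabled is treated as off (conservative).
    auth_on = setting_is_true(s, "xpack.security.enabled", default=False)
    if not auth_on:
        findings.append("xpack.security.enabled is not true: no authentication on the API")

    if exposed and not auth_on:
        findings.append("CRITICAL: indexes are readable by anyone who can reach the port")

    tls_on = setting_is_true(s, "xpack.security.http.ssl.enabled", default=False)
    if exposed and not tls_on:
        findings.append("HTTP API served without TLS on a network-facing node")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {assess_exposure(cfg) or ['no findings']}")
```

Run it as a file and the weak configuration produces four findings, including the critical one, while the hardened configuration produces none. In a real deployment the same check belongs in the pipeline that ships the configuration, so an index never reaches a public interface without authentication in the first place.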

Kulkarni also provided feedback on the FastBooking incident. “Web application development is a continuously evolving domain, given the need for creating and sustaining high user engagement. And in the pursuit of user adoption, web-delivered systems integrated via application programming interfaces create more complete, seamless and harmonious systems that simplify and aggregate otherwise complex and seemingly disparate interactions.”

As such, formal processes and best practices for developing modern software still require definition. “Companies should empower developers to code using security best practices in mind throughout the entire software development life cycle, with proper training and even security certifications,” Kulkarni held.

Jeannie Warner, security manager at WhiteHat Security, suggested that to prevent breaches through third-party software, as in the case of Ticketmaster, organizations can follow a few simple steps: get together with internal stakeholders to agree on acceptable vendor security standards; communicate the security standards to the vendors; and monitor the security status of third-party vendors at regular intervals.

“Every plugin which interacts with a transactional site deserves a security review in the decision process (code vs. buy). Hackers are finding that smaller companies that create useful plugin software are even easier to hack than the main site, due to the lack of rigor often found in smaller development shops,” Warner added.