These Technology IT Security links are part of a weekly series, Ethical Hacker Roundup, featuring the information security and cyber security related articles that we’ve read over and thought worth sharing from the past week.
Claiming that he has acquired over 3 million Verizon customer records after gaining root access to one of its servers, a hacker named TibitXimer posted 300,000 of them on Pastebin. The records included names, addresses, mobile serial numbers, and various account data. All of the records had been stored unencrypted and were readable as plain text.
According to the hacker, he stole the records back in July in a fit of pique with Verizon, which he claims did nothing to fix the gap in its defenses after he informed it of the problem, and reportedly still hasn't. Though Verizon denies its servers were hacked, the data apparently relates to Verizon FiOS customers.
The latest reports from Verizon state that “an unnamed marketing firm” was to blame for accidentally making the data available online, and that the alleged hacker merely came across it and decided to claim he’d breached Verizon servers. Whether Verizon’s systems were directly breached or not, its sensitive customer data appeared on the web and its corporate image was negatively impacted.
On the third day of Christmas the Internet gave to me: two malicious e-mails, one spam campaign, and a partridge in a pear tree… or so IT security professionals are anticipating. According to a recent survey of over 270 IT security professionals, 61% said they felt their companies would be “more vulnerable” to cyberattack during Christmas, New Year’s and other major holidays.
Anecdotally it’s not clear that there actually are more web-based attacks on Christmas – cyberthugs are probably out shopping and partying along with the rest of us. But due to the heightened urgency of shopping, charitable giving and general fellow-feeling, there is a spike in phishing and spam campaigns, many of them specific to holiday themes. Identity theft is likewise seen to be more prevalent during the holidays. Also, many businesses have reduced IT staff on duty over the holidays, which could render their infrastructure more open to attack. “There are less eyes on hand to notice odd patterns in network usage, less hands on deck to handle a breach…”
How vulnerable is your company over the holidays? Not surprisingly, it’s the strength of your information security program that determines the answer, not the time of year. IT security professionals whose organizations have robust Information Security Management Systems can sleep more soundly during the holidays… and on all the days in between. If your program seems like it might be ready to dish out gifts to naughty hackers, consider appropriate penetration testing as a logical starting point.
2012: The IT Security “Year in Review”
At this point in the calendar, many bloggers and reporters put together a “10 best” (or “10 worst”) article that highlights important events and trends in the preceding twelve months. Looking back, 2012 had no shortage of high-profile security breaches in nearly every sector, as IT security was frequently in the forefront of both the trade press and popular news.
Here are several interesting “recap” articles worth checking out:
- Enterprise CIO Forum offers the Top 10 Security and IT Governance Articles of the Year, from a variety of sources. Topics run the gamut from addressing insider threats to developing a security awareness culture to interfacing with the Board of Directors.
- From ComputerWeekly.com comes the Top 10 IT security stories of 2012, which highlights how “knowledge and understanding of the latest attack techniques are lacking in many organizations.” Issues with user security awareness, successful targeting of new technologies (e.g., virtualized infrastructure and mobile devices), and the rising cost of data breaches are other “recurring themes” cited.
- McAfee blogged about the Top 5 Security Trends of 2012, with an emphasis on widely publicized events. Threats to banks and their customers, mobile device users, and consumers of public IT infrastructure (e.g., LinkedIn and Dropbox customers impacted by those widely publicized breaches) are a recurring theme here.
There are a variety of other security assessments that we can perform that will help you know you’re secure and prove you’re compliant. We have the right combination of Information Security/Compliance domain expertise, technology industry knowledge and experience, and organizational character to help you define and execute on the best course of action. See how we can help.