Information Security Blog

Hack Attacks Don’t Take A Holiday as 2012 Ends



These IT security links are part of a weekly series, Ethical Hacker Roundup, featuring the information security and cyber security articles that we’ve read over the past week and thought worth sharing.

These articles were emailed to us, shared on Twitter @pivotpointsec and our Google+ page, and read in RSS subscriptions this week.

Hacker Dumps 300,000 Verizon Customer Records onto Pastebin

Claiming that he has acquired over 3 million Verizon customer records after gaining root access to one of its servers, a hacker named TibitXimer posted 300,000 of them on Pastebin. The records included names, addresses, mobile serial numbers, and various account data. All of the records had been stored unencrypted, in plain text that anyone could read.

According to the hacker, he stole the records back in July in a fit of pique with Verizon, which he claims did nothing to fix the gap in its defenses after he informed them of it – and still ostensibly hasn’t. Though Verizon denies its servers were hacked, the data apparently relates to Verizon FiOS customers.

The latest reports from Verizon state that “an unnamed marketing firm” was to blame for accidentally making the data available online, and that the alleged hacker merely came across it and decided to claim he’d breached Verizon servers. Whether Verizon’s systems were directly breached or not, its sensitive customer data appeared on the web and its corporate image was negatively impacted.

Holiday Time is Hacking Time

On the third day of Christmas the Internet gave to me: two malicious e-mails, one spam campaign, and a partridge in a pear tree… or so IT security professionals are anticipating. According to a recent survey of over 270 IT security professionals, 61% said they felt their companies would be “more vulnerable” to cyberattack during Christmas, New Year’s and other major holidays.

Anecdotally it’s not clear that there actually are more web-based attacks on Christmas – cyberthugs are probably out shopping and partying along with the rest of us. But due to the heightened urgency of shopping, charitable giving and general fellow-feeling, there is a spike in phishing and spam campaigns, many of them specific to holiday themes. Identity theft is likewise seen to be more prevalent during the holidays. Also, many businesses have reduced IT staff on duty over the holidays, which could render their infrastructure more open to attack. “There are less eyes on hand to notice odd patterns in network usage, less hands on deck to handle a breach…”

How vulnerable is your company over the holidays? Not surprisingly, it’s the strength of your information security program that determines the answer, not the time of year. IT security professionals whose organizations have robust Information Security Management Systems can sleep more soundly during the holidays… and on all the days in between. If your program seems like it might be ready to dish out gifts to naughty hackers, consider appropriate penetration testing as a logical starting point.

2012: The IT Security “Year in Review”

At this point in the calendar, many bloggers and reporters put together a “10 best” (or “10 worst”) article that highlights important events and trends in the preceding twelve months. Looking back, 2012 had no shortage of high-profile security breaches in nearly every sector, as IT security was frequently in the forefront of both the trade press and popular news.

Here are several interesting “recap” articles worth checking out:

  • Enterprise CIO Forum offers the Top 10 Security and IT Governance Articles of the Year, from a variety of sources. Topics run the gamut from addressing insider threats to developing a security awareness culture to interfacing with the Board of Directors.
  • From ComputerWeekly.com comes the Top 10 IT security stories of 2012, which highlights how “knowledge and understanding of the latest attack techniques are lacking in many organizations.” Issues with user security awareness, successful targeting of new technologies (e.g., virtualized infrastructure and mobile devices), and the rising cost of data breaches are other “recurring themes” cited.
  • McAfee blogged about the Top 5 Security Trends of 2012, with an emphasis on widely publicized events. Threats to banks and their customers, mobile device users, and consumers of public IT infrastructure (e.g., LinkedIn and Dropbox customers impacted by those widely publicized breaches) are a recurring theme here.

IT Security

There are a variety of other security assessments that we can perform that will help you know you’re secure and prove you’re compliant. We have the right combination of Information Security/Compliance domain expertise, technology industry knowledge and experience, and organizational character to help you define and execute on the best course of action. See how we can help.



Free Download: ISO 27001 Vendor Selection Toolkit

Our ISO 27001 Toolkit will help you to select an ISO 27001 consulting firm.
  • Review the Issues Critical to Your Environment
  • "Vet" Vendor Qualifications
  • Compare the Top 3 Vendors
  • Sample RFP Included

Download: Information Security Attestation Guide

A Best-Practices Guide to Information Security Attestation

Download our proven Information Security Guide to simplify the process of protecting your data, proving you’re secure and growing your business.

Free Whitepaper: Five Best Practices for SIEM


The promise of SIEM is the consolidation of all relevant Security Event Logs from disparate sources into a single unified and normalized data store.

Free Download: A Best Practices Guide to Database Security


Because data is only as secure as the systems & processes it relies on – a holistic approach to data security is essential. This roadmap is not meant to be exhaustive but rather to stimulate the necessary thought process to put you on the path to good data security.

Is ISO 27001 Right for (Y)our Organization?


Thinking about ISO 27001 Certification? View our free On-Demand ISO 27001 Webinar

  • How to deal with increasing threats
  • How to manage multiple regulatory requirements
  • How to handle client requests for attestation
  • To validate that significant changes did not have unanticipated results

Best Practices for Firing A Network Security Administrator

Want to know how to fire a Network Admin? Need to know what precautions to take? Firing any employee can be a stressful event. Firing one who has significant knowledge of and privileged access to your Information Technology/Security infrastructure is even more stressful, as the risks are so notable.

Free Whitepaper: Stop Wasting Money on Penetration Testing


Penetration Testing is most frequently performed to:

  • Substantiate the net effectiveness of a mature control environment
  • Prove to a third party that an environment is secure/trustworthy
  • Quickly assess the security of a less mature control environment (in a sense a technical risk assessment)
  • Validate that significant changes did not have unanticipated results

Free Download: ISO 27001 Implementation Roadmap

Have no fear – our “roadmap” will guide you, step by step, through the entire ISO 27001 process.

Getting to ISO 27001 certification is a process made up of things you already know – and things you may already be doing!

About the Author:

Marketing at Pivot Point Security
