
August 29, 2007

Avoiding Monster.com-sized Breaches

Last Thursday, Monster.com announced it had suffered a data breach impacting the information stored in its resume database. According to a report published on ZDnet, the breach affected the records of 1.3 million job seekers.

While some headlines focused on the 5 days it took Monster.com to disclose the issue, Mike Rothman chose instead to provide a list of essentials you need to be able to address before going public.

  • What happened
  • How much was stolen
  • Who was affected
  • What you are going to do to make sure it doesn't happen again

Here's some of my thoughts on the issue:

What Should Breached Companies Do Differently than Monster.com?

Affected job seekers should have been notified much earlier than the five day period that Monster.com took. Users should have been made aware of the breach along with Monster's incident response strategy. It is imperative that customers whose data has been stolen be notified immediately, so that further countermeasures can be taken to protect other personal information.

How to Protect Your Network from Hackers

Companies should review the security components of their file systems and implement controls that mitigate the risk of data theft. These components include, but are not limited to:

  • File system permissions
  • Access management with frequent monitoring and review
  • Network access management
  • Continuous inventory of systems and servers, monitored consistently to identify rogue devices
  • Hardened systems and hosts, kept current with the appropriate updates, service packs and patches
  • Protection of DNS records
  • Evaluation and monitoring of ICMP traffic
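The first item on that list, file system permissions, is the one most directly tied to a resume database sitting on disk. The following is an added example (not code from the post or from Monster.com) showing how a defender can audit a directory of personal data against a least-privilege policy: nothing readable, writable or executable by "other", and nothing group-writable. The policy itself, the sample directory layout and the file names are assumptions constructed for the example.

```python
import os
import shutil
import stat
import tempfile

# Hypothetical policy for a directory holding personal data (an assumption of this
# example, not a requirement from the post): nothing may be readable, writable or
# executable by "other", and nothing may be writable by the group.
CHECKS = (
    (stat.S_IROTH, "world-readable"),
    (stat.S_IWOTH, "world-writable"),
    (stat.S_IXOTH, "world-executable"),
    (stat.S_IWGRP, "group-writable"),
)


def check_mode(mode):
    """Return the list of policy violations for a raw st_mode value."""
    perm = stat.S_IMODE(mode)
    return [label for bit, label in CHECKS if perm & bit]


def audit_tree(root):
    """Walk `root` and return {relative_path: [violations]} for every file or
    directory that breaks the policy. Entries are inspected with lstat, and
    symlinks are skipped so the audit never follows a link out of the tree."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            problems = check_mode(st.st_mode)
            if problems:
                findings[os.path.relpath(path, root)] = problems
    return findings


def demo():
    """Build a constructed sample tree, run the audit, and return the findings."""
    root = tempfile.mkdtemp(prefix="resume-audit-")
    try:
        resumes = os.path.join(root, "resumes")
        os.mkdir(resumes)
        os.chmod(resumes, 0o700)                 # owner-only directory: clean
        layout = {                               # constructed sample files
            "resumes/alice.txt": 0o600,          # owner-only: clean
            "resumes/bob.txt": 0o644,            # readable by everyone
            "resumes/shared.txt": 0o660,         # writable by the group
            "resumes/export.csv": 0o666,         # wide open
        }
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write("constructed sample record\n")
            os.chmod(path, mode)                 # set the mode explicitly, ignoring umask
        return audit_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, problems in sorted(demo().items()):
        print(f"{rel}: {', '.join(problems)}")
```

Run against a real data directory by calling `audit_tree("/path/to/data")` instead of `demo()`; the useful output is the set of paths that violate the policy, which is what the frequent monitoring and review item on the list above is meant to catch before an attacker does. Note that mode bits are only part of the picture: ACLs, the ownership of the files, and who holds the service account are separate checks.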

Hacker Methodology

Hacking is a methodical process that goes through several phases in order to "own" a system:

  1. Phase I - Reconnaissance
  2. Phase II - Scanning
  3. Phase III - Enumeration
  4. Phase IV - Gaining Access
  5. Phase V - Escalating and Maintaining Access
  6. Phase VI - Covering Tracks
  7. Phase VII - Creating Back Doors
  8. Phase VIII - Launching Additional Attacks

The Consumer Data Black Market

The following are the going prices for acquiring various types of consumer information on the black market:

  • $980-$4,900 - Trojan program to steal online account information
  • $490 - Credit card number with PIN
  • $78-$294 - Billing data, including account number, address, Social Security number, home address, and birth date
  • $147 - Driver's license
  • $147 - Birth certificate
  • $98 - Social Security card
  • $6-$24 - Credit card number with security code and expiration date
  • $6 - PayPal account logon and password

Some Final Suggestions

Overall, companies that store private personal data should implement stronger security countermeasures to mitigate the risk of a data breach. This is one of the cases where a limited amount of information stolen initially could be used to glean more "valuable" information.

Among the approaches a company should consider:

  • Risk Assessment (RA): Companies must periodically assess the risk to organizational operations
  • System and Information Integrity (SI): Companies must: (i) identify, report, and correct information and information system flaws in a timely manner; and (ii) monitor information system security alerts and advisories and take appropriate actions in response.
  • Personnel Security (PS): Companies must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.
  • Physical and Environmental Protection (PE): Companies must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals.

Contributed by James Sayles
