It’s been a busy week for information security in the retail and hospitality sector. Earlier last week, InterContinental Hotels Group (IHG) acknowledged a credit card data breach that impacted more than a dozen properties across their hotel brands spanning the United States and the Caribbean. Similarly, fast food chain Arby’s disclosed on Friday that it had recently remediated a breach of data on up to 1,000 of their corporate-owned locations.
Businesses must take IT security seriously because their financial future depends on it. IT security is a broad topic that covers a range of different fields.
Here we'll discuss common vulnerabilities and why companies must ensure their operational systems are well-protected from cybercriminals.
"Injection vulnerabilities are one of the most common and oldest web application vulnerabilities."
1. Injection vulnerabilities
Injection vulnerabilities, such as cross-site scripting (XSS) and CRLF injection, are among the most common and oldest web application vulnerabilities. They arise whenever untrusted input is written into an interpreter's output (an HTML page, an HTTP header, a query) without being validated or encoded for that context, which makes them easy for attackers to find and exploit.
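Both classes named above come down to the same mistake: concatenating user input into a structured output. The following added example (not code from the original post, and the redirect and greeting handlers are constructed for illustration) shows a CRLF-injectable redirect header and a reflected-XSS greeting beside their hardened forms, plus a small parser that makes the injected headers and body visible.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed scenario: a handler that redirects to a user-supplied "next"
# path and renders a greeting containing a user-supplied name.

CONTROL_CHARS = re.compile(r"[\r\n]")


def redirect_header_vulnerable(next_url: str) -> bytes:
    """Build a Location header by string concatenation.
    A CR/LF pair inside next_url terminates the header line, so the attacker
    can append further headers, or a blank line and a body (response splitting)."""
    return ("HTTP/1.1 302 Found\r\nLocation: " + next_url + "\r\n\r\n").encode()


def redirect_header_safe(next_url: str) -> bytes:
    """Reject control characters rather than trying to strip them, and accept
    only same-site relative paths so the redirect cannot be turned into an
    open redirect to an attacker-controlled host."""
    if CONTROL_CHARS.search(next_url):
        raise ValueError("CR/LF not permitted in header values")
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc or not next_url.startswith("/"):
        raise ValueError("only same-site relative paths are permitted")
    return ("HTTP/1.1 302 Found\r\nLocation: " + next_url + "\r\n\r\n").encode()


def greeting_vulnerable(name: str) -> str:
    """Reflect user input straight into HTML: classic reflected XSS."""
    return "<p>Welcome back, " + name + "!</p>"


def greeting_safe(name: str) -> str:
    """Encode for the HTML text context before interpolating."""
    return "<p>Welcome back, " + html.escape(name, quote=True) + "!</p>"


def parse_response(response: bytes):
    """Split a raw HTTP response into (header lines after the status line, body).
    Used here to show what actually reaches the client."""
    head, _, body = response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[1:], body


if __name__ == "__main__":
    payload = "/home\r\nSet-Cookie: session=attacker\r\n\r\n<script>alert(1)</script>"
    headers, body = parse_response(redirect_header_vulnerable(payload))
    print("vulnerable: %d header lines, body=%r" % (len(headers), body))
    try:
        redirect_header_safe(payload)
    except ValueError as exc:
        print("safe: rejected (%s)" % exc)
    print(greeting_safe("<script>alert(1)</script>"))
```

The safe versions fail closed: a value that cannot be represented in the target context is refused outright instead of being "cleaned", because stripping one character class tends to leave another encoding of the same attack behind.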
When it comes to cybersecurity, companies today typically have three options:
- Do nothing or the bare minimum, and hope that cyber attackers don’t find you.
- Keep your current cybersecurity posture as is, without consistent updating or monitoring (and hope cyber attackers don’t find you!).
- Consider EiQ’s hybrid security as a service to identify threats and vulnerabilities, mitigate risk, and achieve compliance.
Let’s look at each of these options.
Last week, it was reported by SiliconBeat that NASA’s CIO, Renee Wynn, had allowed an Authority to Operate (ATO) for a key network to expire because the network in question had over 15,000 critical vulnerabilities that had not been properly patched. The move was apparently intended to hold the contractor in charge of maintenance of the devices accountable for their contractual obligations by bringing visibility to the situation.
In a recent article on Credit Union Journal, I wrote about how to go beyond risk management to assess vulnerabilities in order to secure your data. It’s important to understand that vulnerability and risk are not the same thing. Risk is the probability of a vulnerability being exploited multiplied by the cost of the damage exploitation would cause. That product is what risk evaluation rests on; it helps you focus your remediation efforts and define compliance boundaries. Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities, especially in software and firmware. It works by analyzing computer systems for known weaknesses such as unnecessary open ports, insecure software configuration, missing patches, and susceptibility to malware.
Mistakes in the cybersecurity world have become a lot more expensive, particularly if you suffer a data breach. A new study conducted by the Ponemon Institute for IBM found that the average cost of a data breach reached $4 million per incident in 2016, a 29% increase since 2013. The cost per stolen record has climbed as well, with the average now standing at $158, and stolen healthcare records have risen dramatically to $355 per record, up $100 from 2013. The study also found that the average time to identify a breach is now 201 days, and the average time to contain one is 70 days. Breaches identified in fewer than 100 days cost companies an average of $3.23 million, while breaches found after 100 days cost considerably more, averaging $4.38 million.
What Vulnerabilities Are Lurking in Your Organization?
Vulnerability assessment is the process of identifying, prioritizing, and remediating the vulnerabilities in computer systems and network infrastructure. Vulnerabilities are often caused by design flaws in software applications or by the misconfiguration of systems. Vulnerability assessment typically includes the following steps:
If your organization is subject to PCI DSS 3.2 compliance, you’re likely aware of the looming deadline mandating the migration away from SSL and TLS v1.0 to a “secure” version of TLS as defined by NIST (currently v1.1 or higher). The PCI Security Standards Council previously released a bulletin on the migration to explain the reasons for the change and the steps required. While the Council has extended the compliance deadlines, there are very real reasons not to wait to make the move: the weaknesses in SSL and TLS v1.0 are in the protocols themselves, so no amount of patching the server software makes those versions safe.
The Verizon 2016 Data Breach Investigations Report details findings pulled from a sampling of more than 100,000 incidents and 2,260 data breaches. The 85-page report is certainly worth a read for anyone interested in information security. For those in a hurry, here are a few of the key points I saw:
With new bugs like the recent glibc vulnerability being announced nearly every day, it’s important to consider how your organization handles vulnerability management. How do you know which of your critical systems are exposed to which new vulnerabilities? If you had only one server or device to keep track of, you might know all the details of its configuration: which software is running and which versions are installed. But even then, keeping up with the latest CVE announcements and identifying which of them affect your system may be overwhelming, particularly if maintaining the device is not your only job. If you’re like many of the IT professionals we speak with every day, you’re wearing many hats and fighting constant fires. Therefore, it becomes critical to build a comprehensive vulnerability management program to protect your organization. Here are three things every security professional should consider when building a vulnerability management program:
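The question asked above (which of your systems is exposed to which new advisory) and the risk formula given earlier (probability of exploitation multiplied by cost of damage) are the two halves of a prioritization step. The following added example, not code from the original posts, matches a constructed software inventory against hypothetical advisories and ranks the findings by that risk product. The hostnames, package versions, advisory IDs (deliberately not CVE numbers), probabilities and asset costs are all invented for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed inventory: host -> installed package versions.
INVENTORY = {
    "web-01":  {"glibc": "2.22", "openssl": "1.0.2f", "nginx": "1.10.0"},
    "db-01":   {"glibc": "2.19", "postgresql": "9.4.5"},
    "bastion": {"glibc": "2.23", "openssh": "7.2"},
}

# Hypothetical advisories (IDs are placeholders, not real CVEs): affected
# package, first fixed version, and an estimated probability of exploitation.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "glibc",      "fixed_in": "2.23",   "probability": 0.6},
    {"id": "ADV-EXAMPLE-2", "package": "openssl",    "fixed_in": "1.0.2g", "probability": 0.3},
    {"id": "ADV-EXAMPLE-3", "package": "postgresql", "fixed_in": "9.4.6",  "probability": 0.1},
]

# Constructed cost of damage (in dollars) if each host is compromised.
ASSET_COST = {"web-01": 500_000, "db-01": 2_000_000, "bastion": 250_000}


def version_key(version: str) -> tuple:
    """Tokenize a version string so that numeric runs compare as integers and
    letter runs (e.g. the 'f' in 1.0.2f) compare after a bare number."""
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok.lower())
                 for tok in re.findall(r"\d+|[A-Za-z]+", version))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """True when the installed version predates the first fixed version."""
    return version_key(installed) < version_key(fixed_in)


@dataclass
class Finding:
    host: str
    advisory: str
    package: str
    installed: str
    fixed_in: str
    risk: float  # probability of exploitation * cost of damage


def match_advisories(inventory, advisories, asset_cost):
    """Cross the inventory with the advisory list and rank by risk, highest first."""
    findings = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv["package"])
            if installed is None or not is_vulnerable(installed, adv["fixed_in"]):
                continue
            risk = adv["probability"] * asset_cost[host]
            findings.append(Finding(host, adv["id"], adv["package"],
                                    installed, adv["fixed_in"], risk))
    return sorted(findings, key=lambda f: f.risk, reverse=True)


if __name__ == "__main__":
    for f in match_advisories(INVENTORY, ADVISORIES, ASSET_COST):
        print("%-8s %-14s %-11s %-7s -> %-7s risk=$%,.0f"
              % (f.host, f.advisory, f.package, f.installed, f.fixed_in, f.risk))
```

With the constructed data the database host's glibc exposure ranks first even though the web server is more directly reachable, because the cost term dominates. One caveat a practitioner should keep in mind: comparing upstream version numbers is a simplification, since many distributions backport fixes without bumping the version, so a real program must key on the vendor's package release or advisory data rather than on upstream versions alone.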