The "We Take Your Security Seriously" Myth
According to reports since our last post, the U.S. State Department suffered a data breach. For obvious reasons, the department is keeping details close to the chest. However, they released a statement on it:
“The department takes seriously its responsibility to safeguard its information and continuously takes steps to ensure information is protected.”
At the same time, however, a security report from a joint Committee on Homeland Security gave the State Department the lowest grade available for their compliance with Federal cybersecurity standards. Among the report’s findings for the State Department were:
The State Department could not justify why 60% of the employees sampled by the Committee had access to the agency’s classified network.
The State Department had thousands of active accounts for employees who had left the agency.
26% (128 out of 487) of systems on the Department’s network did not require authentication to access. This issue was also identified by the Inspector General in 2015.
The Department did not have a software lifecycle management process to expire software that is no longer supported by the relevant vendor.
Vulnerability scans on the network revealed 450 critical risk and 736 high risk vulnerabilities.
This isn’t the first time that an organization has used the phrase “We take your security seriously” either. As far back as 2015, Troy Hunt documented numerous usages of the same phrase on his blog, where companies such as Plex, Anthem, Adult Friend Finder, Gaana, Samsung, eBay, the FBI, and Westnet used it in a statement following a data breach. Troy subsequently updated it with a new post in 2020 with more examples of the same statement. In fact, statements like this have become almost a running joke in the security community.
What’s the problem?
The main problem is that the statement often appears hypocritical. For the State Department, the published security report seems to contradict their statement directly. For other companies, follow-up analysis and research showed that they were not following security best practices at the time of the breach, such as keeping plaintext credentials in their user database, not patching systems, or using default passwords. Alternatively, the remediation that follows the breach tends to focus more on reputation management than on any meaningful security improvements.
What’s the alternative?
After a breach, the best path is honesty and transparency.
Frank Blake was the CEO of Home Depot during their breach of 2014. In a statement to the Wall Street Journal after the attack, Frank said, “If we rewind the tape, our security systems could have been better. Data security just wasn’t high enough in our mission statement.”
Before a breach, the best path is to learn from Frank Blake’s mistake and prioritize security earlier. In other words, actually prioritize security instead of simply saying that you prioritize security.
Not sure where to start? Let us know how we can help!
T-Mobile is once again in the news for the wrong reasons, as the mobile carrier announced that it has suffered yet another data breach. This time, the data of around 8 million current customers and 40 million former customers was affected, including names, dates of birth, license information, and social security numbers. The company was quick to add that password and PIN details were not affected.
Ransomware has struck a healthcare provider once more, as numerous hospitals and clinics in Ohio and West Virginia were forced to cancel non-essential surgeries and divert ambulances after a breach. According to Brett Callow at Emsisoft, ransomware and data breaches have disrupted healthcare at roughly 963 healthcare provider locations so far this year, as opposed to just 560 sites in all of 2020.
A misconfigured website at Ford gave security researchers access to treasure troves of internal data, such as customer PII, employee records, ticketing systems, and database tables. The issue was reported to Ford back in February 2021; according to the researchers, Ford became unresponsive when the topic of public disclosure came up. The issue has only now come to the public’s attention because the time window for “forced disclosure” expired according to HackerOne’s policies. According to current reports, there isn’t any evidence that the issue was exploited by any malicious actors, raising questions about Ford’s disclosure responsibilities in this case.
Security researchers reported at DefCon that they found “a tractorload of vulnerabilities” at big agriculture companies John Deere and Case New Holland. According to the presentation, researchers captured full control over the companies’ internal systems, saying, “we could literally do whatever the heck we wanted with anything we wanted”. John Deere released a statement after the presentation repudiating most of these claims.
Cloudflare reports that it fought off the largest Denial of Service attack recorded to date. The attack peaked at 17.2 million HTTP requests per second, almost 3 times larger than the previous record for a similar attack.
Google has published its fourth urgent update in just two months, as seven high-risk security vulnerabilities were discovered in the Chrome browser, affecting all operating systems. Chrome users are encouraged to ensure their browser is up to date with the latest release.