Dara Security

How Easily A Breach Can Occur

June 20, 2014

You've heard about a security breach happening to a company you never thought it would happen to. You ask yourself, "How could they be so vulnerable?" If companies who pay top dollar for their security can experience a breach, then imagine how exposed your company data might be.

Breach Scenario #1

A therapist is gathering patient files for review. Suddenly he receives a call from the ER that his son was just admitted, and he needs to be there now. He throws the files into his briefcase and rushes out the door. Frantically searching for his keys, he places his briefcase on the roof of his car. Realizing he left the keys in the office, he runs in to get them. Returns to the car. Jumps in and speeds off, forgetting about the briefcase full of patient files once on the roof of his car, but now strewn on the road.

Breach Scenario #2

A database administrator on a delayed flight with just a few minutes to exit the plane and sprint to his next gate, leaves his iPad in the seat pocket for seat 11C. The next passenger is surprised to find the gift of an iPad included in his ticket price. A quick perusal of the iPad finds that it is unlocked and hasVPN access to the database administrator's corporate network and to the databases he manages.

Breach Scenario #3

A CFO, at home, receives an email to his personal email from his corporate help desk stating they are upgrading the remote access capabilities and need for him to click on the provided link and enter his user ID and password, which he does. Unfortunately, the email was a spear-phishing attack (an email-based attack directed toward specific individuals), and he entered his credentials into a server owned by a hacker. To make matters worse, the CFO's password is the default password issued by the help desk for new users and for resetting user accounts. Using the CFO's credentials, the attacker compromised the company's network and quickly found that 25% of the company uses the same password. There was no policy in place to force initial or periodic password changes.

Breaches Can Happen Anywhere At Any Time

Each one of these scenarios is true. Occurrences like these happen every day in cities of all sizes and to all types of companies. The first two breach scenarios occurred in Reno, Nevada. Luckily for the therapist and database administrator, I found the briefcase and the gift of the iPad and promptly contacted and returned the items. But regardless, the exposure of the patient files in the briefcase (returned or not) is technically a breach per the HIPAA privacy laws. If a person with malicious intent had found the briefcase or iPad, who knows what havoc could have occurred. The third breach scenario was fortunately carried out by Dara Security as part of a social engineering test to evaluate our client's company environment. (Do not worry. The company gave us approval to discuss the test's outcome in order to educate others). If the attack had been carried out by a hacker, the company would have had to spend thousands (if not hundreds of thousands) of dollars in capital expense and several months of man hours to recover.

With the news constantly bombarding us with the breaches of large organizations like Target, Neiman Marcus, and now PF Chang's and focusing on the complex technical steps the hacker took to breach the environment, one overlooks how easily a breach can occur and begins to believe they are immune because their company is just not big enough. The fact is, everyone is a target. If you are on the Internet, use social media, big business, small business, or even just a person at home, you are target. Only through constant vigilance and building of sound processes and habits can one achieve a level of security.

Defending A Breach Takes Expertise

It's like I tell my son about driving a stick shift. It does not become easier or simpler with time, it becomes habit. How much gas to give the engine to get out of first and when to change gears requires much practice until it becomes a part of how you drive. It is the same with security. It has to be something you practice every day so it becomes part of your everyday activities. If you don't, then you are that guy in the car, stalled at the red light with a flooded engine.

Let Dara Security help you ward off hackers and a potential data breach. We offer security system reviews and audits as well as professional services to fend off or recover any lost data. Call us today!