Tuesday, December 30, 2014

Top data breaches of 2014 and lessons

May - eBay [1, 2]
  • 145 million
  • The problem had been exploited since at least February
  • Information compromised - encrypted passwords, usernames, emails, DoBs, phone numbers, postal addresses
  • How - eBay allows sellers to use active content such as JavaScript and Flash. Hackers embedded password-harvesting scripts in listings and used XSS attacks to gather information from logged-in users
  • Lessons - If you allow active content on your web site, you need preventive controls (such as limiting what is allowed) as well as risk-mitigation techniques (detection, monitoring, etc.) in place. If not, it is better to block active content.

September - Home Depot [1]
  • 56 million
  • Information compromised - credit and debit card numbers
  • How - resulted from the compromise of a third-party vendor
  • Lessons - Organizations should evaluate the security measures taken by third-party vendors and also have intrusion detection in place.

September - JPMorgan Chase [1, 2]
  • Attack discovered in July and disclosed in September
  • 76 million households (83 million accounts)
  • Information compromised - names, addresses, phone numbers and email addresses
  • How - Hackers got access via a neglected server that had not been upgraded to two-factor authentication
  • It potentially took 2 months to notice unusual activity after the initial attack
  • Lessons - Security is only as strong as the weakest link in your system. Make sure you do not leave any unguarded holes in your network. The need for better and faster detection techniques cannot be emphasized enough.

December - Sony Pictures [1]
  • Number of people affected is still not known
  • Attack initially detected in November
  • Information compromised - unreleased movies, company emails, executive salaries, personal information, internal strategy information
  • How - wiper malware (it is still not known how it got into the system). It is likely that lapses in internal security measures may have resulted in this attack.
  • Lessons - Never take security lightly. Internal security measures and auditing should always be a top priority.

5 comments:

Blogger said...

BlueHost is ultimately the best hosting company for any hosting services you might need.

gowsalya said...

I wish to show thanks to you just for bailing me out of this particular trouble. As a result of checking through the net and meeting techniques that were not productive, I thought my life was done. Digital Marketing Training in Chennai

Digital Marketing Training in Bangalore
Digital Marketing Training in Pune

Mouni yoga said...

Very good brief and this post helped me a lot. Say thank you, I was searching for your facts. Thanks for sharing with us!
AWS Training in chennai

AWS Training in bangalore

ragul ragul said...

I appreciate your efforts because it conveys the message of what you are trying to say. It's a great skill to make even the person who doesn't know about the subject able to understand the subject. Your blogs are understandable and also elaborately described. I hope to read more and more interesting articles from your blog. All the best.
Blueprism training in annanagar

Blueprism training in velachery

Blueprism training in marathahalli


AWS Training in chennai

Ezhil K S said...

I simply wanted to write down a quick word to say thanks to you for those wonderful tips and hints you are showing on this site.

Data Science Training in Chennai
Data science training in bangalore
Data science online training
Data science training in pune