BreachExchange mailing list archives

Why do companies keep getting hacked?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 3 Mar 2014 18:53:00 -0700

http://www.fastcompany.com/3026672/the-code-war/why-do-companies-keep-getting-hacked

Two weeks ago, a respected crowdfunding site, Kickstarter, was hacked.
Snapchat was hacked the week before that. Skype's social media accounts
were targeted the week before that.

"These days, criminal hacking is a business," Patrick Thomas, a security
consultant at Neohapsis, tells Fast Company. "Everything that is done has a
chain linked to real dollars. And hackers are looking for the shortest
chain."

Sometimes, that entails stealing credit card numbers directly. Other times,
it's selling user emails and passwords en masse on the deep web. Whether it
involves an SQL injection or, in the case of Snapchat, the exploitation of a
faulty script, these recent incidents again raise the question: Why do major
Internet companies keep getting hacked? Shouldn't we have learned our
lesson by now?

One reason: Human beings are still the weakest link in the aforementioned
chain to real dollars. "Humans can't be upgraded," says security blogger
Graham Cluley in a phone conversation. "You can't fix the bug in people's
brain that makes them click a link, or choose a really dumb password."

Take the recent Target hack, which leaked the personal data of 110 million
customers. The breach reportedly began as an email-based phishing scheme.
Although the retailer's consumer-facing website is well defended, hackers
were reportedly able to gain access into Target's corporate network by
using stolen authentication credentials from a subcontractor that dealt
primarily in air conditioning. Someone in that subcontractor's office
clicked something bad.

You can hardly blame them, though. Social engineering attacks over email
have been refined to a point that they're, at first glance, unremarkable.
They're now built to "sail right through spam filters," explains Thomas.
"It might look professional and well worded. It might use words from your
business. It might even look expected."

While the human element is an inescapable part of our hacking
vulnerability, the other, equally messy part of the equation is that
security is rarely a priority for the companies actually building software.
Developers would rather ship a product fast than spend time testing a
product for potential risks--as Wednesday's Tinder mishap perfectly
illustrates.

"The bigger problem is that security is just not top of mind for most
developers," says Chris Eng, vice president of research at Veracode. "It's
not something that has worked its way into a product's life cycle."

"What we have to do is build [security measures] earlier and earlier into
the cycle so that developers are aware of it," Eng adds.

In addition, the expertise of in-house security teams is a luxury many
developers simply don't care about, or can't afford. "There aren't enough
good InfoSec people to go around, and the employment rate shows that," says
Thomas.

Larger firms, on the other hand, often find themselves failing to have
incorporated proper safeguards into their core, existing infrastructure.
"Security really needs to come in from the beginning," Thomas says. "For
larger companies with huge established portfolios of applications, many of
these go back five, 15, 20 years to before many modern security practices
existed. Overhauling them is a tremendous mountain to climb."

Unfortunately, these shortcomings put more onus on the consumer to be extra
vigilant with their security--namely, their passwords, which are still
frequently recycled and used across multiple accounts. Imagine: What if
your eight-digit Kickstarter password was the same one used for your Amazon
account? Or your Bank of America login?

To be clear, even if Internet companies start making security a top
priority, breaches will still happen. And that isn't going to change
anytime in the foreseeable future. "I fear that because we can't roll out a
software patch for people's brains, this problem is one we're still going
to have in 100 years," says Cluley. "Fundamentally, we've been talking
about this problem for 20-plus years. And we haven't learned."

For now, it's up to more forward-thinking organizations like Kickstarter to
set the example by responding to security breaches as best they can, with
honesty and transparency. "The rapid response and ability to make what
transpired clear really to its users says Kickstarter had its house in
order before the breach," says Thomas.

Locks will be broken and messes will be made, which is why, going forward,
maintaining user trust will be more important than ever.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 