Another Giant Falls – eBay Hack Exposes Personal Information of Up To 145 Million Users
Once again, a corporate behemoth found itself making headlines for all the wrong reasons this week when it came to light that eBay had been successfully hacked about a month ago and up to 145 million users had their personal information exposed in one of the largest data breaches in history. Joe Caruso, founder and CEO/CTO of Global Digital Forensics, sheds some light on how these mega breaches keep happening and discusses the costly fallout that can accompany data breaches of any magnitude, as well as some steps companies can take to better protect themselves.
Does Size Matter? Not in the Cyber World
It’s not supposed to be easy to compromise the network(s) of a corporate entity with the size footprint eBay has globally, but as was reported earlier this week by Reuters and most major news outlets on May 21st, it did indeed happen. Companies of this size are typically trusted by the public to have all their ducks in a row when it comes to their cyber security posture, and they do spend vast resources and have personnel dedicated to the task of keeping their customers’ data safe. But then how do names like eBay, Target, Neiman Marcus, Michaels and a slew of others keep finding themselves putting out the costly fires that inevitably follow a mega breach? Global Digital Forensics (GDF) founder and CEO/CTO, Joe Caruso, says, “More often than not, the chink in the armor is not the technology, the desire or the will, it’s the human element that proves fallible. All it takes for hackers to get their foot in the door is one individual not paying close enough attention, or worse yet, lacking regular awareness training on what to watch out for. Social engineering is the most powerful tool in a hacker’s arsenal today, from phishing and spear phishing campaigns, to bogus ads and popups that lead users down a very dark road that ends in the delivery of malware like rootkits and RATs (Remote Access Trojans). Once this kind of malware gets introduced to the corporate network, or network credentials are unknowingly gleaned from even one user, it will soon be time to notify all their customers, vendors and investors, call the lawyers and call the publicist, because things will be getting ugly fast, and the corporate reputation is going to take a beating. The initial reports on the eBay hack mentioned a few users being compromised which led to the successful breach, so once again, the proof is in the pudding.”
The Three Golden Words to Improve Cyber Security – Test, Learn, Strengthen
“At GDF, we’ve been helping clients bolster cyber security for over two decades, and we’ve seen it all. It is because of that invaluable experience that we take the social engineering aspect very seriously when we perform vulnerability assessments and penetration tests, which is basically us assuming the role of real-world black-hat hackers to infiltrate a company’s network so we can identify the weak links in the security chain, without the client having to suffer the real-world consequences. We’ve never been unsuccessful in accomplishing a compromise during the social engineering phase of our testing. And I can tell you this, nothing has a more powerful impact for raising user awareness enterprise wide than when we catch personnel red-handed after designing a bogus website, and launching a spear phishing campaign that typically gets anywhere from 20% to 90% of a company’s work force to take the bait. Hackers have been honing their skills and improving techniques for years and they are very good at it, but so are we. It’s also a powerful lesson on the second biggest problem we find in many organizations we are called in to test - the weak password problem that still dominates the corporate world. When employees give up their credentials during our social engineering testing, being able to call out “John Smith” and his “abc123” or “qwerty” password leaves a sting he won’t soon forget, and presto, he starts using strong passwords from then on, strengthening the entire organization as a whole.”
Emergency Response – Making the Right First Steps is Crucial
“In a world of magic wands, unicorns and pixie dust, maybe there is such a thing as perfect cyber security protection, but we all know that’s not the world we live in. The best we can do is make it extremely difficult for hackers to breach a network by identifying every weakness we can and significantly improving awareness for each and every user within an organization. That will thwart the vast majority of threats every business faces on a daily basis, but if the unthinkable does happen and a breach does occur, an organization’s survival will depend on their response. That’s why we have a network of emergency responders on call 24/7 every day of the year, strategically positioned across the country, and the globe, so we can respond within hours, not days, and many times even start the process remotely right away, to quickly and effectively identify the attack, stop it in its tracks, eradicate it and help clients immediately begin the damage control phases of notification, dealing with regulatory compliance issues and calming anxious customers, vendors and investors by being able to detail exactly what happened, what is being done and what new improvements will be made to prevent any type of similar incident from happening again in the future. Silence is a killer when it comes to public perception, and the faster you get in front of the squall, the less damaging the effects will be on the organization, and that means significantly lower costs in the long run and much better chances the organization will actually survive the event. So the best advice is to make the choice today to do something about it, and sleep easier knowing you’ve got the right plans already in place. It just takes one call, you just have to sit down and actually make it.”
Customized Cyber Security Solutions are the Smart Choice
Global Digital Forensics is a recognized industry leader in the fields of cyber security and emergency incident response, with years of experience assisting clients in the government, banking, healthcare, education and corporate arenas. For a free consultation with a Global Digital Forensics specialist, call 1-800-868-8189 about tailoring a cost-effective plan which will meet your unique needs, without wasting resources on solutions you simply don’t need. Emergency responders are also standing by 24/7 to handle intrusion and data breach emergencies whenever and wherever they arise. Time is critical if a cyber incident has occurred, so don’t hesitate to get help. For more information, visit our cyber security page.