The top three causes of security breaches: Part 1 of 2

In most instances, security attacks could be avoided with a little consideration.
  • Jarrod Loidl (CSO Online (Australia))
  • — 13 December, 2011 13:50

It's been an interesting year for those following information security news. We started the year with the Vodafone breach, one of the largest privacy breaches ever experienced within Australia.

Then RSA were compromised using a zero-day exploit off the back of a poorly crafted social engineering experiment. Sony promptly followed, and then a slew of others were hit by Lulzsec, Anonymous and similar hacktivist groups.

HBGary Federal was looted and pillaged in what can only be described as the worst "ownage" of any company I've ever seen or heard about (although the number of times Sony was owned should be humiliating).

The list this year grows long and large, and these are only a few of the bigger examples.

Looking at these breaches, I think it is a useful exercise to examine how they were attacked, and how they might have prevented it. In most instances, the attacks could have been avoided with a little consideration.

  • SQL Injection

    The attacks against Sony were found to be caused by SQL injection vulnerabilities on most of their websites. As the attackers pointed out, such vulnerabilities could be found using automated software, and because these could be conducted blind, it suggests that that Sony never conducted any penetration testing of their sites.

    The foothold Anonymous held on the HBGary Federal network was also via SQL injection. Without this vulnerability, the HBGary Federal hack may have never been possible.

  • Sloppy Password Practises

    Weak passwords are an open invitation to hackers and pen-testers alike. A weak password can be guessed or brute-forced. Password hashes for weak passwords can easily be determined using rainbow tables. If those passwords are known and used on other systems, an attacker can leapfrog from host to host, application to application and pillage an entire network.

    The HBGary Federal scandal was a remarkable example of how bad password re-use can be. Anonymous gained access to most of HBGary Federal's infrastructure via staff accounts on websites like LinkedIn and Twitter. Likewise, sharing passwords was ultimately, what led to the Vodafone privacy scandal as well.

  • Social Engineering

    It's almost impossible to develop a strategy for managing social engineering. Skilled attackers can target specific individuals within an organisation and tailor their attack to the intended victim. The RSA attack was triggered by deceiving RSA staff into opening an email purportedly containing pay details of RSA staff in an Excel spreadsheet, which contained the exploit. While stopping zero-day exploits are virtually impossible, I will suggest that social engineering attacks are a far more likely scenario everyone should work to prevent.

    Likewise, a system administrator for rootkit.com was tricked into providing the root password which resulted in rootkit.com being compromised. Detecting such attacks can be challenging, it often requires more than an ability to spot poor grammar and spelling, but it’s not impossible.

    For any organisation serious about evaluating its existing security posture, conducting a penetration test that evaluates internal and external controls is crucial. Allowing testers to conduct social engineering attacks should also be encouraged. Attackers gunning after your network will not be constrained — why would you try to constrain your testers? Broadly scoped tests give businesses the best bang-for-buck. And all of the attacks detailed hear could have been identified by any moderately skilled penetration tester in advance.

    While many IT Security Managers and CSOs often fear the findings, they should be viewed as an annual health check and accepted as part of good governance. After all, if a serious vulnerability in your network can be described as cancerous, when would you rather find out? Early days when you can fix it, or at the last minute on the front page news, after an attacker has found it for you?

    My next article, I will explore mitigating defenses against these attacks in more detail.

    Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Tags: security breaches
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Security Risk Management Solutions

Protect resources and ensure security compliance through incident detection, response, and remediation.

more »

Submit your own security event

Submit your training courses

Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.

Read More
more »