CSOs warned on internal security as eBay cleanup continues

A week after the breach of 145m eBay user accounts, the ongoing discovery of new flaws in the company's security defences has security software specialists renewing their calls for CSOs to implement better internal security practices.

The attack came, according to eBay, after a number of eBay user credentials were compromised and a database containing personal information stolen. A second vulnerability was subsequently revealed, and more are being discovered as security experts pore over the site's code.

Security researcher Lysa Myers, who has been looking into the attack as part of her work at security vendor ESET, noted that the separation of financial data from personal data had prevented the attack from being worse – but that the breach was still bad enough that it could well encourage eBay to follow Twitter and Google in offering users two-factor authentication as an alternative to simple password protection.

Companies seeking to limit the damage caused by potential breaches of internal credentials should look into using network segmentation to restrict inter-system access, Myers said.

“Companies should be setting permissions within the organisations to only those things a user must access in order to do his or her job,” she advised. “For example, the HVAC vendor in the huge Target retail store breach should not have had access that enabled criminals to get to the point of sale terminals as this was clearly not necessary to perform their role as a supplier.”

The breach also reinforced the importance of encrypting sensitive data at rest, Myers added – a perspective shared by Paul Ayers, EMEA vice president with security firm Vormetric.

“Even though a portion of [the stolen data] was encrypted,” Ayers said, “it appears a good deal was not and it is this kind of personal information which is often used by criminals to launch further attacks.”

“That the passwords were encrypted will come as little comfort to the millions of eBay users whose other data may have been accessed.”

Mike Malloy, executive vice president of products and strategy with security firm Webroot, said the delay between eBay discovering the vulnerability and informing its users was a “worrying trend, and reminiscent of other notable breaches in the recent past.”

With few companies earning sympathy for trying to keep their names out of the media, an effective response necessarily involves proactively informing customers so they can be aware of potential follow-on attacks as hackers seek to compromise them via email, SMS and phone. Informing customers of a breach “and asking to change passwords, even preemptively, is the right thing to do,” he said.

Malloy also slammed companies' practice of treating non-password data with less care and security protection than they give to passwords. With many online and offline organisations using information such as date of birth as part of their verification processes, such information must be carefully protected to ensure it doesn't further a security compromise.

Ian Hodge, managing director of Dell Software Australia-New Zealand, noted that poor protection of internal access credentials often leaves organisations struggling to control their data.

“For too long companies have focused on external threats but threats don't always come from external sources,” he said, recommending that companies make regular audits of privileged user accounts and enforce strong passwords that are frequently changed.

“Knowing who has access to what and ensuring that users are only provided with the lowest level of access required to perform a task, can further reduce the threat,” he explained.

“Often, data leaks can originate from employees, through intentional theft, lost or stolen mobile devices or accidental exposure. It is only by ensuring you take a holistic view to security that threats can be reduced.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by David Braue
