This week we have a personal story for our readers. It’s a heartwarming tale of multiple mass data compromises, which affected yours truly. We’ll also discuss how major data breaches occur, and what you can do to protect yourself in the Age of the Large Data Breach.
Last week was special. It was the week before Christmas, the time when the Christmas feeling really kicks in, the weather cooled on cue, and presents began to populate the area beneath our Charlie Brown fake Christmas tree. Oh, and I received three notifications of compromise of my personal information.
The first notification I received was from a large federal organization which, ironically, handles the security investigations for government clearances. If you’re not familiar, the federal organization is the Office of Personnel Management, and OPM announced it was compromised in June of 2015, with the attackers possibly having access as early as March 2014.
My wife and I both received notices informing us our “name, Social Security number, address, date and place of birth, residency, educational, and employment history, personal foreign travel history, information about immediate family as well as business and personal acquaintances” may have been included in the breach. The notice speaks of other information used in background investigations, though doesn’t name them directly. That information would be interactions with law enforcement, recreational drug use, and possibly fingerprints. Ouch.
The next notification I received was for an earlier intrusion, the 2013 compromise of 2.4 million student records from the local community college system I attend. I continue to take classes after university because, well, I like school, and unfortunately the compromise didn’t surprise me. Smaller colleges are strapped for security cash, and frankly, college networks are sometimes soft targets. The final notification wasn’t a “mass data breach” per se, though it was a light-hearted cap to an eye-opening week.
Some people watch others play games on television (sports), or watch others stream their video game adventures on the net. I watch people play wargames. The wargaming site I patronize had its forums compromised and the notification on the site described the, granted, low-level information compromised, though further compromise through password reuse was discussed. Thankfully, this had no significant security impact for me.
Three breach notices in one week could have been an upsetting event. Thankfully, we understand how the breaches may have occurred and how to protect ourselves, which I will share with you now.
At a overview level, many large data breaches occur through an attack called spear phishing. Spear phishing is an advanced social engineering technique where a person at an organization, the mark, is targeted with trojaned messages or files that include accurate, if not personal, information regarding the target org. The realistic message or file is viewed or run, the trojan installed, and the attacker gains a foothold in the organization’s network.
Some large and other smaller breaches occur through SQL injection. This is where attackers find an internet-facing application with a coding vulnerability which allows the attacker to run arbitrary SQL commands, gaining credentials for deeper compromise, direct control of systems, or the entire data set of the target application.
If you’re a site owner, put a web application firewall in place as soon as possible to stem breaches on your site. A malware scanner and, given a sensitive enough target, a source code analysis tool are also recommended to find malware on your site and review your site code for possible vulnerabilities.
For end users and consumers, protection against data breaches is difficult as we all now trust others to be good stewards of our personal details. A good strategy to reduce the risk of a breach three-fold. First, limit and control the information you share as best as possible. For instance, you do not have to provide your Social Security number to receive medical services. And you definitely don’t have to provide sensitive information for your favorite gaming forum profile.
Next, use robust authentication practices. Use strong, non-dictionary passwords for sites and services, use a password manager to store them, and never reuse passwords across sites. Also, turn on two-factor authentication wherever you can. TwoFactorAuth.org can help you find the services you use which support it, and SiteLock provides two-factor authentication services for websites with the Enterprise-level TrueShield web application firewall.
Finally, regularly review your credit reports at AnnualCreditReport.com. Some advise to spread out reviews of the three credit reports throughout the year to keep a year-round eye on your credit history. Others recommend grabbing them all at once each year for convenience sake. Whatever strategy you choose, make sure to review your reports and dispute any inaccuracies.
Bonus Tip: If you’re a victim of a breach, many organizations provide a year or more of credit monitoring. Unfortunately such monitoring only notifies you after a change in your credit file occurs, meaning a possible instance of identity theft may have already occurred. A better option may be to place a security freeze your credit file with the respective credit reporting agencies. Please refer to the Equifax, Experian, and TransUnion credit freeze sites for details.
Follow the SiteLock blog for more information on protecting yourself from security breaches.