The RNC Data Breach: Neglecting Web Security Best Practices
In a recent security report, researchers revealed an unsecured archive of US voter data collected by Deep Root Analytics, a data firm connected to the Republican National Convention (RNC). The exposed data — which included full names, addresses, and phone numbers of 198 million registered voters — was uncovered by a security researcher in an internet-accessible database with no password protection or any other security measures. The database has been secured at the time of this writing, but it remains unclear how long this data was exposed to the internet.
It may be easy to assume exposures of this nature are an inevitability. After all, a data analytics firm associated with a major political party sounds like a clear target for bad actors. However, the data was discovered by a researcher performing unrelated searches through Amazon’s S3 infrastructure for any unprotected data, not targeted attacks against Deep Root Analytics or even voter data in particular. This fact underscores a critical necessity of the Internet: prioritize the security of your data at all stages of its life cycle. Your data needs to be secure where it’s stored, during network transit, and when it’s in the hands of third parties. This data leak in particular was the result of the RNC failing to properly ensure the security of their data in the hands of a third party contractor.
In this era of automated site crawlers and widely published application vulnerabilities, it’s important to remember that any website on the internet is a viable target for attackers. Ensuring proper security practices should be a vital step in the development of any website or application, no matter the size. If you must share data with third party contractors, confirm that their practices meet or exceed your security standard. If you’re working exclusively within your own organization, it’s still important to cover your bases during the development process.
Web Security Best Practices
Here’s a few things to keep in mind:
- Password-protect any data you don’t want the public to access.
- If you’re using a third party application, like WordPress or Magento, it’s important to keep these applications up to date at all times. Outdated web applications commonly include widely-known vulnerabilities that can be used to launch attacks on your site.
- If your site is custom-coded, ensure that you (or your developers) are implementing adequate input filtering to prevent common attacks, like SQL Injection and Cross-Site Scripting.
- Make sure your employees are prepared for “human attacks,” like phishing and social engineering.
Outside the scope of your company’s internal security policies, additional security measures are a great added line of defense. A large portion of website compromises are delivered by malicious bots, many of which can be turned away by web application firewalls. Additionally, malware detection by SiteLock® SMART™ is an invaluable way to identify cases when breaches do take place, allowing your team to take defensive action much more quickly than you could with only manual detection. Unfortunately in many cases, website owners are unaware they’ve been hacked until their site is defaced, suspended, or blacklisted.
Regardless of the size of your organization, keeping a proactive security protocol in place is essential to your ongoing success. Don’t do the bad guys any favors by leaving the door unlocked, no matter how unlikely you think it is that they’ll find it.