So you just found out that your details have been breached. You’re hurt and furious.
“How could this happen?”
“Were they being cheap? Do they not care about me and my data?”
The reality is that computers and the systems we rely on are extremely complex and fragile, and the world economy has come to rely on these systems across all industries.
Some of the latest breaches
Now if you have not been living under a rock, you should be familiar with the following breaches from this year:
- Telstra October 2022 (Details of 30,000 Telstra staff leaked online in third-party data breach)
- Optus September 2022 (Optus attack exposes customer information)
- Uber September 2022 (Uber confesses it covered up a huge data breach)
- Perth Festival July 2022 (Perth Festival, Black Swan Theatre and other arts organisations hit by major data breach)
If we consider the cause of these data breaches, it’s usually not some super complex 0-day with 50000 lines of code. Often enough it’s someone in their mid-twenties playing around with Shodan and Nuclei templates.
In most cases, it is human error that causes these breaches, such as a forgotten legacy service that is no longer being maintained or monitored. Oftentimes people are the weakest links in security, whether that comes down to the individual being compromised or a lack of organisational policy.
Securing the problem with simple solutions
Now how do we solve the problem? Let’s keep it simple.
- Ensure your technical team is keeping a record of all the services and legacy services that are being used, monitoring these systems and continually testing against such systems.
- Using a strong password policy that does not allow weak passwords like “password2021”, “company2022” or “oscar1!”
- Providing team support to ensure team members are keeping up to date with their security, regular password updates, and phishing exercises.
- Regular audits from your internal team or an external team, focused on securing the perimeter. That means checking every nook and cranny and removing any old domains, lingering APIs, or legacy S3 buckets lying around.
- WAF and network firewall protection. If firewall exceptions are temporarily added, ensure they’re changed back appropriately.
- For medium to large companies, investment from upper management is key, whatever your organisation’s level of maturity.
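The password-policy item above names three passwords that length or character-class rules alone can let through. The Python sketch below is an added example, not code from the original article: it reduces a candidate to its base word and rejects it when that word is common or tied to the organisation or user. The word lists, the 12-character minimum and the function names are assumptions made for illustration.

```python
import re

# Constructed sample list; a real policy would load a full breached-password list.
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "admin"}
# Common character substitutions, undone before comparison.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "@": "a", "$": "s"})
MIN_LENGTH = 12  # assumed minimum, not a figure from the article


def base_word(password):
    """Lowercase, drop trailing digits/symbols (years, '1!'), undo substitutions."""
    return re.sub(r"[^a-z]+$", "", password.lower()).translate(LEET)


def check_password(password, context_words=()):
    """Return the list of policy violations; an empty list means accepted.

    context_words are words an attacker would guess first for this account:
    organisation name, product names, the user's own name.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    core = base_word(password)
    banned = COMMON_WORDS | {w.lower() for w in context_words if w}
    for word in sorted(banned):
        # Flag only when the guessable word makes up at least half of the core,
        # so a long passphrase that happens to contain it is not rejected.
        if word in core and len(word) * 2 >= len(core):
            problems.append(f"built on guessable word '{word}'")
    return problems


if __name__ == "__main__":
    # Constructed context: organisation called "Company", user called "Oscar".
    context = ["Company", "Oscar"]
    for candidate in ["password2021", "company2022", "oscar1!",
                      "P@ssw0rd2021!", "maple-orbit-lantern-47"]:
        result = check_password(candidate, context)
        print(f"{candidate!r}: {'REJECT ' + '; '.join(result) if result else 'accept'}")
```

Note that “password2021” meets the 12-character minimum and is rejected only by the base-word check, and “oscar1!” is caught as guessable only when the user’s name is supplied as context.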
As security professionals, we sometimes stress the importance of solving super complex, hard-to-fix security issues to our clients, when we should be focusing more on the simple.
To our clients: your company’s security is not just a one-and-done Jira ticket; it’s an ongoing battle requiring investment from the bottom up all the way to upper management. However, starting with what’s simple in security will give you and your organisation a fighting chance.