Attacks/Breaches

1/18/2017
01:45 PM
Kelly Sheridan
Kelly Sheridan
Slideshows
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

7 Common Reasons Companies Get Hacked

Many breaches stem from the same root causes. What are the most common security problems leaving companies vulnerable?
Previous
1 of 8
Next

(Image: Wk1003mike via Shutterstock)

(Image: Wk1003mike via Shutterstock)

Businesses suffering from security breaches span all sizes and industries, but they often make the same mistakes. Many cyberattacks in 2016 could be attributed to similar root causes.

To be fair, security pros continue to face the same challenges, explains Diana Kelley, global executive security advisor at IBM. The most common causes behind major breaches can be grouped into two categories, she says: humans and hygiene.

The human factor relates to employees' behavior and how they interact with enterprise systems. Cyber hygiene refers to how businesses keep their systems patched and updated.

Each of these broader terms encompasses several bad practices, mistakes, and overlooked steps that contributed to security breaches in 2016. What were some of the most common reasons companies got hacked last year? Read on to find out.

 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Previous
1 of 8
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
VesnaE29
50%
50%
VesnaE29,
User Rank: Apprentice
1/28/2017 | 10:10:34 PM
Reasons why companies get hacked
Here is an admission of guilt - I used to hack when i was in my 20s and when I thought it was fun slipping trojans into peoples emails, running port scans and checking for open telnet ports.  It was kind of, well, fun and exhilareting to do something others didn't know how to do.  What that makes you realise is that people are well, lazy when it comes to securing their data.  People fail to realise what their data is worth to someone else, period.  And to be honest here, social engineering never, ever seems to fail.  You can have 10 firewalls sitting around your data and have a DMZ inside the DMZ, but all it takes is for a person to off handedly mention an IP address you can use, or a password for a device that allows you to get onto another advice and then get to that dbase that holds the information you want to access.  The way I see it, educating people is the ONLY way to go.  Teach people how to write good codes. Teach them how to recognise corrupt codes. Teach them to keep their egos in check and not just broadcast information about secure data to others, because that exposes them to social engineering risks.  Education and more education is the key.  I don't think it will ever stop hacking and cyber attacks because there are a lot of curious people out there, but at least it will minimise the damage when data security breaches and thefts occur.   
Redhat62!
0%
100%
Redhat62!,
User Rank: Apprentice
1/27/2017 | 12:45:19 PM
Password? Really?
What evidence exists that default non-unique, or weak passwords are a common reason?
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/26/2017 | 11:23:04 AM
Re: Company Hack
@kbannan: Interesting point, considering that German and Russian government entities have reportedly gone back to typewriters in some instances to increase data security on particularly sensitive matters.

What this comes down to is M&M security (hard on the outside, soft in the middle) vs. holistic security throughout.  The locks on my office door are probably easy to bypass for someone wilful enough.  But the lock on my office safe presents a new and harder challenge.  If I don't have that safe or don't use that safe, however, then a bad guy just needs to get past my office door.

The same principle applies equally among both physical security and cyber security, of course.
Navrit
50%
50%
Navrit,
User Rank: Apprentice
1/25/2017 | 6:02:08 AM
Re: Missing #8: Being a target
This article is d 'Une grande importance Parce Que pour moi la sécurité de nos Données is a première et essentielle commentaire réussir in the sauvegarde de nos informations et d' eviter tout tracas et perte de Données.  
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/24/2017 | 8:30:40 AM
Missing #8: Being a target
While these are great examples of *how* a company can get hacked, one of the biggest *whys* in my experience -- and perhaps a more powerful "security" flaw than any of those listed here -- is being a big target in the first place.

Consider Sony, which sued a 13-year-old hacker for modifying his PlayStation.  In the wake of the PR disaster that followed, the company and its PlayStation Network suffered countless mega-hacks.  In choosing to listen to the legal department without properly taking into account any counterbalancing viewpoints erring on the side of risk management, Sony may as well have painted a big red target on its back and announced to the world, "Open for hacking!"

Less notoriously, consider the University of Virginia hack a couple years ago that was traced back to Chinese operatives.  The only information, apparently, that the hackers wanted was in relation to two particular employees.  Employing these two high-interest individuals was enough to bring U-Va. within the crosshairs of nation-state hackers.

Flaws are flaws.  Everybody has security flaws.  But there is something to the idea of security by obscurity.
kbannan100
50%
50%
kbannan100,
User Rank: Apprentice
1/23/2017 | 11:45:00 PM
Re: Company Hack
Agree! And when people do something silly like not changing passwords, leaving ports open or not setting expectations of users the problem is only compounded. There was a recent Ponemon study, for instance, that found 62 percent of respondents were pessimistic about their ability to prevent the loss of data contained in printer mass storage and/or printed hard copy documents. They gave reasons for their feelings. You can read the rest of the blog here. It's a bitly: /2cFfLM2

--Karen Bannan for IDG and HP
kevinmn
50%
50%
kevinmn,
User Rank: Apprentice
1/18/2017 | 8:58:57 PM
Company Hack
well! in my point of view, there are many reasons that a company may be hacked. It's a long war between companies and hackers. When you look at why people are still getting hacked or breached, I think a big contributor to that is either not knowing if you were patched or if you were patched and you were secure at one point, but something happened in operations that caused you not to be patched again
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
Why Enterprises Can't Ignore Third-Party IoT-Related Risks
Charlie Miller, Senior Vice President, The Santa Fe Group,  5/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11311
PUBLISHED: 2018-05-20
A hardcoded FTP username of myscada and password of Vikuk63 in 'myscadagate.exe' in mySCADA myPRO 7 allows remote attackers to access the FTP server on port 2121, and upload files or list directories, by entering these credentials.
CVE-2018-11319
PUBLISHED: 2018-05-20
Syntastic (aka vim-syntastic) through 3.9.0 does not properly handle searches for configuration files (it searches the current directory up to potentially the root). This improper handling might be exploited for arbitrary code execution via a malicious gcc plugin, if an attacker has write access to ...
CVE-2018-11242
PUBLISHED: 2018-05-20
An issue was discovered in the MakeMyTrip application 7.2.4 for Android. The databases (locally stored) are not encrypted and have cleartext that might lead to sensitive information disclosure, as demonstrated by data/com.makemytrip/databases and data/com.makemytrip/Cache SQLite database files.
CVE-2018-11315
PUBLISHED: 2018-05-20
The Local HTTP API in Radio Thermostat CT50 and CT80 1.04.84 and below products allows unauthorized access via a DNS rebinding attack. This can result in remote device temperature control, as demonstrated by a tstat t_heat request that accesses a device purchased in the Spring of 2018, and sets a ho...
CVE-2018-11239
PUBLISHED: 2018-05-19
An integer overflow in the _transfer function of a smart contract implementation for Hexagon (HXG), an Ethereum ERC20 token, allows attackers to accomplish an unauthorized increase of digital assets by providing a _to argument in conjunction with a large _value argument, as exploited in the wild in ...