Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
7 Common Reasons Companies Get Hacked
Newest First  |  Oldest First  |  Threaded View
VesnaE29
50%
50%
VesnaE29,
User Rank: Apprentice
1/28/2017 | 10:10:34 PM
Reasons why companies get hacked
Here is an admission of guilt - I used to hack when i was in my 20s and when I thought it was fun slipping trojans into peoples emails, running port scans and checking for open telnet ports.  It was kind of, well, fun and exhilareting to do something others didn't know how to do.  What that makes you realise is that people are well, lazy when it comes to securing their data.  People fail to realise what their data is worth to someone else, period.  And to be honest here, social engineering never, ever seems to fail.  You can have 10 firewalls sitting around your data and have a DMZ inside the DMZ, but all it takes is for a person to off handedly mention an IP address you can use, or a password for a device that allows you to get onto another advice and then get to that dbase that holds the information you want to access.  The way I see it, educating people is the ONLY way to go.  Teach people how to write good codes. Teach them how to recognise corrupt codes. Teach them to keep their egos in check and not just broadcast information about secure data to others, because that exposes them to social engineering risks.  Education and more education is the key.  I don't think it will ever stop hacking and cyber attacks because there are a lot of curious people out there, but at least it will minimise the damage when data security breaches and thefts occur.   
Redhat62!
0%
100%
Redhat62!,
User Rank: Apprentice
1/27/2017 | 12:45:19 PM
Password? Really?
What evidence exists that default non-unique, or weak passwords are a common reason?
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/26/2017 | 11:23:04 AM
Re: Company Hack
@kbannan: Interesting point, considering that German and Russian government entities have reportedly gone back to typewriters in some instances to increase data security on particularly sensitive matters.

What this comes down to is M&M security (hard on the outside, soft in the middle) vs. holistic security throughout.  The locks on my office door are probably easy to bypass for someone wilful enough.  But the lock on my office safe presents a new and harder challenge.  If I don't have that safe or don't use that safe, however, then a bad guy just needs to get past my office door.

The same principle applies equally among both physical security and cyber security, of course.
Navrit
50%
50%
Navrit,
User Rank: Apprentice
1/25/2017 | 6:02:08 AM
Re: Missing #8: Being a target
This article is d 'Une grande importance Parce Que pour moi la sécurité de nos Données is a première et essentielle commentaire réussir in the sauvegarde de nos informations et d' eviter tout tracas et perte de Données.  
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/24/2017 | 8:30:40 AM
Missing #8: Being a target
While these are great examples of *how* a company can get hacked, one of the biggest *whys* in my experience -- and perhaps a more powerful "security" flaw than any of those listed here -- is being a big target in the first place.

Consider Sony, which sued a 13-year-old hacker for modifying his PlayStation.  In the wake of the PR disaster that followed, the company and its PlayStation Network suffered countless mega-hacks.  In choosing to listen to the legal department without properly taking into account any counterbalancing viewpoints erring on the side of risk management, Sony may as well have painted a big red target on its back and announced to the world, "Open for hacking!"

Less notoriously, consider the University of Virginia hack a couple years ago that was traced back to Chinese operatives.  The only information, apparently, that the hackers wanted was in relation to two particular employees.  Employing these two high-interest individuals was enough to bring U-Va. within the crosshairs of nation-state hackers.

Flaws are flaws.  Everybody has security flaws.  But there is something to the idea of security by obscurity.
kbannan100
50%
50%
kbannan100,
User Rank: Moderator
1/23/2017 | 11:45:00 PM
Re: Company Hack
Agree! And when people do something silly like not changing passwords, leaving ports open or not setting expectations of users the problem is only compounded. There was a recent Ponemon study, for instance, that found 62 percent of respondents were pessimistic about their ability to prevent the loss of data contained in printer mass storage and/or printed hard copy documents. They gave reasons for their feelings. You can read the rest of the blog here. It's a bitly: /2cFfLM2

--Karen Bannan for IDG and HP
kevinmn
50%
50%
kevinmn,
User Rank: Apprentice
1/18/2017 | 8:58:57 PM
Company Hack
well! in my point of view, there are many reasons that a company may be hacked. It's a long war between companies and hackers. When you look at why people are still getting hacked or breached, I think a big contributor to that is either not knowing if you were patched or if you were patched and you were secure at one point, but something happened in operations that caused you not to be patched again


Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18954
PUBLISHED: 2019-11-14
Pomelo v2.2.5 allows external control of critical state data. A malicious user input can corrupt arbitrary methods and attributes in template/game-server/app/servers/connector/handler/entryHandler.js because certain internal attributes can be overwritten via a conflicting name. Hence, a malicious at...
CVE-2019-3640
PUBLISHED: 2019-11-14
Unprotected Transport of Credentials in ePO extension in McAfee Data Loss Prevention 11.x prior to 11.4.0 allows remote attackers with access to the network to collect login details to the LDAP server via the ePO extension not using a secure connection when testing LDAP connectivity.
CVE-2019-3661
PUBLISHED: 2019-11-14
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows remote authenticated attacker to execute database commands via carefully constructed time based payloads.
CVE-2019-3662
PUBLISHED: 2019-11-14
Path Traversal: '/absolute/pathname/here' vulnerability in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows remote authenticated attacker to gain unintended access to files on the system via carefully constructed HTTP requests.
CVE-2019-3663
PUBLISHED: 2019-11-14
Unprotected Storage of Credentials vulnerability in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows local attacker to gain access to the root password via accessing sensitive files on the system.