by Ian Heritage
The cybercrime economy has an insatiable appetite. It’s a beast that generates an estimated $1.5 trillion each year, feeding in part off stolen data grabbed in large-scale breaches. Over the past few years both organisations and consumers have arguably become desensitised to these, although with the advent of the GDPR there’s a major new incentive for boards to take security seriously. The latest incidents at CafePress and StockX serve as a depressing reminder that firms are still getting things wrong.
If you are an IT/security leader and need a refresher in current best practices for data security and incident response, Trend Micro’s CLOUDSEC conference next month could offer a great opportunity.
Focus on response
No organisation can expect to be 100% secure today. The odds are stacked too heavily in favour of the attacker. But they can be quick to react to a possible intrusion, blocking and kicking out the hackers before they’ve had a chance to impact the business. Yet both CafePress and StockX have come under criticism for their handling of the respective breaches.
In the case of online merchandise store CafePress, the breach of an estimated 23 million customers was first reported on breach notification site HaveIBeenPwned? in August, despitethe incident occurring back in February. It’s unclear how attackers broke into to the firm’s customer database, but it has been revealed that around half the passwords in the trove were protected by the weak SHA-1 algorithm. The firm’s sluggish approach to notifying its customers, coupled with its storage of passwords in a potentially crackable format, may have put them at extra risk.
In the case of StockX, a database of over 6.8 million user accounts is reportedly already being sold and distributed online. Username and password combinations are fetching as little as $2 and a dark web user has apparently already decrypted the MD5-hashed passwords. It’s fairly certain that these credentials, like those of the CafePress breach, will be used in automated credential stuffing attacks designed to crack open accounts with the same log-ins.
Lessons from the experts
While it’s certainly the responsibility of users to manage their passwords securely, via a password manager and/or 2FA, there are clearly things the firms in question could have done better to reduce the impact of the breaches. Under GDPR rules, notification must happen within 72-hours, for example. Regulators would also take a dim view of firms using weak encryption to protect key data.
Best practice security evolves over time, so it always pays for CISOs to stay abreast of the current recommended advice. That’s where conferences like CLOUDSEC can come in handy, by offering an opportunity to hear from security leaders, industry practitioners and global experts. This year’s event features keynotes from CISOs at Thomson Reuters, Oxford University and Swedish giant Stena alongside Trend Micro experts, a former White House CIO and the UN’s Cybercrime and Cryptocurrency Advisor.
Throughout there’ll be a focus on real-life examples and case studies, to inform and educate attendees about the latest developments in the threat landscape, and how their peers have been able to successfully mitigate cyber risk.
Make sure you book your place at this year’s event today!
What: CLOUDSEC 2019
When: 13 September 2019
Where: Old Billingsgate Market, London