Your organization likely realizes the unfettered access that traditional IT privileged accounts provide and has taken proactive steps to lock down access to these accounts. But what about critical business systems that offer the ability to cause reputational damage or that provide access to monetizable data, such as protected health information (PHI), credit card numbers, and social security numbers?
These systems provide access to a wealth of highly sensitive and valuable information, making them attractive targets for attackers. And yet, the accounts that access them are rarely given the same level of protection as traditional privileged accounts.
In part one, we looked at three critical business systems that are often overlooked from a security perspective. Today, we’ll look at three more business systems, and how they could be putting your organization at risk for a breach.
4) Social Media
Another security area that is often overlooked is company social media accounts, such as Twitter, LinkedIn, and Facebook. Leaving these accounts poorly protected puts your company at risk of major embarrassment and brand damage.
Unfortunately, social media accounts are rarely treated with the same care as other corporate assets. Often they are protected by nothing more than a username and password, or a single set of credentials is shared among several people. Furthermore, these accounts are frequently handed to interns or entry-level marketing personnel to manage, increasing the risk of human error.
As a result, there is a high risk that an attacker guesses or obtains the account password and begins posting content that damages the company's or an individual's reputation.
One hacking group in particular, OurMine, has gained a reputation for taking over social media accounts by reusing credentials exposed in other public data breaches. Recent OurMine takeovers include HBO, Sony PlayStation, and Facebook CEO Mark Zuckerberg.
In the case of Sony PlayStation, OurMine was able to take over the company's Twitter and Facebook accounts, tweeting "PlayStation Network Databases leaked #OurMine" to the company's millions of followers. The group also claimed to have breached a confidential database, although it did not publish any of the information.
While OurMine's primary purpose in taking over accounts is to advertise its own IT security service, there is often little in place to stop more malicious groups from hijacking accounts and posting damaging information or extorting individuals or companies.
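The takeover technique described above works because a password leaked from one breach is reused elsewhere, and a shared password with no second factor has no other line of defense. The following Python script is an added example, not code from the original post or from any vendor: it audits a (constructed) export of a password vault holding the company's social media credentials against a (constructed) offline breach list in the SHA-1 `HASH:COUNT` layout used by downloadable "pwned password" lists, and flags passwords seen in breaches, passwords reused across accounts, credentials shared by more than one person, and accounts without MFA. The account names, passwords, and counts are all illustrative.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VaultEntry:
    """One record from a password-vault export (hypothetical layout)."""
    platform: str
    login: str
    owners: tuple[str, ...]   # people who know this password
    password: str             # plaintext, as a vault export would hold it
    mfa_enabled: bool


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the key format of offline breached-password lists."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_pwned_hashes(lines):
    """Parse 'HASH:COUNT' lines into {hash: count}; skips blanks and comments."""
    table = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, count = line.partition(":")
        table[digest.upper()] = int(count or 0)
    return table


def audit_accounts(entries, pwned):
    """Return {platform:login -> [finding, ...]} for every weak account."""
    findings = defaultdict(list)
    by_hash = defaultdict(list)   # detect the same password on several accounts
    for e in entries:
        key = f"{e.platform}:{e.login}"
        digest = sha1_upper(e.password)
        by_hash[digest].append(key)
        if digest in pwned:
            findings[key].append(f"password seen in {pwned[digest]} breach records")
        if len(e.owners) > 1:
            findings[key].append(f"shared credential ({len(e.owners)} people)")
        if not e.mfa_enabled:
            findings[key].append("MFA not enforced")
    for keys in by_hash.values():
        if len(keys) > 1:
            for k in keys:
                others = ", ".join(o for o in keys if o != k)
                findings[k].append(f"same password reused on {others}")
    return dict(findings)


# Constructed breach list: hashes are computed here from known-weak strings so the
# example runs offline; in practice this is the downloaded list, never rebuilt.
CONSTRUCTED_PWNED = [
    "# sha1:count (constructed sample)",
    f"{sha1_upper('password')}:3730471",
    f"{sha1_upper('Summer2016!')}:41203",
]

# Constructed vault export for three brand accounts.
CONSTRUCTED_VAULT = [
    VaultEntry("twitter", "social@example.com", ("intern", "marketing-lead"),
               "Summer2016!", mfa_enabled=False),
    VaultEntry("facebook", "social@example.com", ("marketing-lead",),
               "Summer2016!", mfa_enabled=True),
    VaultEntry("linkedin", "comms@example.com", ("comms-manager",),
               "xq7!Vb#2pLm9$Ke0wR", mfa_enabled=True),
]

if __name__ == "__main__":
    report = audit_accounts(CONSTRUCTED_VAULT, load_pwned_hashes(CONSTRUCTED_PWNED))
    for account, issues in sorted(report.items()):
        print(account)
        for issue in issues:
            print("  -", issue)
```

Run it from a machine that is allowed to handle the vault export, and treat the export itself as privileged data: the script only needs it long enough to hash each password. The clean LinkedIn entry produces no output; the Twitter entry collects all four findings.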
5) Websites and Customer Portals
Websites and customer portals are designed for the convenience of the visitor and customer, with security often being an afterthought. The reality is, if the security controls are too burdensome, customers will simply go to competitors’ sites.
Unfortunately, websites and portals are frequently exposed by weak sign-in protections and missing patches.
Earlier this year, attackers exploited an unpatched vulnerability (CVE-2017-5638) in the Apache Struts web framework underlying one of Equifax's consumer-facing web applications to steal the personal and financial data Equifax held on 143 million individuals. The fix had been available for about two months before the intrusion, but the IT team had not deployed it.
In the case of Verizon Enterprise Solutions, attackers found and exploited security vulnerabilities in its enterprise client portal. As a result, they stole records on more than 1.5 million Verizon enterprise customers.
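The Equifax lesson is that the gap between a fix being published and a fix being deployed is itself the exposure window. The following Python script is an added example, not code from the original post or from any vendor: it compares a (constructed) inventory of deployed components against a (constructed) advisory table, treats a deployment as patched only when it is at or above the first fixed release on its own branch, and reports the number of days each unpatched host has been exposed. Component names, version numbers, advisory identifiers, and dates are all illustrative, not real products or CVEs.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    component: str
    advisory_id: str            # constructed identifier, not a real CVE
    published: date             # date the fixed release became available
    fixed_in: tuple[str, ...]   # first fixed release on each supported branch


@dataclass(frozen=True)
class Deployment:
    host: str
    component: str
    version: str


def parse_version(v: str) -> tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in v.split("."))


def _padded(a: tuple[int, ...], b: tuple[int, ...]):
    # Pad the shorter tuple with zeros so "2.5.10" compares as "2.5.10.0".
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def is_at_least(installed: str, fixed: str) -> bool:
    a, b = _padded(parse_version(installed), parse_version(fixed))
    return a >= b


def same_branch(a: str, b: str) -> bool:
    """Two versions are on the same branch when major.minor agree."""
    return parse_version(a)[:2] == parse_version(b)[:2]


def audit_patch_lag(deployments, advisories, as_of: date):
    """Return one finding per (host, advisory) that is still unpatched on as_of."""
    findings = []
    for d in deployments:
        for adv in advisories:
            if adv.component != d.component:
                continue
            branch_fixes = [f for f in adv.fixed_in if same_branch(d.version, f)]
            if branch_fixes and any(is_at_least(d.version, f) for f in branch_fixes):
                continue  # patched on its own branch
            findings.append({
                "host": d.host,
                "component": d.component,
                "installed": d.version,
                "advisory": adv.advisory_id,
                # None means the branch has no fixed release: upgrade branches.
                "fix": branch_fixes[0] if branch_fixes else None,
                "days_exposed": (as_of - adv.published).days,
            })
    return findings


# Constructed advisory: the fix shipped on two supported branches.
CONSTRUCTED_ADVISORIES = [
    Advisory("example-web-framework", "EXAMPLE-2017-001",
             date(2017, 3, 1), ("2.3.32", "2.5.10.1")),
]

# Constructed deployment inventory.
CONSTRUCTED_DEPLOYMENTS = [
    Deployment("portal-01", "example-web-framework", "2.3.31"),    # behind on 2.3
    Deployment("portal-02", "example-web-framework", "2.5.10.1"),  # patched
    Deployment("portal-03", "example-web-framework", "2.5.10"),    # one point release short
    Deployment("portal-04", "example-web-framework", "2.1.8"),     # unsupported branch
    Deployment("batch-01", "example-other-lib", "4.2.0"),          # no advisory
]

if __name__ == "__main__":
    for f in audit_patch_lag(CONSTRUCTED_DEPLOYMENTS, CONSTRUCTED_ADVISORIES, date(2017, 5, 1)):
        target = f["fix"] or "no fix on this branch"
        print(f"{f['host']}: {f['component']} {f['installed']} vs {f['advisory']} "
              f"(fix: {target}, exposed {f['days_exposed']} days)")
```

Feed the real advisory feed and asset inventory into the same shape and the `days_exposed` column becomes the number your patch SLA is measured against; a host whose `fix` is `None` needs a branch upgrade, not a point release.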
6) Collaboration and Project Software
Collaboration software such as Slack or HipChat is designed to foster open sharing of ideas and teamwork. However, it can be a challenge to secure these platforms without being perceived as getting in the users' way.
This software suffers from weaknesses similar to those of websites and portals: weak sign-in protections and missing patches. This can be a particular problem for higher education institutions, where a premium is placed on collaboration and security controls often run against the institutional culture.
Companies such as Wickr are trying to make collaboration software more secure by end-to-end encrypting the messages sent on their platforms. Whether users will accept the additional steps that encryption brings remains to be seen.
Taking Steps to Protect Your Organization
And there you have it, six critical business systems that could be putting your organization at risk. Has your organization taken the proper steps to lock down access to these systems?
To learn more about how to protect these systems and why your organization should treat every account as privileged, download our ebook, Why Your Organization Should Treat Every Account as Privileged.