A crash course in data compromise
Here are 10 ways to guarantee the bad guys breach your business’ information security or that of your customers
By J. Andrew Valentine
Reading the news, it seems like every organisation is getting hacked and losing all kinds of sensitive information – credit and debit card accounts, social security numbers, even medical histories.
Some IT managers whose businesses have so far avoided such breaches must feel like they’re missing out on all the excitement. Why else would they not have taken basic steps to secure their data? It’s for that hardy breed that seems to crave the drama of upset customers and lost business that we’ve prepared these 10 tips to help make sure your business suffers a data compromise, sooner or later (but hopefully sooner, right?).
10. Don’t bother to create a data retention policy.
Too busy to define policies around the management of sensitive data within your organisation? Don’t bother creating them. Better yet, don’t even acknowledge that your business handles sensitive information at all.
For many businesses, a well organised data retention policy provides specific guidelines and procedures for the management of sensitive data. In most cases, this policy is constructed not as a redundant review of other existing policy points, but rather as an overarching management tool that dictates a business’ data retention posture.
Based on both regulatory policy and specific business requirements, different types of data might require different lengths of retention, as well as varying storage methods. Consequently, this ‘across the board’ data retention policy would dictate how long various types of information would be maintained within your information systems, describe the procedures for archiving that information and provide appropriate methods for destroying that information once the retention period has been met.
But your business wouldn’t need anything like that, now, would it?
9. Store sensitive data unprotected - especially credit card numbers.
Your information systems are working perfectly. So what if you’re storing sensitive credit and debit card account information? No one is ever going to try to compromise you. The bad guys only go after the bigger fish. In fact, if you never go to the trouble of inventorying the types of data you’re storing, no one else will either, right? Besides, there’s really no need to go messing with information systems that are working so well. To go in and remove sensitive data, well, that would just take up way too much time. Encrypting sensitive data? Heck, that would take even more effort.
The fact is most businesses that suffer data compromise don’t even know they’re storing sensitive information in the first place. When it happens to you, you’re going to need to be able to plead ignorance as well.
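One concrete way to find out what card data has actually been accumulating on a system, as an added example and not anything from the original article: a small Python scanner that pulls 13 to 19 digit runs out of text, keeps only those that pass the Luhn mod-10 check every card number carries (which throws away most order numbers, phone numbers and timestamps), and reports them masked so the inventory itself does not become a new cache of PANs. The log lines are constructed for this example; the Luhn-valid numbers in them are the public Visa and American Express test numbers. A Luhn hit is not proof of a card number, so review matches before acting, and remember that the same sweep belongs on databases, backups, exports and swap files, not just log files.

```python
import re
from typing import List, Tuple

# Constructed sample of point-of-sale log lines for this example (not real data).
# The Luhn-valid card numbers are the public Visa/Amex test numbers; the
# order number and phone number are there to show what the scanner rejects.
SAMPLE_LOG = """\
2007-03-02 14:12:01 POS01 sale approved card=4111 1111 1111 1111 amt=19.99
2007-03-02 14:12:05 POS01 order=1234567890123 status=shipped
2007-03-02 14:13:40 POS02 sale approved card=378282246310005 amt=120.00
2007-03-02 14:14:02 POS02 customer phone=+44 20 7946 0958
2007-03-02 14:15:11 POS03 sale declined card=4111-1111-1111-1112 amt=5.00
"""

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces or
# dashes, and not glued to other digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: the checksum every card PAN carries in its last digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, which is all a report should show."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_pan) for every Luhn-valid candidate in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_ok(digits):
                hits.append((line_no, mask_pan(digits)))
    return hits


def scan_file(path: str) -> List[Tuple[int, str]]:
    """Scan one file; errors='replace' so binary junk doesn't abort the inventory."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_pans(fh.read())


if __name__ == "__main__":
    # Running against the constructed sample flags lines 1 and 3 only.
    for line_no, masked in find_pans(SAMPLE_LOG):
        print(f"line {line_no}: possible PAN {masked}")
```

On the sample, the order number on line 2 and the declined card on line 5 both fail Luhn and are dropped, and the phone number never becomes a candidate because it is too short. The scanner never prints or stores a full PAN; if you widen it to write a report, keep the masking, otherwise the report is one more file an intruder would love to find.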
8. Don’t worry about standard protective measures like anti-virus and firewalls.
Why should you bother with an anti-virus solution on your Windows-based point of sale systems? It’s all a big conspiracy anyway, right? Don’t bother. Anti-virus solutions cost way too much money. And even with the free anti-virus programs, it’s still such a pain to constantly update those virus definitions. Besides, no one would ever install a remote access Trojan horse program on any of your systems. Of course not.
Same thing with network firewalls. Keep telling yourself they’re just a waste of time and money. Why should you bother spending all that energy fine tuning your firewall to keep intruders out of your network? The bad guys have better targets to try to exploit. As long as you keep a low profile, no one will ever notice your network is totally unprotected from the outside.
7. Use business machines to surf the web, download free games, and hang out on MySpace.
Just because that computer is plugged into your business’ network doesn’t mean you shouldn’t have some fun with it. In fact, go ahead and download every interesting little program you come across. See a free game that looks fun? Go ahead and install it. No big deal.
All those random attachments strangers send you via email? Go ahead and open those too. While you’re at it, feel free to surf your MySpace page and install any number of software utilities and plug-ins. Even better, go ahead and surf web pages with adult material right there on your business computer. Sure, you may unwittingly visit ‘drive-by’ web pages that install various types of malware on your system, but it’s so worth it.
6. Make sure to leave default vendor settings.
Your point of sale vendors know what they’re doing. There is absolutely no reason at all to insist that they change default settings on any hardware or software implementations they bring into your business environment. It’s not like they’ve used those exact default settings for every one of their other clients all across the world.
The notion that a vendor would use the same authentication credentials to access different point of sale systems belonging to different businesses? Well, that’s just ludicrous. Even more to the point, a point of sale vendor would never leave remote access tools on your systems unprotected by username and password. Of course they wouldn’t.
So go ahead, leave all of your default authentication and remote access settings. You’ll be fine. Just don’t be surprised when a bad guy changes your default settings for you.
5. Have a totally unprotected wireless network, and connect it to your point of sale systems.
Having a wireless network inside your business is just so helpful. With your wireless devices you can manage inventory, monitor orders and transactions, and provide Wi-Fi connectivity to your customers for free. But really, implementing wireless security controls like WPA encryption just takes so much work (and no, MAC address filtering or disabling SSID broadcast doesn’t count: a spoofed MAC address and a sniffer get past both in minutes). Since your wireless network works so well right out of the box, there’s no reason to change anything now, is there?
And since you’re such a unique risk taker, you should probably go ahead and connect your point of sale server directly into the wireless router you use to provide Wi-Fi access to your customers. Seriously, segmenting the store wireless away from the point of sale system would just take too much time and money anyway. It’s not like anyone would ever try to access your systems without authorisation, right?
4. Remember, unique authentication mechanisms are pointless. They take too much time.
Have you got a whole bunch of people who work at your company who need to access information systems? It makes things a lot easier if you give each of them the same username and password as access credentials. For the best results, make it something really easy, so no one forgets. That way, no one has the bothersome task of managing user accounts.
Better yet, if you want to make things really easy, just forgo using authentication mechanisms at all. You can shave seconds off the time it takes for your employees to access your information systems. Over the course of the fiscal year, all those seconds will add up to minutes you’ll save.
With all that time saved, your business’ productivity will go through the roof. And since you don’t have to pay an employee to be responsible for user-access management, there’s even more profit you can shove in your pocket. And just remember a hacker would never figure out that he doesn’t need authentication credentials to access your systems.
3. Install remote access tools you don’t need and never use.
You may not realise it, but your systems probably already have legitimate remote access tools (like PcAnywhere or VNC) installed. These are legitimate tools that facilitate remote administration and maintenance, usually by the vendors who sell and manage your systems. Thing is, some remote access tools remain on your systems long after they stop being needed; the vendors who install them often fail to remove them once the job is done.
But even if you have remote access tools installed within your environment, don’t worry. It’s not as though the majority of scenarios involving network breach and data compromise on merchant and small business networks are facilitated through the exploitation of legitimate remote access tools. That’d never happen. An intruder using a well-known remote access tool such as VNC or PcAnywhere, typically one left with a default, weak or blank password, to get into a system without authorisation? That’s unheard of, right?
2. Don’t worry about updating software and applications; it takes too much time and energy.
Software updates. What a waste of time. Your systems are working fine as is. There’s no need to install and maintain software and application updates. Who cares if your software vendor no longer supports the payment application you’re using? So what if they’re saying your systems are vulnerable to remote exploit? They’re probably just trying to squeeze more money out of you with these new ‘security features’ like encryption and access control.
It’s really not that imperative for you to check your software vendors' web sites for new security patches or to use automated patching features that some software applications offer. Additionally, staying informed about new and emerging security vulnerabilities isn’t really a big deal.
The exploit code capable of attacking your antiquated systems infrastructure - the code that’s readily available on the Internet - none of that is real. None of it actually works when the bad guys try to use it. Seriously, don’t bother spending the time and money it takes to update software and applications within your organisation. It’s not worth it.
1. Keep telling yourself “The bad guys are never going to come after me”.
Lastly, don’t forget, malicious hackers would never come after a business like yours. You’re way off the radar for them. You can go ahead and retain all the sensitive information you please. You can continue maintaining your lax security measures, or even have none at all. Because, in the end, the bad guys just aren’t interested in you. They’re interested in the other guy. Always remember, yours is the last business these guys would ever try to exploit.
So all you excitement seekers: follow these tips, and you’ll suffer data compromise in no time. If you find that you already practice most of the tips detailed in this article, chances are you’ve already been compromised. You just don’t realise it yet.
J. Andrew Valentine is a security consultant within Verizon Business Security Solutions’ Investigative Response Unit. As an investigator within the Forensics and Incident Response team, Valentine has led many high profile criminal forensic investigations within the United States as well as internationally.