Firms Still Failing Security Basics, Warns ICO

Firms Still Failing Security Basics, Warns ICO
Firms Still Failing Security Basics, Warns ICO
Data protection watchdog the Information Commissioner’s Office (ICO) has warned that many organizations are still haemorrhaging data because they’ve failed to address basic security weaknesses including SQL injection vulnerabilities and unsalted passwords.
In its latest report, the ICO identified eight “important areas of computer security” that firms frequently overlook, which include failing to install software updates and storing personal data in “widely-accessible locations”.
Also criticized by the commissioner were the use of default passwords for things like wireless routers, content management systems and databases.
When it comes to SQL injection flaws, the ICO recommended organizations invest in independent testing of apps before they go live and periodically thereafter.
The watchdog also suggested that all passwords should be hashed and salted “to make brute force attacks less effective”, and that organizations have a plan of action in case of a password breach.
The report also advised firms to use SSL or TLS for all data transfer, to secure data in motion, remembering to ensure that any services use a valid certificate.
It also urged organizations to simplify their IT systems and reduce their risk exposure by thoroughly decommissioning any software or services that are no longer needed.
In addition, the ICO suggested using “periodic port-scanning to check for unnecessary services which have been inadvertently enabled”.
Charles Sweeney, CEO of web filtering firm Bloxx, argued that throwing money at the problem isn’t the solution. He added that in spite of themselves, many firms have ended up with poorly integrated IT systems comprised of multiple point solutions.
“This creates blind spots that make it exceptionally difficult to identify, monitor and manage vulnerabilities across the enterprise,” he said via email. 
“It's the reason that old COBOL applications from twenty years ago can still be exploited by hackers today as a way of gaining access to the corporate infrastructure and why lost laptops 'secured' with weak passwords still strike the fear of God into any IT director when they get left on trains.”
Jane Man, project manager at Rapid7, cautioned that keeping software up-to-date is often easier said than done.
“Software vulnerabilities across an organisation’s complex IT environment can reach hundreds of thousands, while new vulnerabilities are discovered and new patches are released every day,” she added.

 “It can also be challenging for security professionals to get broad organizational buy-in for a consistent patching process, particularly for business critical systems, and it’s important to remember that often it’s a different team or employee that would be responsible for patching.”


What’s Hot on Infosecurity Magazine?