Hackers recently compromised the Gawker Media servers and leaked some 1.4 million user passwords and other confidential information. In a Dec. 17 memo, Gawker Media’s chief technology officer Thomas Plunkett explained how the data breach happened.
“In recent weeks, intruders were able to gain access to our web servers by exploiting a vulnerability in our source code, allowing them to gain access to user data and passwords. With this information, they were able to gain access to the editor wiki, some Gawker Media email accounts, and other external resources. It is clear that the Gawker tech team did not adequately secure our platform from an attack of this nature. We were also not prepared to respond when it was necessary.”
Plunkett said that the company had subsequently “addressed all known vulnerabilities and will continue auditing our systems for security flaws”.
Seth Hanford, operations team lead at Cisco’s IntelliShield, said there were a lot more failures by the Gawker Media team than the ones identified in the memo. These include poor security situational awareness, ineffective incident response, poor password policy for internal users, insufficient patch management, poor handling procedures for sensitive information, limited defense-in-depth protections, and antiquated encryption.
Hanford advised website owners, particular those that publish controversial material, to balance the costs of rigorous information security with the risks of data breaches.
“For the defender, security is never 100% attainable, because at some point the economics of the risk equation will show that it costs more to defend an asset than it does to bear the cost of losing it. If this unbalanced approach were taken, the defender would lose simply by spending through the value of the asset. Likewise, the attacker knows that the defender’s protections are not impenetrable….With every success by an attacker, they have an opportunity to expose a resource whose risk equation may have factored in the protection provided by the asset that the attacker has compromised”, he wrote in a Cisco Security blog.
Mary Landesman, chief security researcher with Cisco, offered a number of steps companies could take to protect confidential information more effectively, including stronger encryption of all data, not just passwords, and user education, instructing users on how to develop stronger passwords and the security dangers of using the same user name and password across sites.
She told Infosecurity that one solution to stop the recent onslaught of data breaches might be legislation requiring companies to adopt stronger information security standards. However, legislation in just one country might not address the data breach problem effectively, since the Internet is an international resource.
“Maybe consumers will get fed up with all the data breaches and ‘legislate’ security by not visiting sites that do not have strong security standards and technology in place”, she added.