ICO Outlines Top Cybersecurity Missteps
New Report Highlights Risks, Mitigation Strategies in UK
The UK Information Commissioner's Office says its breach investigations show that neglecting to keep software security up to date and failing to encrypt online communications are among the top cybersecurity vulnerabilities of government and private-sector organizations.
A new ICO report, "Protecting Personal Data in Online Services: Learning from the Mistakes of Others," highlights eight of the most common IT security vulnerabilities among organizations that have had sensitive information compromised.
"The report ... aims to provide those of you who are not dealing with these problems on a daily basis with an introduction to the key IT security problems that lie behind many of the current, and all too common, data breaches investigated by our office," says Simon Rice, group manager for the ICO's technology team, in a May 12 blog. "In all of these cases, the breaches that occurred could have been prevented, or the consequences greatly reduced, if the organizations had addressed the issues raised in our report."
The top eight computer security vulnerabilities covered in the report include:
- Failure to keep software security up to date;
- Lack of protection from SQL injection;
- Use of unnecessary services;
- Poor decommissioning of old software and services;
- Insecure storage of passwords;
- Failure to encrypt online communications;
- Poorly designed networks processing data in inappropriate areas; and
- Continued use of default credentials, including passwords.
The report offers insights into the issues that could arise from the eight vulnerabilities and provides best practices for avoiding potential IT security incidents. For instance, it points out that default credentials are often provided for services such as firewalls, content management systems or administration accounts for a database. So if an attacker has some indication as to what systems or services an organization uses, the attacker will first consider whether a default password is still being used.
"You should change any default passwords as soon as possible, normally before development or testing begins, and certainly before the relevant software component is put into production," the report says. "Failure to do so means that any personal data processed using that system or service could be at risk from unauthorized access."
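The report's advice is to change defaults before development or testing begins and certainly before production. One way to enforce that is a pre-deployment check that refuses to ship while any configured service still carries a vendor default, an empty password, or a password equal to the username. The following Python is an added example written for this article; it is not code from the ICO report or from any of the organizations named. The `KNOWN_DEFAULTS` table and the sample configuration are constructed for illustration and would, in practice, be populated from the documentation of the products actually deployed.

```python
"""Pre-deployment credential audit (added example, not from the ICO report).

Flags any service whose credential is a known vendor default, an empty
password, or a password that simply repeats the username, so the deployment
pipeline can stop before the component reaches testing or production.
"""
from dataclasses import dataclass

# Constructed table of vendor-default username/password pairs. Usernames are
# compared case-insensitively; passwords are compared exactly.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", ""),
}


@dataclass(frozen=True)
class ServiceCredential:
    service: str    # e.g. "firewall", "cms", "db-admin"
    username: str
    password: str


def credential_findings(cred):
    """Return the list of problems with one credential; an empty list means it passes."""
    findings = []
    if (cred.username.lower(), cred.password) in KNOWN_DEFAULTS:
        findings.append("default credential still in use")
    if cred.password == "":
        findings.append("empty password")
    elif cred.password.lower() == cred.username.lower():
        findings.append("password equals username")
    return findings


def audit_credentials(creds):
    """Audit every configured credential.

    Returns a mapping {service: [findings]} containing only the entries that
    fail; an empty mapping means the configuration is clean.
    """
    report = {}
    for cred in creds:
        problems = credential_findings(cred)
        if problems:
            report[cred.service] = problems
    return report


def deployment_allowed(creds):
    """True only when no configured service fails the audit."""
    return not audit_credentials(creds)


# Constructed sample configuration: three services left in the state the
# report warns about, and one that has been set up properly.
SAMPLE_CONFIG = [
    ServiceCredential("firewall", "admin", "admin"),        # vendor default
    ServiceCredential("cms", "editor", "editor"),            # password == username
    ServiceCredential("db-admin", "root", ""),               # default and empty
    ServiceCredential("db-app", "app_user", "Xk9vQ2LmT7rWb4Pn"),  # passes
]

if __name__ == "__main__":
    for service, problems in audit_credentials(SAMPLE_CONFIG).items():
        print(f"{service}: {', '.join(problems)}")
    print("deployment allowed:", deployment_allowed(SAMPLE_CONFIG))
```

Run as a step in the build or deployment pipeline, the script exits with its findings printed and `deployment_allowed` false until every flagged service has been re-credentialed; the same check can be run at the start of development and testing, which is where the report says defaults should already have been replaced.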
Rice says that while most of the issues covered in the report should be common knowledge to many IT security professionals, "the fact that the same IT security problems continue to crop up in the breaches we investigate suggests that not everyone is as familiar with them as they should be." He adds: "Data protection officers and senior managers have an important role in making sure these improvements are made."
The IT security flaws named in the report were identified during the ICO's investigations into data breach incidents, many of which have resulted in civil monetary penalties against the compromised entities.
In one incident, the ICO fined Sony Computer Entertainment Europe £250,000 after the company failed to keep its software up to date, leading to the details of millions of customers being compromised during a targeted attack.
The ICO fined the British Pregnancy Advice Service £200,000 after a hacker gained access to personal details for about 10,000 of its clients. The charity provides reproductive support services for women. An ICO investigation found that the charity didn't realize its website was storing names, addresses, dates of birth and telephone numbers of people who asked for a call back for advice on pregnancy issues.
A penalty of £100,000 was recently issued against the Kent Police in England for leaving behind confidential information, including copies of police interview tapes, in the basement of their former police station (see: ICO Fines Kent Police £100,000).