Wellness portals store personal health information, so it is important to know the common vulnerabilities and what you can do to protect the data held in your platform.
News reports of large data breaches have become a regular occurrence, such as the recent Anthem data breach in which attackers gained access to databases containing the details of 80 million people.
How Do Data Breaches Commonly Occur?
There are several common types of vulnerabilities that can lead to system compromises and data breaches. Although there are many ways IT systems can be compromised and private information leaked, here are six of the most common ways they happen:
- Application vulnerabilities – where a bug or insecure code allows attackers remote access to application functions. This can lead to various levels of compromise. Because it may be impossible to determine the full extent of an attacker's access, it is always best to plan for the worst-case scenario (listed from bad to worst):
  - Limited access (no access to user accounts / information)
  - Basic access to user account information
  - Application-wide access – administrator or manager level
  - Internal application code and server-wide access
  - Attacker has the ability to run custom code
  - Possibility of gaining access to other servers from the initially compromised system
- Configuration vulnerabilities – There is often pressure, and there are time constraints, on bringing a service into operation. Promoting an application into production requires many technically complex steps, such as preparing the infrastructure, installing the software, configuring it, testing, etc. Each of these steps can introduce vulnerabilities. A security review may be neglected or put off for “later”. This can result in insecure defaults remaining in place, such as default accounts that are still active and allow attackers to gain access.
- Login portal – Vulnerabilities may exist in the login portal that give direct access to users’ data. A common attack is to inject SQL commands into the username field to ‘trick’ the server into accepting the login attempt. Login portals typically accept input from the public Internet, which exposes them to unexpected input values from attackers (often automated scripts). These unexpected input values may interfere with the server’s processing, leading to a compromise. Other attacks exist as well, such as session replay attacks and attacks against SSL (https). Insecure code here can lead to full access to the site if the compromised user account is at administrator level or if the vulnerability is severe enough to allow remote code execution.
- Insecure servers – Servers are very complex, running many different applications and services, and are typically exposed to the Internet. Insecure network ports, weak passwords and vulnerable services are some of the vulnerabilities that can be present. Insecure ports mean unnecessary services are listening on the network that either use insecure protocols (for example, lacking encryption) or allow exploitation by default or through misconfiguration. Even secure open ports can potentially be abused or provide information about the system to attackers.
  - Unnecessary ports left listening on the network (default services not disabled, or old services no longer used) may be forgotten about and present a security risk. Even if the server is behind a firewall, other systems on the same network could easily reach these insecure ports. A compromised system on the same network could scan the network and attempt brute-force attacks against any insecure ports it finds. This is one way attackers gain further access to IT infrastructure. The firewall’s protection may also inadvertently be turned off temporarily during maintenance or reconfiguration, leaving insecure ports vulnerable.
  - Weak passwords, sometimes used temporarily for a test account, can be forgotten about and are easily cracked by attackers using brute-force scripts.
  - Software vulnerabilities are constantly being discovered, with 0-day exploits (when attackers find a vulnerability before the developers do) becoming more common. These vulnerabilities vary in severity from Denial of Service (DoS) to full compromise of the system.
- Network vulnerabilities – Many network devices are remotely manageable and can be prone to the same security issues mentioned above. Network devices are often forgotten about because they play a transparent role in the organization. The network infrastructure as a whole must also be reviewed to ensure possible attack vectors are mitigated. For example, are there network ports available in publicly accessible areas where a stranger could gain access to the network? A thorough review of the wireless network is also essential, especially if smartphones are allowed; for example, what access to internal systems do they have?
- Internal compromises / breaches – According to research by the Ponemon Institute, over a third of infrastructure and data breaches are actually due to staff, either through accidental breaches of privacy / security or intentionally. Common occurrences include:
  - Staff computer compromised, allowing attackers inside the network:
    - Web browsing vulnerabilities (especially plugins, such as Flash and Java)
    - Third-party downloads (such as random Internet games, various non-professional utilities, downloaders, etc., and especially ads that trick the user into downloading something)
    - Phishing and malicious email attachments
    - Running as administrator, which means a malicious program could run with admin rights and compromise the whole system instead of just the user’s profile
  - Accidents – accidentally sending confidential emails to the wrong recipients
  - Loss – lost laptops, USB memory devices, smartphones, etc.
  - Passwords – sharing passwords or giving them out to others, leaving passwords visible, or not taking steps to keep them and the account secure; if multiple staff connect using the same account, it also becomes hard to trace which logins are from attackers
    - Passwords may be used on less secure devices (home PC, etc.) where they may be stolen and used to gain access to the organization.
  - Phishing and email attachments are the most likely causes.
    - Technical controls such as spam filters are unable to block all phishing emails, especially targeted phishing (also known as “spear phishing”).
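The login-portal SQL injection described under "Login portal" above, shown as a vulnerable query beside its parameterised fix. This is an added example, not code from the article; the `users` table, the account and the plaintext password column are constructed for illustration (a real portal stores password hashes).

```python
import sqlite3


def make_db():
    """Constructed in-memory users table with one administrator account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse', 'admin')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting, so quotes and comment
    markers typed into the username field become part of the SQL grammar."""
    sql = (f"SELECT role FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the driver sends the values separately from the
    statement text, so user input can never change the query's structure."""
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # A username that closes the quote, adds an always-true condition and
    # comments out the password check.
    probe = "' OR 1=1 --"
    print("vulnerable:", login_vulnerable(db, probe, "x"))  # 'admin'
    print("safe:      ", login_safe(db, probe, "x"))        # None
```

The same input that grants the vulnerable function an administrator session is simply a non-matching username for the parameterised version.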
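One way to act on the "Insecure servers" point about unnecessary and cleartext listening ports: an allowlist review of a host's listeners. This is an added example, not the article's own tooling; it parses constructed output in the format of `ss -ltn`, and the `CLEARTEXT_PORTS` table and the allowlist are assumptions for the illustration.

```python
# Ports whose protocols carry credentials or data unencrypted. Assumption:
# a small illustrative table, not an exhaustive list.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}

# Address prefixes that mean "reachable only from this host".
LOOPBACK = ("127.", "::1", "[::1]")


def parse_listeners(ss_output):
    """Yield (address, port) for each LISTEN row of `ss -ltn` style output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or blank line
        addr, port = fields[3].rsplit(":", 1)  # handles "[::]:6379" as well
        yield addr, int(port)


def audit_listeners(ss_output, allowed_ports):
    """Return (port, address, reason) for every network-exposed listener that
    either speaks a cleartext protocol or is not on the approved list."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if addr.startswith(LOOPBACK):
            continue  # not exposed to other hosts on the network
        if port in CLEARTEXT_PORTS:
            findings.append((port, addr, f"cleartext protocol ({CLEARTEXT_PORTS[port]})"))
        elif port not in allowed_ports:
            findings.append((port, addr, "not in allowlist: disable or firewall it"))
    return findings


# Constructed sample in the layout of `ss -ltn`; not captured from a real host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*
LISTEN  0       128     [::]:6379            [::]:*
"""

if __name__ == "__main__":
    for port, addr, reason in audit_listeners(SAMPLE_SS, {22, 443}):
        print(f"{addr}:{port} -> {reason}")
```

Run against real `ss -ltn` output, the findings list is what the "forgotten services" review in the text should produce before a firewall change ever exposes them.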