RealTime IT News

Monster Breach Shows Security Needs Rethinking

For some security experts, the recent data breach at job site Monster.com comes as no surprise, and they say enterprises need to reconsider their approach to security.

"When most organizations talk about security, they're talking about network security, which is five years out of date," Brian Contos, chief security strategist at database and Web application security vendor Imperva, told InternetNews.com. "Attackers are focusing on data, not the technology."

The breach was the latest sign that job sites are emerging as targets for hackers owing to the large amount of user data they collect. Monster had previously been breached in August, when attackers compromised more than a million users' records. And earlier this month, security vendor AppRiver warned that it had seen evidence of phishing taking place on the site.

While sites like Monster are finding themselves in hackers' crosshairs, other businesses can learn a great deal from their experiences, observers said.

For one thing, enterprises need to change their approach to security, Contos said. Hackers are moving away from exploiting vulnerabilities that can be blocked by a network firewall or that can be detected by an intrusion prevention system to attacking the data itself through social engineering, he said.

Most existing protection systems work by preventing access to enterprise infrastructure or databases. For example, one of the requirements of the PCI Data Security Standard is that merchants taking debit and credit cards install Web application firewalls in front of customer-facing applications to keep hackers out.

That is not enough, Contos said. "You now need to look at how people are interacting with the data, how much data was downloaded over a period of time, what time of day they accessed the data, whether it's anomalistic," he explained. "You need prevention, detection and rapid response capabilities because ultimately you need to respond."
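The kind of data-centric monitoring Contos describes, as an added example that is not code from the article or from Imperva: it reads constructed audit-log lines of record downloads and flags a user whose daily volume is far above that user's own median, or who pulls records outside business hours. The log format, the business-hours window and the volume multiplier are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample of a data-access audit log: timestamp, user, records returned.
LOG_LINES = """
2009-01-20T09:15:00 recruiter_a 120
2009-01-21T10:02:00 recruiter_a 95
2009-01-22T11:40:00 recruiter_a 130
2009-01-23T03:12:00 recruiter_a 48000
2009-01-20T14:00:00 recruiter_b 200
2009-01-21T15:30:00 recruiter_b 180
2009-01-22T16:10:00 recruiter_b 210
2009-01-23T09:45:00 recruiter_b 190
""".strip().splitlines()

BUSINESS_HOURS = range(7, 20)   # assumption: 07:00-19:59 is normal working time
VOLUME_FACTOR = 10              # assumption: 10x a user's median daily volume is anomalous

def parse(lines):
    """Turn each 'timestamp user count' line into (datetime, user, int)."""
    events = []
    for line in lines:
        ts, user, count = line.split()
        events.append((datetime.fromisoformat(ts), user, int(count)))
    return events

def daily_volumes(events):
    """Sum records downloaded per user per calendar day."""
    per_user_day = defaultdict(lambda: defaultdict(int))
    for ts, user, count in events:
        per_user_day[user][ts.date()] += count
    return per_user_day

def find_anomalies(lines):
    """Return (user, when, reason, count) tuples for volume and off-hours outliers."""
    events = parse(lines)
    alerts = []
    for user, by_day in daily_volumes(events).items():
        baseline = median(by_day.values())   # the user's own normal daily volume
        for day, total in sorted(by_day.items()):
            if total > VOLUME_FACTOR * baseline:
                alerts.append((user, str(day), "volume", total))
    for ts, user, count in events:
        if ts.hour not in BUSINESS_HOURS:
            alerts.append((user, ts.isoformat(), "off_hours", count))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(LOG_LINES):
        print(alert)
```

Comparing each user against their own baseline rather than a global threshold is what lets a bulk pull stand out even when the records are fetched through a perfectly valid session.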

How Monster responds to the latest breach will also be educational for other industries. Whether Monster.com's parent company Monster Worldwide (NASDAQ: MNST) was aware that some accounts had been phished remains unknown, as Nikki Richardson, its senior vice president of corporate communications, declined to discuss that issue with InternetNews.com because the breach is under investigation.

But, as the latest breach shows, its security had not been up to scratch, even after its earlier hack. In that earlier breach, confidential information about 1.3 million users was stolen.

Lightning does strike twice

In the latest breach, attackers retrieved user IDs and passwords for the site. The hackers also obtained users' date of birth information, gender, ethnicity and, in some cases in the U.S. only, the state of residence, Richardson said.

While users' social security numbers and personal financial data were not exposed, because Monster.com does not collect that data, the thieves still have more than enough information to clearly identify anyone whose data was stolen.

Richardson declined to discuss details about the breach or confirm reports that about four and a half million users' data was stolen this time. "The matter is under investigation and we're working with the appropriate law enforcement agencies," she said.

She would not comment on whether USAJobs.gov, the federal government jobs Web site which relies on Monster.com for its database listings, was also hit by the hackers. In the previous breach in August, some USAJobs.gov users' data was also stolen.

Both Monster.com and USAJobs.gov put out a letter on their respective sites on Friday warning users about the breach and telling them to take precautions against being phished and to change their passwords.

The Office of Personnel Management, which administers USAJobs.gov, did not respond to requests for comment by press time.