The monetary penalty notice issued by the Information Commissioner’s Office identified 12 failings in Cathay Pacific’s security measures. I have extracted these as a simple list and suggest that all organisations check for similar issues:
- Database backups were not encrypted.
- An internet-facing server was accessible through a known and publicised vulnerability; both the vulnerability and its fix had been public knowledge for around 10 years.
- An administrator console was exposed to the public internet.
- One system ran on an operating system that was no longer supported by its vendor, and so no longer received security patches.
- There was no evidence of adequate server hardening (removing unnecessary services, features and default settings to reduce the attack surface).
- Network users could authenticate past the VPN without multi-factor authentication.
- Anti-virus protection was inadequate.
- Patch management was inadequate.
- Accounts were granted inappropriate privileges.
- Penetration testing was inadequate.
- Data retention periods were too long.
- Security solutions that were in place were not properly managed, and the organisation did not adhere to its own policies.