IT Security Rewind – Week of November 14, 2011

The Thanksgiving holiday is a great time to reflect on the things we are grateful for in IT security like data protection, fraud prevention, identity management and other preventative approaches. Here’s our look at the biggest stories of the week, where those approaches may have failed.  IT teams take note, don’t let these headlines ruin your turkey dinner:

From Russia, with No Love: According to reports from Wired and CNET, hackers from Russia were able to destroy a water pump at a utility in Illinois by hacking into its SCADA system. This is a disturbing attack, as the hackers apparently breached the network of the company that made the SCADA system, stealing customer usernames and passwords. Worse—this appears to be very similar in scope and process to the recent RSA breach, and it also highlights the continued vulnerability of SCADA systems to these types of attacks (and the importance of controlling privileged access points and hardcoded passwords).

No Safe Space: Details are just beginning to form surrounding news of a Romanian hacker accused of hacking into NASA beginning on Dec. 12, 2010. Authorities claim that the hacker was able to obtain unauthorized access to protected data—an indication that abuse of privileges may have occurred. The hacker, who ended up destroying most of the data, was arrested and charged with multiple crimes.

No One Loves the IRS, Especially the GAO: In broader security news, the Government Accountability Office (GAO) has blasted the Internal Revenue Service (IRS) for failing to implement stronger security measures after numerous reports regarding organizational weakness in internal control over information security. The GAO takes particular exception to the IRS’s “deficiencies in its controls over access to the automated systems and software applications” and other weaknesses that “increase the risk of unauthorized individuals accessing, altering, or abusing proprietary IRS programs and electronic data and taxpayer information.” If the details are true, it’s quite evident that the IRS is not effectively and proactively managing privileged accounts and identities.

That’s our news for this week—let us know what we missed, and what you are, or aren’t thankful for in the realm of IT security!

Blended Attacks: The Nasdaq Edition

Despite spending nearly $1 billion a year defending itself against constant cyber attacks, news broke late last week in an exclusive report from Reuters that “the hackers who infiltrated the Nasdaq’s computer systems last year installed malicious software that allowed them to spy on the directors of publicly held companies.”

According to the story, the Nasdaq case, reportedly similar to the attack against RSA earlier this year, is an example of a “blended attack,” where elite hackers infiltrate one target to facilitate access to another. Nasdaq has said that hackers attacked a Web-based software program called Directors Desk, used by corporate boards to share documents and communicate with executives, among other things. By infecting Directors Desk, the hackers were able to access confidential documents and the communications of board directors.

As Jaikumar Vijayan emphasized in his recent article for Computerworld, “Despite Stuxnet, Duqu, control system flaws still overlooked,” most efforts to fix infrastructure threats are wrongly focused. It seems Nasdaq learned the hard way that throwing a large budget at a security issue to build up perimeter walls won’t fix an issue that’s already inside. “God knows exactly what they have done. The long term impact of such attack is still unknown,” Tom Kellermann, a well-known cyber security expert, told Reuters of the attack.

Cyber-Ark believes that regardless of the attack vector, there must be heightened emphasis on the importance of proactively locking down and isolating sensitive information, and maybe even more critically, the servers, systems and applications where this confidential information resides or is transmitted to or from.  Post-fact reaction by its very nature means that the vulnerability has already been leveraged.  Only truly proactive, preventative approaches can help organizations guard themselves from these types of ongoing and often persistent attacks.

Additionally, it’s important to examine the concept of enforcing the rule of least privilege for end-users and security administrators – the idea being to provide only the amount of privilege necessary for a given activity. What’s often overlooked is how these accounts can be tampered with to provide unwanted ‘escalation of privileges’ to aid in persistent attacks – as appears to have happened in the Nasdaq case.

In the RSA case, recommendations to customers included enforcing strong password and PIN policies, watching closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and considering adding more levels of manual approval for those changes. Could these steps have helped Nasdaq? It will be interesting to learn more as this story continues to unfold.
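As an added illustration of the “watch closely for changes in user privilege levels” recommendation above (example code written for this post, not code from Cyber-Ark, RSA or Nasdaq), the following detector walks a stream of audit-log lines and raises an alert whenever an account is added to a privileged group without a change ticket, when an account elevates itself, or when a dormant account is re-enabled. The log format, the group names, the `ticket=` field and the sample lines are all constructed assumptions; a real SIEM rule would map them onto whatever the directory or host actually emits.

```python
"""Flag privilege-level changes in an audit-log stream (constructed example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Groups whose membership changes should always be reviewed (assumed names).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "sudo"}

# Constructed key=value audit lines; quoted values may contain spaces.
SAMPLE_LOG = """\
ts=2011-10-31T09:12:01Z event=group_member_added actor=helpdesk1 target=jsmith group="Remote Desktop Users" ticket=CHG-1042
ts=2011-10-31T09:14:55Z event=group_member_added actor=svc_backup target=svc_backup group="Domain Admins"
ts=2011-10-31T09:15:02Z event=account_enabled actor=svc_backup target=admin_old
ts=2011-10-31T09:16:30Z event=group_member_added actor=it_lead target=jdoe group="Administrators" ticket=CHG-1043
ts=2011-10-31T09:20:11Z event=login_success actor=jdoe target=fileserver01
"""

# key=value or key="quoted value" pairs
LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Turn one key=value audit line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in LINE_RE.findall(line)}


@dataclass
class Alert:
    ts: str
    severity: str   # high / medium / low
    reason: str
    actor: str
    target: str


def evaluate(event: dict) -> Optional[Alert]:
    """Apply the privilege-change rules to a single parsed event."""
    etype = event.get("event")
    ts = event.get("ts", "?")
    actor = event.get("actor", "?")
    target = event.get("target", "?")

    if etype == "group_member_added":
        group = event.get("group", "")
        if group not in PRIVILEGED_GROUPS:
            return None                      # ordinary group: not interesting here
        if actor == target:
            # An account granting itself admin rights is the classic escalation pattern.
            return Alert(ts, "high", f"self-elevation into {group}", actor, target)
        if "ticket" not in event:
            # Privileged change with no approval record: the manual-approval step was bypassed.
            return Alert(ts, "high", f"unapproved addition to {group}", actor, target)
        # Approved change: still logged so reviewers can spot-check tickets later.
        return Alert(ts, "low", f"approved addition to {group} ({event['ticket']})", actor, target)

    if etype == "account_enabled":
        # Re-enabling an old account is a common way to obtain a quiet foothold.
        return Alert(ts, "medium", "disabled account re-enabled", actor, target)

    return None


def detect(log_text: str) -> list:
    """Run every non-empty line through the rules and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = evaluate(parse_line(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity:6}] {a.ts} {a.actor} -> {a.target}: {a.reason}")
```

Run against the sample, the detector raises a high alert for `svc_backup` adding itself to Domain Admins, a medium alert for the re-enabled `admin_old` account, and only a low, review-later alert for the ticketed change by `it_lead`; the helpdesk change to a non-privileged group and the ordinary login produce nothing, which is the point of tying severity to the privilege level of the group rather than to the event type alone.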

UK ICO unveils latest research findings

The UK’s Information Commissioner’s Office (ICO) has announced the findings of its annual track survey*.  The new figures reveal that almost 75 percent of businesses surveyed know that the Data Protection Act requires them to keep personal information secure, an increase of 26 percent on 2010’s findings.  However, reflecting a fall in public confidence, less than half of the people surveyed believe that organisations process their data in a fair and proper manner.  The survey also found that the number of data breaches in the private sector is rising, with 58 percent more breaches reported to the ICO so far in 2011/2012 than in the same period last year.

The ICO’s research highlights some interesting, albeit unsurprising, trends surrounding data protection today in the UK.  Whilst a greater proportion of businesses are aware of the data protection obligations placed on them, the public is less confident than ever of these businesses’ ability to safeguard their information.

Indeed, why should the public have any faith in the existing practices employed by organisations, when news report after news report highlights a series of serious data protection failings? Over the last few months we’ve seen a plethora of NHS Trusts hit the headlines over the loss of substantial and confidential patient information. Throw into that previous reports of the police snooping on citizen’s personal details and it’s not exactly going to do much to bolster public confidence in the state of data protection today.

Whilst we should welcome the fact that the report demonstrates an increase in awareness surrounding data protection, awareness on its own is not going to obliterate this growing problem.  What’s needed is action and organisations need to put in place the requisite security tools to ensure that they can properly enforce a sound and water-tight data protection policy going forward.

* http://www.ico.gov.uk/news/latest_news/2011/businesses-waking-up-to-data-protection-responsibilities-21102011.aspx

IT Security Rewind – Week of October 10, 2011

This week we honored Christopher Columbus, someone who undoubtedly took a major risk and in the end, discovered something completely new. Thus it is appropriate that in this week’s IT Security Rewind we must report the passing of the visionary Dennis Ritchie, creator of the C programming language and co-developer of the Unix operating system. eWeek.com provided the following quote from Jeong Kim, president of Alcatel-Lucent Bell Labs, “Dennis was well loved by his colleagues at Alcatel-Lucent Bell Labs, and will be greatly missed. He was truly an inspiration to all of us, not just for his many accomplishments, but because of who he was as a friend, an inventor, and a humble and gracious man. We would like to express our deepest sympathies to the Ritchie family, and to all who have been touched in some way by Dennis.” To read more about Dennis’ accomplishments visit: http://www.eweek.com/c/a/Security/Dennis-Ritchie-Founder-of-Unix-C-Dies-at-70-215748/.

In other security news this week:

FTP may be dying but collaboration is not: eWeek’s Cameron Sturdevant (@csturdevant) took a look at the effect of the consumerization of IT on collaboration tools, highlighting some major security vulnerabilities that have arisen with the adoption of these free SaaS tools. With the proliferation of mobile devices, Sturdevant emphasizes the importance of regulations in file sharing, stating, “There are reasons to put boundaries on user collaboration, and licensed SaaS and on-premise tools are often best equipped to put these restrictions into practice. Blocking restricted data is among the chief reasons to curtail user file sharing. Helping well-meaning employees stay on the right side of the law when it comes to using regulated data is an important feature that is missing from nearly all the no-cost Internet services.” We completely agree and hope that Sturdevant will check out our secure file transfer solution to see how we successfully secure data in transit.

The real threat is still inside: Despite constant media chatter around advanced persistent threats and external hackers, Dark Reading reported on a study that serves as a good reminder to organizations to look for threats within their own walls. The study, conducted annually by Amplitude Research on behalf of VanDyke Software, found that “of the many reasons cited for network intrusions, more than half could be attributed to internal issues: lack of adequate security policies (17 percent); employee negligence (12 percent); unauthorized access by current or future employees (11 percent); employee Web usage (6 percent); and lack of software updates (6 percent).” Surprisingly, hacker/network attacks accounted for only 14 percent of intrusions; viruses, malware, and spyware were 10 percent.

PCI still a pain point for many: Okay, we admit it, we love reports, especially when they support messages we’ve been sending for some time now. This report, conducted by Verizon and covered by SC Magazine UK, found that “most businesses that accept credit or debit cards, or both, continue to struggle to achieve and maintain compliance with the Payment Card Industry Data Security Standard (PCI-DSS).” In fact, of those assessed by Verizon, only 21 percent were found to be fully compliant. These results were almost identical to last year’s, which proves that, as an industry, we need to do more to educate organizations and help them to understand how to achieve compliance not just for auditing purposes, but for the protection of their customers’ sensitive information.

NHS loses unencrypted USB stick

A report from the Surrey and Sussex Healthcare NHS Trust in the UK has revealed that East Surrey Hospital lost the details of 800 patients in September 2010 but failed to notify any of the affected patients*. The Trust’s 2010/2011 annual report stated that the lost information had been held on an unencrypted memory stick, and included the names, dates of birth and operation details of each patient. The report also revealed a further nine “near misses” whereby information was lost but later recovered.

It’s a worrying situation when it is no longer surprising to see an NHS data breach with a lost, unencrypted USB stick at the heart of it.  Such devices – which have proven to be consistently vulnerable to loss, theft and poor security practices – must be retired.  Technology has moved on, and so should organisations looking to transfer information securely.  Only by using modern Secure File Transfer solutions can organisations be sure that their data is protected at all times, and only accessible by the intended recipient.

It’s also hugely disappointing to see that the Surrey and Sussex Healthcare Trust failed to notify the individuals affected by the data breach. The Trust has an obligation to protect the personal information of those in its care properly; however, the revelations of poor data security and failure to notify indicate that there are some serious flaws in its current approach.

It’s unclear just how many more of these incidents are needed before lessons are learned and changes made, but this data breach, along with the nine “near misses” mentioned in the report, will do little to inspire public faith in the NHS.

*Full Article

IT Security Rewind – Week of September 19

It was another interesting week for IT security professionals, with numerous developments, breaking stories and breaches to follow. But before we dig in to this week’s Rewind—we wanted to wish a warm farewell to Dave Kearns, who wrote one of the final pieces for the penultimate edition of the Network World Identity Management newsletter. We wish Dave well with his analyst role at Kuppinger-Cole—where he’ll continue to provide us with keen security insights!

APT: In Review – It’s never easy to put together a “lessons learned” type of piece when it involves a sensitive and well-documented security attack, but Pacific Northwest National Laboratory CIO Jerry Johnson did a great job at the recent InformationWeek 500 conference. Johnson developed a presentation that described the APT attack against his organization with such details as “when the intruders tried to recreate and elevate account privileges, this action triggered an alarm, alerting the lab’s cybersecurity team…” It’s information like this that can help all security professionals better prepare themselves and anticipate vulnerabilities.

Is “SIEM dead as claimed?”—To no surprise, questions like these usually provoke responses of all types. As Computerworld reported, a recent survey “conducted with senior security professionals at Global 5000 and federal organizations” found that “SIEM has joined signature-based technologies on the ash heap of IT history.” However, advocates for SIEM, like Dr. Anton Chuvakin of Gartner disagree—stating that while SIEM is not a tool that should be used primarily to prevent attacks, it’s still an important monitoring technology.

Access Rules – InfoSecurity provided more background on the $2.3 billion UBS fraud case this week. While details are still swirling, it’s clear that this is another example of a trader acting beyond authorization in a highly regulated market. While the article delves deeper, calling for tighter monitoring and controls, the question remains: If access and risk management controls and processes were in place, how were the traders able to circumvent them?

Anything we missed? What stories have you been following? Let us know!

IT Security Rewind – Week of September 12

It was a week of déjà vu and doppelgangers in the world of IT security, with another rogue financial trader scandal and doppelganger domains stealing data. Here is this week’s IT Security Rewind with all the gory details:

“I need a miracle” – This Facebook status update couldn’t be more appropriate for Kweku Adoboli, the 31-year-old City trader at UBS suspected of carrying out Britain’s biggest banking fraud. This week has to feel like déjà vu for the financial industry, as Mr. Adoboli was arrested at his desk yesterday for allegedly losing £1.3 billion through his rogue trades. This case is eerily familiar to the case of Jérôme Kerviel, the Paris-based Société Générale worker who lost £4 billion in rogue trades back in 2008. What’s worse is that UBS only became aware of the unauthorized trading when Mr. Adoboli told them; the bank’s monitoring systems had not picked up the loss. Could this be another situation where privileged identity management could have signaled an early warning? Stay tuned…

“When it absolutely, positively has to be there overnight.” – This week our own Oded Valin shared his thoughts on moving file transfer processes to the cloud with Infosecurity Magazine. Boiling his advice down to seven steps, Oded outlined how organizations can safely exchange sensitive files in the cloud while maintaining security and compliance requirements.

Big Data = Big Problems – Dark Reading’s Ericka Chickowski put the spotlight on data warehouses and emphasized that the quicker and easier it is to access these “big data” stores, the greater the security risk to all of that sensitive information. We have to agree with Ericka on this one: when you put more eggs into the basket (i.e. instead of separate databases you consolidate many databases into a single “big data” store), security needs to become a higher priority.

Doppelgangers Stealing Data! – Two researchers who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months. Of the data collected in the e-mails, Wired reported, were configuration details and passwords for an IT consulting firm’s routers and virtual private network access information for a company that manages toll roads. They also collected a lot of personal information on employees, including credit card statements and bank account records.

Feel like you’ve finally got all the drama figured out? Let us know your thoughts in our comments section!

Morto A, Brute-Force and the Perpetual Problem of Insecure Privileged Accounts

By Roy Adar, Vice President of Product Management, Cyber-Ark Software

Consider these keyboard combinations: *1234, 123, 369, abc123, abcd1234, admin, admin123, letmein, pass, password, test and user.

Not exactly what you’d call strong administrative passwords, but they are some of the combinations the Morto A worm carries in its brute-force library to attack target machines. According to an article in NetworkWorld, the Morto A worm continues to spread “despite its reliance on a list of lame passwords to take over victim machines.” Those machines, and all the information on them, are now vulnerable and at the mercy of the worm to delete, corrupt or quietly steal.

We believe that with a few tweaks, this simple brute-force approach can quickly resurface in more targeted attacks. Of course the most obvious response to better protecting organizations against this sort of attack is to limit reliance on “human selected passwords,” particularly passwords for privileged accounts. Fully random, long passwords can take years to brute-force or may never be cracked. And, when you consider an organization with thousands of sensitive servers, applications and systems, and hundreds of privileged accounts, automating the generation and management of strong passwords becomes all the more important to making the organization resistant to brute-force attacks.

This attack reminds me of the SQLsnake worm (aka SQLspida) that in 2001-2002 “brute-forced” its way into SQL Servers that had a blank “sa” password (the previous default). It was extremely successful in spreading across tens of thousands of SQL Server databases where the default privileged password for “sa” was never changed from the manufacturer default. While SQLsnake only tried a single password, Morto A tries 37 password values. How long before we see viruses that take this to the next level by using internal random generators to try larger-scale brute-force attacks? It may not be long, given that a virus does not need to contain a hard-to-disguise dictionary and can leverage the local Microsoft Word dictionary files, for example.
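To make the contrast between a 37-entry dictionary and a long random password concrete, here is an added audit helper (example code written for this post, not a Cyber-Ark product or the worm’s own list). It checks a candidate privileged password against the twelve Morto A values quoted above (a subset of the reported 37), computes how many bits of search space a uniformly random password of a given length offers, and converts that into worst-case exhaustion time at an assumed guess rate. The guess rate, the minimum length of 12 and the 94-symbol alphabet are the example’s own assumptions.

```python
"""Audit privileged passwords against a worm-style dictionary and size up brute force (constructed example)."""
import math
import secrets
import string

# The twelve values quoted in the post; the worm is reported to carry 37 in total.
MORTO_SAMPLE_LIST = ["*1234", "123", "369", "abc123", "abcd1234", "admin", "admin123",
                     "letmein", "pass", "password", "test", "user"]
MORTO_REPORTED_DICTIONARY_SIZE = 37

# Printable ASCII letters, digits and punctuation: 94 symbols (assumed generator alphabet).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_PRIVILEGED_LENGTH = 12          # assumed policy minimum
SECONDS_PER_YEAR = 365 * 24 * 3600


def is_in_weak_list(password: str, weak_list=MORTO_SAMPLE_LIST) -> bool:
    """Case-insensitive membership test against the worm's known guesses."""
    return password.lower() in {w.lower() for w in weak_list}


def dictionary_bits(entries: int) -> float:
    """Effective search space of a fixed dictionary: log2(number of guesses)."""
    return math.log2(entries)


def search_space_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, guesses_per_second: float,
                     alphabet_size: int = len(ALPHABET)) -> float:
    """Worst-case time to try every candidate at the assumed rate (constructed rate)."""
    total_candidates = alphabet_size ** length
    return total_candidates / guesses_per_second / SECONDS_PER_YEAR


def generate_privileged_password(length: int = 20) -> str:
    """Uniformly random password drawn with the OS CSPRNG (secrets), never a human choice."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit(password: str) -> list:
    """Return the list of weaknesses found; an empty list means no finding."""
    findings = []
    if is_in_weak_list(password):
        findings.append("present in worm dictionary: falls to a handful of guesses")
    if len(password) < MIN_PRIVILEGED_LENGTH:
        findings.append(f"shorter than {MIN_PRIVILEGED_LENGTH} characters")
    if password.isalpha() or password.isdigit():
        findings.append("single character class")
    return findings


if __name__ == "__main__":
    print(f"worm dictionary of {MORTO_REPORTED_DICTIONARY_SIZE}: "
          f"{dictionary_bits(MORTO_REPORTED_DICTIONARY_SIZE):.1f} bits")
    for length in (8, 12, 20):
        # 1000 guesses/s is a constructed rate for a remote login brute force.
        print(f"random length {length}: {search_space_bits(length):.1f} bits, "
              f"{years_to_exhaust(length, 1000):.3g} years to exhaust")
    for candidate in ("admin", "abc123", generate_privileged_password()):
        print(candidate, "->", audit(candidate) or "no findings")
```

The numbers make the post’s argument: the whole worm dictionary is worth about five bits, an eight-character random password is already roughly 52 bits, and a 20-character one is over 130 bits, which at any plausible remote guess rate is effectively uncrackable. The `audit` function is the kind of check a privileged-password manager can run at rotation time so that a value like `admin` never reaches a production account.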

So, improving privileged password management isn’t just a good idea and a security best practice, it’s a business necessity. Consider the number of cyber attacks in the past year that used a common pathway for entering an organization: privileged accounts. While the initial infiltration can use common and rather hard-to-prevent techniques such as phishing or social engineering, once inside, hackers can fairly easily take advantage of the lack of proper privilege controls. If hackers can easily brute-force your privileged passwords, there is nothing to stop them from jumping from desktops, to applications, to your network core.

It’s been said before, but we subscribe to the notion that organizations need to assume that hackers have already breached the perimeter.  Therefore a proactive approach to implementing internal controls and protecting privileged accounts is a critical building block in your defense strategy.

What are your organization’s best practices for privileged password management?

IT Security Rewind – August 22, 2011

What could 43,000 Yale graduates, the Securities and Exchange Commission, the Maine voter registration system and RSA possibly have in common? Their data has all been tampered with. In this week’s IT security rewind we’ll reveal the email that took down RSA, review this week’s noteworthy data breaches and question the SEC’s involvement in data destruction associated with the Bernie Madoff case. What a week!

Dear RSA, “I forward this file to you for review. Please open and view it.” – It’s been a rough week for RSA, as researchers at F-Secure believe that this email carrying an infected Excel sheet may be the sole cause of the major phishing breach that tainted the company’s reputation. According to IDG, “The e-mail was sent on March 3 and uploaded to VirusTotal, a free service used to scan suspicious messages, on March 19, two days after RSA went public with the news that it had been hacked in one of the worst security breaches ever.”

Mainers and Yale Grads Beware! Since the beginning of the “IT Security Rewind,” we have yet to go a week without some sort of publicized data breach, and this week is no different. This Tuesday, Yale University notified about 43,000 faculty, staff, students and alumni that their names and Social Security numbers were publicly available via Google search for about 10 months. What’s interesting about this breach is that a File Transfer Protocol (FTP) server on which the data was stored became searchable via Google as the result of a change the search engine giant made last September.

The very next day, voters in the state of Maine were notified that a CVS-linked computer in one of the town offices was infected with data-stealing malware.

The Bernie Saga won’t end – and this week data surrounding the case takes center stage as the Securities and Exchange Commission (SEC) has been accused of destroying thousands of data files on high-profile inquiries, including an early-stage investigation into Bernie Madoff. Whether or not privileged access played a role in this possible tampering is unclear; however, according to CSO Online, “Senator Chuck Grassley, the senior Republican on the Senate Judiciary committee, said the data that the SEC is alleged to have destroyed – between 1993 and 2010 – also concerned investigations into alleged insider trading at Deutsche Bank, SAC Capital and collapsed bank Lehman Brothers; as well as into corporate practices during Goldman Sachs’ trading of complex products with insurer AIG.”

Can you handle the security drama? Let us know your thoughts on this week’s events below…

IT Security Rewind – Week of August 15, 2011

Limitations of technologies that are supposed to be protecting against emerging security vulnerabilities, deeper examinations of mainstream breaches and more painful insider attacks—they’re all a part of the next installment of our IT Security Rewind Series. Let’s take a look, shall we?

  • You Live, You Learn: Few attacks generated as much media coverage and buzz as the attack against RSA that occurred earlier this year. This video interview from ThreatPost with Uri Rivner of RSA breaks down the different aspects of the attack including the elevation of privileges that were used to the advantage of the hackers.  As Rivner explains, this breach directly exposes the limitations associated with a security strategy focused on perimeter protection, and not on the accessibility of the sensitive information and controls that can easily be manipulated from the inside of a system.
  • DAMn—Is this technology working?: A feature from Ericka Chickowski of Dark Reading finds that financial institutions are still struggling with insider threats and other security vulnerabilities despite investments in database activity monitoring tools. While DAM technology plays a critical role in protecting against SQL injections and exploits in database protocols and commands, its inherent limitation in providing for privileged user monitoring may play a key role in its apparent ineffectiveness.
  • Fast Food Diner on Network Crime: As IDG reported, a former IT worker at the U.S. subsidiary of Japanese drug-maker Shionogi has pleaded guilty to effectively using his privileged access and controls to “create virtual chaos” by wiping out the VMware host services that ran the company’s corporate email systems. Apparently, after laying off the employee, Jason Cornish, Shionogi did a poor job of revoking passwords to the company’s network. Using a Shionogi account, Cornish logged on from a public McDonald’s Internet connection to access a vSphere VMware management console that he’d secretly installed on the company’s network a few weeks earlier. He then proceeded to delete 88 company servers from the VMware host systems—further highlighting the need to control privileged users in both physical AND virtual environments.

That’s a wrap for this week—let us know what other stories you think should be added to the rewind.