Expert On Family Tree Maker Exposing Users’ Private Information

In response to Family Tree Maker, a popular family tree software, exposing tens of thousands of its users’ personal information online via a misconfigured cloud server, cybersecurity experts provide an insight below.

2 Expert Comments
Trevor Morgan, Product Manager
InfoSec Expert
July 23, 2020 8:08 am

As the Family Tree Maker scenario clearly displays, security administrators need to move beyond reinforcing their perimeter boundaries and access mechanisms. This is not to say that they need to neglect perimeter security. However, no matter how much effort and investment are poured into securing the borders of their data environment, sensitive data inevitably will wind up in the wrong hands—either through intentional intrusion and theft, unintentional distribution, or pure lack of oversight.

Data-centric security addresses the need for security to travel with the data it protects (rather than merely securing the boundaries around that data). Standard encryption-based security is one way to do this, but encryption methods come with sometimes-complicated administrative overhead to manage keys. Also, many encryption algorithms can be easily cracked. Tokenization, on the other hand, is a data-centric security method that replaces sensitive information with innocuous representational tokens. This means that, even if the data falls into the wrong hands, no clear meaning can be derived from the tokens. Sensitive information remains protected, resulting in the inability of threat actors to monopolize on the breach and data theft.

Had this highly sensitive personal data been tokenized in the Family Tree Maker environment, none of it would have had the potential to compromise individual users. This type of preventative helps keep organizations within compliance regulations and helps to avoid other liability-based repercussions.

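A minimal illustration of the vault-based tokenization described in the comment above, added here as an example; it is not code from the commenter or from Family Tree Maker. The TokenVault class, the sample records and the field names are all constructed for this example, and the in-memory vault stands in for a service that would be deployed separately from the application data.

```python
import secrets

# Constructed sample records, standing in for the kind of personal data a
# genealogy application stores. They are invented for this example.
SAMPLE_RECORDS = [
    {"user_id": 1, "email": "ada@example.com", "dob": "1815-12-10", "city": "London"},
    {"user_id": 2, "email": "grace@example.com", "dob": "1906-12-09", "city": "New York"},
    {"user_id": 3, "email": "ada@example.com", "dob": "1970-01-01", "city": "London"},
]
SENSITIVE_FIELDS = ("email", "dob", "city")


class TokenVault:
    """Vault-based tokenization (hypothetical in-memory stand-in for a
    separately deployed token vault). Tokens are random, so a token by itself
    reveals nothing about the value it replaces; only the vault can map back."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        # Same clear value -> same token, so the application can still join or
        # search on the field without ever holding the clear value.
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(8)
        while token in self._token_to_value:  # collision guard
            token = "tok_" + secrets.token_hex(8)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token, authorized=False):
        # Mapping a token back is a privileged operation enforced by the vault.
        if not authorized:
            raise PermissionError("detokenization requires vault authorization")
        return self._token_to_value[token]


def tokenize_record(record, vault, fields=SENSITIVE_FIELDS):
    """Return a copy of the record with sensitive fields replaced by tokens."""
    return {k: vault.tokenize(v) if k in fields else v for k, v in record.items()}


def leaked_values(exported, originals, fields=SENSITIVE_FIELDS):
    """Clear sensitive values from `originals` that still appear in `exported`
    (the data set an exposed server would hand out). Should be empty."""
    clear = {r[f] for r in originals for f in fields}
    present = {r[f] for r in exported for f in fields}
    return clear & present
```

The exported, tokenized data set is what would sit on a storage bucket or database; if that copy is exposed, the check in `leaked_values` shows that none of the clear personal data travels with it.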
Chris Clements, VP
InfoSec Expert
July 23, 2020 8:05 am

Exposures from misconfigured servers and applications are among the most embarrassing security incidents. It’s fun to think about elite teams of attackers and defenders battling it out in cybersecurity, but cases like this are the equivalent of a shop leaving the cash register out on the street. This type of error or omission is common in organizations that have not cultivated a culture of security, that is, they have not made the commitment to ensuring that every person in the organization is properly trained and accountable for ensuring they understand the security implications of job functions they are responsible for. Further, checks and balances to proactively identify security issues should be in place, as well as continuous monitoring and auditing of all systems and data. Failure to protect the personal information that customers have entrusted to you carries severe consequences in customer confidence and trust as well as potential legal and regulatory penalties. Businesses that disregard cultivating a true culture of security will find themselves increasingly exposed and penalized.

Information Security Buzz