Well, 2017 sure has been fun (sarcasm definitely intended) for Information Security Officers. If you are in charge of ensuring the security of sensitive information, then chances are you haven’t been sleeping so soundly…or at all. In the past few months, the security horror stories have been rolling in at lightning speed, with Equifax, Deloitte, the NFL, and recent revelations from the Yahoo attack (that we all thought was over) showing us how a data breach will plop your reputation right into the toilet.
What’s a Data Breach?
A Data Breach is when sensitive, private, or confidential information has been stolen, viewed, or used by someone who did not have authorization to access that information. Basically, when a bad guy steals data. This data can be many things, including trade secrets, classified material, incriminating content, or intellectual property. However, in recent years, cyber criminals have focused on stealing personal information such as credit card numbers, names, social security numbers, addresses, driver’s license numbers, and dates of birth which can then be used to steal another person’s identity, which in turn, usually leads to credit card fraud (i.e. I definitely don’t remember buying four iPads in Singapore.) Generally, those stealing the information don’t use it for themselves, instead opting to sell it on the dark web for a significant profit.
How Do They Get In?
Cyber criminals gain access to private information in a variety of ways. One common example is phishing: fraudulent emails designed to steal login credentials. Successful phishing emails mimic an existing service, such as DropBox or your bank, and ask you to log in through a landing page for a convincing reason (My boss sent me a DropBox file, better go get it!) Because the fake landing page looks almost identical to the real one, people are tricked into entering their credentials, which are then captured and made available to cyber criminals, often without the victim ever knowing it happened.
With the rise of cloud computing, more companies are storing personal information that can be accessed from the web. Cyber criminals look for and exploit weaknesses in a company’s network, such as a server misconfiguration, an unused firewall rule, or a poor password policy, or they get in through a variety of other technical exploits.
Given the significant rise in data breaches, it is important to look at real world examples to understand why it happened and how it could have been prevented. Below is a breakdown of several recent high profile data breaches, including lessons learned.
The National Football League (NFL)
When? February 2017
How Many People were Affected? 1135 NFL Players
What Did They Get? Cell phone numbers, names, addresses, colleges, date of birth, email addresses, and agent fees.
What Happened? The NFL recently announced this data breach, which occurred because of a server misconfiguration on the NFL Players Association’s website. Hackers found the unprotected database, locked it down, and demanded $438 worth of bitcoin in exchange for not releasing the data to the public. No, that wasn’t a typo…they wanted $438. Ransomware demands are often low since it is more likely people will pay just so they can get on with their lives.
Could it Have Been Prevented? Yes. A Vulnerability Assessment by a third party consulting firm would have likely caught the misconfiguration and pointed it out to the NFL. A security organization did in fact find this security gap, but not before the data breach took place.
What Did We Learn? Review. Review. Review. Setting up a security perimeter and then ignoring it is a very poor security practice. Companies need to review their security footprint often to locate gaps and get remediation activities started ASAP. This is where Managed Security Services stand out, since an MSSP will conduct regular vulnerability assessments and daily checks, and provide you with detailed reporting that can close holes before hackers find them.
Yahoo
How Many People were Affected? 3 billion (every single Yahoo account)
What Did They Get? Usernames, passwords, birthdays, phone numbers, and in some cases, security questions and answers.
What Happened? Yikes. While the data breach happened in 2013, it wasn’t announced until 2016. Just recently, however, Yahoo announced that every single Yahoo account was compromised, not just the 500 million that they originally reported. If you have, or had, a Yahoo account, you should definitely check out this article.
The data breach was likely conducted through a cookie-based attack that let the cyber criminals authenticate as any other user without knowing the password.
Could it Have Been Prevented? First off, this was the largest security breach in the history of the internet. And yes, it could have been prevented. According to a former employee on the security team, Yahoo’s executive team did not see security as a top priority. Competing with other internet tech giants, Yahoo was focused on turning its business around, leaving little budget, few resources, and not much proper attention for security.
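To make the cookie point concrete, here is an added example (not Yahoo's code, and not a description of the actual attack) contrasting a session cookie the server simply trusts with one that is cryptographically bound to the server using an HMAC. The server key, user names, cookie layout and timestamps are constructed for the demo.

```python
"""Signed vs. unsigned session cookies (added illustrative example).

The weak pattern trusts whatever user name the cookie carries, so anyone who
can edit their own cookie can act as another user.  The hardened pattern
signs the payload with a server-side secret, so an edited payload no longer
matches its signature and is rejected.
"""
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def unsigned_cookie_user(cookie: str) -> str:
    """Weak pattern: the server believes the cookie's user field as-is."""
    return cookie.split("=", 1)[1]


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_cookie(user: str, key: bytes, now: int, ttl: int = 3600) -> str:
    """Hardened pattern: 'payload.signature', where the signature is
    HMAC-SHA256 over the payload under the server's secret key."""
    payload = _b64(json.dumps({"user": user, "exp": now + ttl}).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_cookie(cookie: str, key: bytes, now: int):
    """Return the user name if the cookie is authentic and unexpired, else None."""
    try:
        payload, sig = cookie.split(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison so the check itself leaks no timing signal.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
        if claims["exp"] <= now:
            return None
        return claims["user"]
    except (ValueError, KeyError, TypeError):
        return None


def tampered_cookie(cookie: str, other_user: str) -> str:
    """Test helper: rewrite the user field of a valid cookie but keep the old
    signature, to show that verify_cookie rejects the edited cookie."""
    payload, sig = cookie.split(".", 1)
    claims = json.loads(_unb64(payload))
    claims["user"] = other_user
    return f"{_b64(json.dumps(claims).encode())}.{sig}"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    good = make_cookie("alice", SERVER_KEY, now)
    print("unsigned cookie trusted as:", unsigned_cookie_user("user=bob"))
    print("signed cookie verifies as:", verify_cookie(good, SERVER_KEY, now + 10))
    print("edited cookie verifies as:",
          verify_cookie(tampered_cookie(good, "bob"), SERVER_KEY, now + 10))
```

The signature only helps if the key stays secret and the comparison is constant-time; an expiry claim inside the signed payload also limits how long a stolen cookie stays useful.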
What Did We Learn? It is important that executives understand the importance of security, and that IT teams aren’t hindered by a limited IT security budget. Being cheap now almost always catches up with you in the long run.
Equifax
When? Discovered on July 29th 2017
What Did They Get? Personal information for more than 143 million Americans and Canadians
What Happened? This one was particularly worrisome since Equifax deals with very sensitive personal information, including social security numbers, DOBs, addresses, and driver’s license numbers. The breach was attributed to a single employee’s error: apparently one employee in the tech department did not implement software fixes. In other words, Equifax didn’t have a proper and well-followed patching process.
Could it Have Been Prevented? Yes. Patching is one of the most fundamental aspects of a security program, especially for a company that deals with this level of personal information.
What Did We Learn? Lots. Patch your servers and update your software for one. Also, when the risks are this high, security should be a serious priority for every single employee, and that did not seem to be the case for Equifax.
Hyatt
When? Occurred in mid-2017
What Did They Get? Payment card details (card numbers, names, expiry dates, and verification codes).
What Happened? A total of 41 properties in 11 countries were affected in this breach. This is the second time since 2015 that Hyatt had its payment information stolen, although the first incident was much worse.
Could it Have Been Prevented? The scary thing here is how long this breach went undiscovered. Hyatt’s security team believes that the breach was active for a period between May and July. This is a common problem, as many companies do not have the means to detect an ongoing issue.
What Did We Learn? One way to find issues in progress is with a Security Information and Event Management (SIEM) platform. A SIEM system correlates data across multiple systems to identify issues and patterns. With a SIEM platform in place and a 24/7 Security Operations Centre (SOC), it is possible Hyatt could have caught this much earlier.
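As an added illustration of what "correlates data across multiple systems" means in practice (this is example code, not Hyatt's environment or any particular SIEM product), the rule below joins login events from several hosts on the source address. Each host on its own sees only a couple of failures, which is below the alert threshold; only the combined view trips the rule. The log format, host names, IP addresses, timestamps and threshold are all constructed for the demo.

```python
"""A small cross-host correlation rule of the kind a SIEM runs (added example).

Rule: alert when one source IP accumulates `threshold` failed logins across
ANY hosts inside `window` and then logs in successfully anywhere.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-like lines from two hosts.  Per host, the attacker's IP
# has only 3 and 2 failures; joined on the IP it has 5, then a success.
SAMPLE_LOGS = """\
2017-06-12T02:14:01 pos-fe-01 sshd: Failed password for admin from 203.0.113.7
2017-06-12T02:14:09 pos-fe-01 sshd: Failed password for admin from 203.0.113.7
2017-06-12T02:14:15 pos-fe-02 sshd: Failed password for admin from 203.0.113.7
2017-06-12T02:14:22 pos-fe-02 sshd: Failed password for root from 203.0.113.7
2017-06-12T02:14:30 pos-fe-01 sshd: Failed password for admin from 203.0.113.7
2017-06-12T02:14:41 pos-fe-02 sshd: Accepted password for admin from 203.0.113.7
2017-06-12T02:15:00 pos-fe-01 sshd: Failed password for ops from 198.51.100.4
2017-06-12T02:15:05 pos-fe-01 sshd: Accepted password for ops from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(line: str):
    """Turn one log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate(lines, threshold=4, window=timedelta(minutes=5), key=None):
    """Return a list of alerts.  `key` picks the correlation key; the default
    groups by source IP across all hosts (the SIEM view).  Passing
    key=lambda ev: (ev["ip"], ev["host"]) reproduces a single-host view."""
    key = key or (lambda ev: ev["ip"])
    recent = defaultdict(deque)  # correlation key -> timestamps of failures
    alerts = []
    for ev in filter(None, map(parse, lines)):
        q = recent[key(ev)]
        # Drop failures that fell out of the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({"ip": ev["ip"], "user": ev["user"], "host": ev["host"],
                           "failures": len(q), "at": ev["ts"].isoformat()})
            q.clear()
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    print("single-host view:", correlate(lines, key=lambda e: (e["ip"], e["host"])))
    print("correlated view: ", correlate(lines))
```

The same sliding-window idea extends to other sources (VPN logins, payment terminal events, outbound connections); the value of the SIEM is that the window is computed over the joined stream rather than within each system's own log.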
Summing up, data breaches are generally preventable, as long as a company is willing to commit to constant security management and upkeep. Putting in some extra time and dollars upfront isn’t so bad when you think of the alternatives.