If data security is job 1, why treat it as an afterthought?
As important as they are, software and network security seem so often ignored. Every month I hear about a data security breach even more egregious than the last. What's going wrong?
Between late November and mid-December 2013, an attack on retail giant Target's point-of-sale network yielded card data for 40 million customers who used credit and debit cards at the chain's US stores, plus names, mailing addresses, email addresses and phone numbers for as many as 70 million. Similarly, a five-month breach of Home Depot that began in April 2014 used essentially the same malware as the Target incident and exposed some 56 million cards.
In July 2015, a data breach that included password hashes occurred at Ashley Madison, a website enabling extramarital affairs among millions of users. This led to multiple blackmail and extortion attempts, and several reported suicides. Analysis of the published data dump led to the revelation that there were far more men than women on the site, and that many of the "women" appeared to be chatbots registered from a single IP address.
Worst of all, last June, 21.5 million personnel records—including social security numbers and other personal information—were stolen from the US Office of Personnel Management (OPM) in a cyber intrusion involving background investigation records. Although having one of your favorite passwords exposed creates a short-term vulnerability if you've used it elsewhere, you can at least change the password. But having your social security number and address stolen creates a long-term vulnerability with a high potential for identity theft and, in the context of security clearance investigations, blackmail.
What were the proximate and root causes of these data security breaches? At Target and Home Depot, a RAM-scraping malware family called BlackPOS infected point-of-sale terminals running Microsoft Windows. Between the card reader and the payment application, track data sits in the terminal's memory in the clear; BlackPOS harvested it there, staged it in local files and exfiltrated it over a period of months. Point-to-point encryption of card data at the reader (so the POS host never holds cleartext track data), together with strong malware protection on the terminals (application whitelisting is the usual control), would have blunted BlackPOS. Target had neither a chief information security officer (CISO) nor a chief security officer (CSO) at the time, so it's not clear who, if anyone, was thinking about malware protection, data security and Payment Card Industry Data Security Standard (PCI DSS) compliance at the company.
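The memory-scraping problem is easiest to see with a scanner of the kind a defender (or, equally, the malware) runs over process memory. The following Python is an added example, not code from the article or from BlackPOS: it searches a constructed memory dump for Track 2 card data (PAN, '=', YYMM expiry, service code), discards candidates that fail the Luhn check, and returns masked hits. The "encrypted" buffer is a stand-in for what a point-to-point-encrypted reader would hand the POS host; the scanner finds nothing in it because no cleartext track data ever reaches memory. The card numbers are well-known test values, not real accounts.

```python
import hashlib
import re

# Track 2 layout: PAN (13-19 digits) '=' expiry YYMM, 3-digit service code,
# optional discretionary data, optional '?' end sentinel. Bytes regex, so \d is ASCII only.
TRACK2_RE = re.compile(rb"(\d{13,19})=(\d{4})(\d{3})(\d*)\??")


def luhn_valid(pan: str) -> bool:
    """Standard Luhn mod-10 check used to filter random digit runs out of the hits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four, which is all a detector should ever log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> list:
    """Scan a memory buffer for Luhn-valid Track 2 records; return masked findings."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append({
                "pan": pan,
                "masked": mask_pan(pan),
                "expiry": m.group(2).decode(),
                "offset": m.start(),
            })
    return hits


# Constructed sample: what a POS process might hold when track data is handled in cleartext.
# 4111111111111111 is a Luhn-valid test number; 4111111111111112 is the same with a bad check digit.
CLEARTEXT_DUMP = (
    b"POSapp v3.2 session=0x4f2a heartbeat OK\x00\x00"
    b";4111111111111111=2512101123456789?\x00"
    b"log: auth request sent\x00"
    b";4111111111111112=2512101000000000?\x00"   # fails Luhn, should be ignored
    b"trailing buffer 0123456789\x00"
)

# Constructed stand-in for a P2PE reader's output: opaque bytes derived deterministically so the
# example is reproducible. Real P2PE output is a ciphertext the POS host cannot decrypt.
ENCRYPTED_DUMP = b"POSapp v3.2 blob=" + hashlib.sha256(b"4111111111111111=2512101").digest() * 2


if __name__ == "__main__":
    for hit in find_track2(CLEARTEXT_DUMP):
        print("cleartext dump:", hit["masked"], "exp", hit["expiry"], "at offset", hit["offset"])
    print("encrypted dump hits:", find_track2(ENCRYPTED_DUMP))
```

Run against the cleartext buffer the scanner reports exactly one card (the second candidate is rejected by Luhn); against the encrypted buffer it reports none. That asymmetry is the whole argument for encrypting at the reader: a RAM scraper on the POS host has nothing to scrape.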
It's easy to think, "Why pay for a high-powered security person? That would just weaken our quarterly profits." But the truth is that as capable as your IT department is, you can't assume it is always a step ahead of those looking to get in.
Up for grabs: Your personal info
Security experts point to Russian and Ukrainian cyber criminals as those who were behind the Target and Home Depot breaches. The stolen credit card numbers were put up for sale in batches at rescator[dot]la.
The attack vector used to install the card-stealing POS malware at Target was an email phishing attack carrying a password-stealing Trojan. The HVAC vendor employee (not a Target employee) who fell for the phish had not been issued a security token and therefore could not use two-factor authentication, which, on the face of it, violated PCI DSS requirements for remote access to the cardholder data environment; nothing on Target's side then stopped those stolen vendor credentials from being used as a foothold toward the POS network. Proper, broad use of two-factor authentication might have prevented the initial intrusion, or at least made it more difficult. But Target was penny-wise, and I might say a little foolish, regarding data security.
"Tokens? They don't need tokens; they don't have enough privileges to do any harm." ...Doesn't that sound familiar?
Way less than perfect
At Ashley Madison, attackers presented themselves as "hacktivists" trying to force a shutdown in advance of a proposed IPO. They drew a picture of a site that wasn't just aiding and abetting immorality, but basically acting as a fraudulent honeypot. The attacking group, calling itself the "Impact Team," threatened to release the profiles of 37 million members, and eventually did publish them—including password hashes.
In a blatant violation of the weakest-link principle, Ashley Madison stored each password in two forms: a proper bcrypt hash, and a legacy login token that was merely an MD5 digest over the lowercased username and password. Cracking the MD5 token is cheap, and a case-insensitive match narrows the bcrypt search to a handful of case variants, so 11 million of the 36 million published password hashes were cracked by security analysts within weeks.
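The attack that follows from storing a weak token next to a strong hash is worth seeing end to end, and the same code shows why a pool of cracked passwords (the point made later about feedstock for guessing engines) is so valuable. This is an added example, not Ashley Madison's code or the analysts' tooling: PBKDF2-HMAC-SHA256 stands in for bcrypt as the slow hash (assumption, chosen because it is in the standard library), the token format mimics the lowercased MD5 loginkey, and the wordlist and user records are constructed. The attacker cracks the MD5 token with one fast hash per guess, then spends expensive slow-hash evaluations only on the case variants of the one word that matched.

```python
import hashlib
import hmac
import itertools

SLOW_ITERS = 20_000  # PBKDF2 iteration count standing in for a bcrypt work factor


def slow_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for the bcrypt hash: deliberately expensive per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, SLOW_ITERS)


def legacy_token(username: str, password: str) -> str:
    """Mimics the weak loginkey: unsalted MD5 over lowercased username and password."""
    return hashlib.md5(f"{username.lower()}:{password.lower()}".encode()).hexdigest()


def make_record(username: str, password: str, salt: bytes) -> dict:
    """What a leaked row looks like when both forms are stored side by side."""
    return {
        "user": username,
        "salt": salt,
        "slow": slow_hash(password, salt),
        "token": legacy_token(username, password),
    }


# Constructed wordlist; in practice this is where earlier breach dumps become feedstock.
WORDLIST = ["password", "letmein", "123456", "qwerty", "summer2015", "ashley", "trustno1"]


def crack_token(record: dict, wordlist: list):
    """Attack the MD5 token only: one cheap hash per candidate, case already normalised away."""
    for word in wordlist:
        if legacy_token(record["user"], word) == record["token"]:
            return word
    return None


def case_variants(word: str):
    """Enumerate every upper/lower-case spelling of the recovered lowercase word."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def recover_password(record: dict, wordlist: list):
    """Full attack: cheap token crack, then slow-hash checks restricted to case variants.
    Returns (password or None, number of slow-hash evaluations spent)."""
    base = crack_token(record, wordlist)
    if base is None:
        return None, 0
    tries = 0
    for candidate in case_variants(base):
        tries += 1
        if hmac.compare_digest(slow_hash(candidate, record["salt"]), record["slow"]):
            return candidate, tries
    return None, tries


if __name__ == "__main__":
    victim = make_record("Alice", "TrustNo1", b"example-salt")
    print("token crack ->", crack_token(victim, WORDLIST))
    print("full recovery ->", recover_password(victim, WORDLIST))
    safe = make_record("bob", "correct horse battery", b"other-salt")
    print("not in wordlist ->", recover_password(safe, WORDLIST))
```

For the constructed user the token crack costs seven MD5 evaluations and the bcrypt stand-in is then evaluated 67 times instead of once per wordlist entry per case variant; the strong hash buys nothing once the weak one is in the same table. The fix is not a stronger MD5 but removing the second representation entirely: a password must be stored in exactly one slow, salted form.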
The Ashley Madison data dump was followed by a series of blackmail and extortion attempts, with the perpetrators threatening various outcomes unless the victims paid them off using Bitcoin. However, the groups behind these threats don't appear to have been part of the "Impact Team."
The "Impact Team," meanwhile, had nothing but scorn for Ashley Madison's management, with one exception: "Our one apology is to Mark Steele (director of security). You did everything you could, but nothing you could have done could have stopped this."
What you don't know
Having 11 million passwords out there in the clear isn't just a problem for Ashley Madison, but for every business that relies on passwords to protect its data. Think of that pool as feedstock for millions of simplistic password guessing engines, and you quickly come to the conclusion that passwords alone aren't reliable security. Two-factor authentication, something you have in addition to something you know, improves security, but it's still not perfect.
What about the source of the two OPM database breaches, which were arguably the worst of all of them? Everyone "in the know" has been pointing to China, but there's still no official answer. OPM Director Katherine Archuleta was forced to resign over the fiasco, but when the public asks questions about how the attacks were carried out, a cloak of secrecy descends. OPM is a bit late, though, since the cat's already out of the bag.
The other narrative that's come out in connection with the OPM breaches is about the People's Liberation Army "playing catch-up" with the NSA and the U.S. Cyber Command, both of which have been successfully hacking the Chinese for at least 15 years, according to classified documents leaked by Edward Snowden. That might well explain the lack of public information: the NSA knows perfectly well who cracked the OPM, and how they did it. But releasing that information would allow the Chinese to figure out how we tracked them, and that's not a leg up the NSA wants to give them.
Is your organization already compromised by a long-term exploit? What are you doing to minimize your attack surface? How many attempted data security breaches do you catch every day? How many do you miss? And how do you know?