Category Archives: Lessons

What are some lessons from the five biggest breaches of 2017?

I came across this blog posting from Continuity Central.  It is a good post because it is succinct.

  1. NHS – Based on knowledge in the public domain, we believe the root cause of the vulnerability relates to an ‘enhanced data sharing’ option. If enabled, that data can be accessed by hundreds of thousands of other users of the same system. This is a common oversight, as organizations tend to focus on their web application testing and security but fail to extend this security to their desktop applications. We regularly find vulnerabilities like this when we’re auditing desktop applications and the communication mechanisms that support them. By extending the same care to both web and desktop applications, these vulnerabilities can be minimised.
  2. Equifax – This breach highlights how critically important it is for all organizations to be on top of their vulnerability management processes, ensuring that critical patches for software and systems are applied as soon as possible. Regular penetration testing and vulnerability scanning feed into a central vulnerability management system within the wider governance, risk and compliance (GRC) processes. They’re fundamental to help mitigate the risk of these kinds of breaches occurring. After all, if you’re not aware of your vulnerabilities and risks, you can’t treat them.
  3. Yahoo – …these types of breaches usually originate from an exploited website vulnerability. Preventing such a hack starts with using controls that identify vulnerabilities. However, it’s also critical that incident response processes are in place to identify attacks in progress.
  4. Uber – …beyond securing vulnerable information, communication is key. Uber tried to brush the breach under the carpet, but making your customers aware of a breach as soon as possible is the best response. This will be critical when the General Data Protection Regulation becomes enforceable. Under the regulation, organizations must notify the relevant supervisory authorities and affected parties of the breach within 72 hours of its discovery, as failure to do so could result in fines of up to €20m or 4 percent of world-wide revenue, whichever is greater.
  5. Alteryx – …a cyber risk researcher revealed that data analytics software company Alteryx had left a 36-gigabyte database exposed in an Amazon Web Services storage bucket. Alteryx’s unsecured database was discovered during a routine search of Amazon Web Services storage buckets, with the breach affecting 123 million households in the USA. Configuration-related vulnerabilities like this are common, and AWS storage buckets that have not been protected correctly with the right controls are frequently discovered. According to The Register, information from Accenture, Verizon, Viacom, and the US military had been inadvertently left online due to incorrect configuration. When storing sensitive information in the public cloud, it’s vital to implement best practice security measures. All storage buckets must be configured correctly, with procedures, checks and balances in place to make sure that systems can’t go live without being properly audited. Each configuration must be checked against potential vulnerabilities, and it is best practice to ensure that the configuration is peer reviewed before the system goes live.
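The Alteryx item says every bucket configuration must be checked before go-live, but not what that check looks like. Below is an added example of mine (not code from Continuity Central or from this blog) of the three places an S3 bucket can be opened to the world: the bucket ACL, the bucket policy, and the account/bucket "Block Public Access" settings. The inputs are constructed to look like the responses of the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock calls; the bucket name, owner id, account id and role name are placeholders.

```python
import json

# Canned ACL grantee URIs that make an S3 bucket readable or writable by everyone.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four S3 "Block Public Access" settings; all four should be on for a sensitive bucket.
PUBLIC_ACCESS_BLOCK_SETTINGS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def public_acl_grants(acl):
    """Return (grantee URI, permission) pairs from a bucket ACL that grant access to everyone."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def _principal_is_everyone(principal):
    # A bucket policy can name the world either as "*" or as {"AWS": "*"}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return the Sids of Allow statements open to everyone and not narrowed by a Condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # narrowed by a condition: route to human review rather than failing outright
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def audit_bucket(name, acl, policy_json, public_access_block):
    """Run all three checks for one bucket and return a list of findings (empty means it passed)."""
    findings = []
    for uri, permission in public_acl_grants(acl):
        findings.append(f"{name}: ACL grants {permission} to {uri.rsplit('/', 1)[-1]}")
    for sid in public_policy_statements(json.loads(policy_json)):
        findings.append(f"{name}: policy statement '{sid}' allows access to everyone")
    for setting in PUBLIC_ACCESS_BLOCK_SETTINGS:
        if not public_access_block.get(setting, False):
            findings.append(f"{name}: public access block setting {setting} is off")
    return findings


# Constructed sample inputs. The owner id, account id and role name are placeholders.
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}

WEAK_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::analytics-export/*"},
]})
WEAK_PUBLIC_ACCESS_BLOCK = {s: False for s in PUBLIC_ACCESS_BLOCK_SETTINGS}

HARDENED_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AnalyticsRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::000000000000:role/analytics-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::analytics-export/*"},
]})
HARDENED_PUBLIC_ACCESS_BLOCK = {s: True for s in PUBLIC_ACCESS_BLOCK_SETTINGS}


if __name__ == "__main__":
    for label, args in (("weak", (WEAK_ACL, WEAK_POLICY, WEAK_PUBLIC_ACCESS_BLOCK)),
                        ("hardened", (HARDENED_ACL, HARDENED_POLICY, HARDENED_PUBLIC_ACCESS_BLOCK))):
        findings = audit_bucket("analytics-export", *args)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run against the weak configuration this reports six findings (one ACL grant, one policy statement, four block settings off); the hardened configuration reports none. In a real pipeline the same function would sit in the go-live check the article calls for, fed from the live API responses, and a non-empty result would block deployment until the peer review happens.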


What lessons should we have learned from 2017?

Sarah Peters posted an interesting post, 17 Things We Should have learned in 2017, but probably didn’t.

Below is the summary:

1. You need to know what data you have, and where it is. I agree that it is the right thing to do, but it is no small undertaking to complete and maintain in a large and dynamic environment.

2. How we respond to incidents is just as important as how we prevent them.

3. Social Security Numbers should not be used for anything but Social Security. Yes, but legacy applications and processes may still leverage SSN as a unique identifier.

4. Radio frequency communications need to be secured.

5. ICS/SCADA needs special security treatment

6. You need to deploy patches faster … no, really.

Equifax was compromised first in May, via the critical Apache Struts vulnerability disclosed in March. When news broke, attackers were already attempting to exploit the vuln and researchers urged anyone using Struts2 to upgrade their Web apps to a secure version. Clearly Equifax did not move fast enough.

In fairness, patching is hard, and March to May isn’t that much time for an enterprise Equifax’s size to complete the process. Organizations nevertheless must inject some jet fuel into their patch management processes because the vendors sometimes take their sweet time issuing fixes. Microsoft, for example, didn’t patch a Windows SMB bug until a month after an exploit for it, EternalBlue, was publicly disclosed. The EternalBlue exploit, which enables malware to quickly spread through a network from just one infected host, was soon used in both the WannaCry attacks in May and the NotPetya attacks in June. Despite the terrifying (and highly publicized) nature of WannaCry and NotPetya, a scanner created by Imperva researchers found in July that one of every nine hosts (amounting to about 50,000 computers from what they’d scanned) was still vulnerable to this exploit.

7. The NSA might not be the best place to put your secret stuff.

8. Cybersecurity failures are beginning to have significant market impacts … sort of. I like this comment too:

Security researchers are investigating other ways to use market pressures to improve cybersecurity themselves. Meanwhile, organizations are getting smacked by regulatory fines and legal settlements, like Anthem Healthcare’s record-setting $115 million to settle its 2015 data breach.

9. Integrity of data (and the democratic process) can be disrupted by more than “hacking.” I agree. In healthcare, we have been focusing a lot on the confidentiality and availability of systems and data. As more medical and personal / wearable devices become interconnected and an integral part of providing healthcare, integrity of the data and device will be critical.

10. You really should refresh your DDoS defense and preparation plan. To be effective, companies need to also refresh their business impact analysis data. How badly will your operations, legal obligations or regulatory requirements be affected if an externally facing patient portal is not available for 15 minutes? What about 30 minutes? What about 2 hours? 1 day?

11. You can’t escape the effects of political and civil unrest.

12. Infosec workforce diversity is something you should actually care about.

13. Bitcoin is awesome, once you take away the part about currency. I absolutely agree. I am excited and agree about the next comments too. I want to explore this topic in future posts.


…But the best thing about it is the platform upon which it’s built: Blockchain. The distributed ledger technology essentially allows for the creation of a list of records, each record cryptographically linked and secured, thereby enabling greater data integrity for all manner of applications. JP Morgan’s CEO Jamie Dimon called Bitcoin “stupid,” but his company got behind Blockchain in a big way this year, announcing a Blockchain-based cross-border payment network; IBM released a similar offering.
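The quoted paragraph describes a ledger as "a list of records, each record cryptographically linked and secured". The mechanism behind that sentence is a hash chain, and it is the same idea I would reach for on item 9 (integrity of medical device data). The following is an added example of mine, not code from Sarah Peters’ post, this blog, or any blockchain product: each record’s SHA-256 hash covers its contents plus the previous record’s hash, so an edit anywhere in the history breaks verification at or just after the edited record. The infusion-pump dose events, patient ids and timestamps are constructed sample data.

```python
import hashlib
import json

GENESIS_PREV_HASH = "0" * 64  # the first record links to a fixed all-zero hash


def record_hash(record):
    """SHA-256 over every field except the hash itself, serialised canonically so it is reproducible."""
    body = {key: value for key, value in record.items() if key != "hash"}
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(encoded).hexdigest()


def append_record(chain, data, timestamp):
    """Append a record whose prev_hash field commits to the record before it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV_HASH
    record = {"index": len(chain), "timestamp": timestamp, "data": data, "prev_hash": prev_hash}
    record["hash"] = record_hash(record)
    chain.append(record)
    return record


def verify_chain(chain):
    """Return (True, None) if every hash and link is intact, else (False, index of the first bad record)."""
    for i, record in enumerate(chain):
        expected_prev = chain[i - 1]["hash"] if i > 0 else GENESIS_PREV_HASH
        if record["prev_hash"] != expected_prev:
            return False, i
        if record_hash(record) != record["hash"]:
            return False, i
    return True, None


def build_sample_chain():
    """Constructed sample: three infusion-pump dose events with fixed timestamps so hashes are reproducible."""
    chain = []
    append_record(chain, {"patient": "P-0001", "device": "pump-17", "dose_ml": 2.5}, "2017-12-01T08:00:00Z")
    append_record(chain, {"patient": "P-0001", "device": "pump-17", "dose_ml": 2.5}, "2017-12-01T12:00:00Z")
    append_record(chain, {"patient": "P-0002", "device": "pump-03", "dose_ml": 1.0}, "2017-12-01T12:05:00Z")
    return chain


def tamper_data_only():
    """Alter one dose after the fact without touching the hashes: that record's own hash no longer matches."""
    chain = build_sample_chain()
    chain[1]["data"]["dose_ml"] = 25.0
    return verify_chain(chain)


def tamper_and_recompute_hash():
    """Alter the dose and recompute that record's hash: the next record's prev_hash now points at a hash
    that no longer exists, so verification fails one record later."""
    chain = build_sample_chain()
    chain[1]["data"]["dose_ml"] = 25.0
    chain[1]["hash"] = record_hash(chain[1])
    return verify_chain(chain)


if __name__ == "__main__":
    print("untouched chain:", verify_chain(build_sample_chain()))            # (True, None)
    print("dose edited:", tamper_data_only())                                # (False, 1)
    print("dose edited, hash recomputed:", tamper_and_recompute_hash())      # (False, 2)
```

The chain on its own only detects tampering; someone who can rewrite every later hash can rewrite the history. That is the gap the distributed part of "distributed ledger" closes, by replicating the chain across parties (or, more simply, by having each record signed or its latest hash published somewhere the writer cannot change).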

14. Encryption is great … except when it isn’t.

15. Firmware is your problem too.

16. No, malware does not mean no problem.

17. I want to include the last item in full. This item requires a separate blog posting too.

Getting stabbed in the side is a bigger problem than getting stabbed in the back. We’ve known for years that attackers can break in through one poorly secured endpoint and laterally move through your network until they access the crown jewels from the inside. While attackers continue to get better at lateral movement, most organizations haven’t done anything to get better at preventing it. With better-managed access controls and microsegmentation, and the use of an automated lateral movement tool to help good guys (and others) quickly find the most vulnerable pathways, organizations might begin to help defend themselves against a variety of attacks, including nightmares like an Active Directory botnet.
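The quoted item ends with the suggestion of an automated tool that lets defenders "quickly find the most vulnerable pathways". Below is an added example of mine, not code from Sarah Peters’ post or from this blog, of the core of such a tool: treat the allowed flows in a segmentation policy as a graph, keep only the services over which a foothold on one host becomes control of the next, and breadth-first search from an assumed-compromised endpoint to the crown jewels. Two constructed policies are compared, a flat network and a microsegmented one with a jump host; every host name and service is an assumption for the sake of the example.

```python
from collections import deque

# Services over which a foothold on the source host can be turned into control of the destination.
# Plain application traffic (https, sql, ldap) is deliberately left out of the movement graph.
ADMIN_SERVICES = {"smb", "rdp", "ssh", "winrm", "rpc"}

# Constructed sample policies: each entry is an allowed flow (source, destination, service).
FLAT_NETWORK = [
    ("workstation", "file-server", "smb"),
    ("workstation", "app-server", "rdp"),
    ("file-server", "domain-controller", "rpc"),
    ("app-server", "db-server", "ssh"),
    ("app-server", "domain-controller", "smb"),
    ("db-server", "domain-controller", "ldap"),
]

MICROSEGMENTED = [
    ("workstation", "app-server", "https"),
    ("app-server", "db-server", "sql"),
    ("admin-workstation", "jump-host", "rdp"),
    ("jump-host", "domain-controller", "rdp"),
    ("jump-host", "db-server", "ssh"),
]

CROWN_JEWELS = ("domain-controller", "db-server")


def movement_graph(policy):
    """Adjacency list containing only the flows that permit lateral movement."""
    graph = {}
    for src, dst, service in policy:
        if service in ADMIN_SERVICES:
            graph.setdefault(src, []).append(dst)
    return graph


def shortest_path(policy, start, target):
    """Breadth-first search; returns the hosts on the shortest movement path, or None if unreachable."""
    graph = movement_graph(policy)
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    return None


def exposed_crown_jewels(policy, compromised, jewels=CROWN_JEWELS):
    """Map each crown jewel reachable from a compromised host to the shortest path leading to it."""
    exposed = {}
    for jewel in jewels:
        path = shortest_path(policy, compromised, jewel)
        if path is not None:
            exposed[jewel] = path
    return exposed


if __name__ == "__main__":
    for label, policy, start in (("flat", FLAT_NETWORK, "workstation"),
                                 ("microsegmented", MICROSEGMENTED, "workstation"),
                                 ("microsegmented", MICROSEGMENTED, "admin-workstation")):
        print(f"{label} network, foothold on {start}:")
        paths = exposed_crown_jewels(policy, start)
        if not paths:
            print("  no crown jewel reachable")
        for jewel, path in paths.items():
            print(f"  {jewel}: {' -> '.join(path)}")
```

In the flat policy an ordinary workstation reaches both crown jewels in two hops. In the segmented policy the same workstation reaches neither, and the only remaining paths run from the admin workstation through the jump host, which tells you where the access controls and monitoring budget should go. Feeding the function real firewall or host-firewall rules instead of the constructed lists is the only change needed to run it on an actual environment.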

The Takeaways

  1. Review the blog post and update any plans.

What 100,000 Tweets About the Volkswagen Scandal Tell Us About Angry Customers?

A critical component of managing a cyber security incident is crisis communication. Swaminathan and Mah (2016) recently published, “What 100,000 Tweets About the Volkswagen Scandal Tell Us About Angry Customers” in the Harvard Business Review. Their analysis focused on more than 100,000 tweets related to the Volkswagen Scandal. Their conclusions are relevant to CISOs and their cyber-incident management plans.

The Takeaways :

  1. Incident management plans need to include an analysis of tweets. As Swaminathan and Mah state, “by analyzing the topics most frequently discussed, managers can better understand what consumers are discussing and apply appropriate recovery strategies.”
  2. CISOs need to collaborate with their partners in Public Relations in managing the communication with customers.
  3. Understand that tweets change in terms of volume, valence and topics over the course of the incident. The figure below illustrates the three major changes from Swaminathan and Mah.

[Figure: changes in tweet volume, valence and topics over the course of the incident, from Swaminathan and Mah]