2nd February 2018
By Luke Potter
With the threat landscape constantly evolving and cyber-criminals looking for new ways to breach organisations’ defences, maintaining the integrity of the business network and the data that resides there is a growing challenge. By and large, organisations are just about coping with the array of potential threats they are facing, but the growing number of threats can be overwhelming.
In 2017, we witnessed some of the most high-profile and effective breaches ever seen, highlighting that significant breaches have equally significant consequences, ranging from reputational damage to legal investigation. Perhaps this is why more organisations than ever before have a clear understanding of the potential impacts of a data breach.
So, with organisations becoming increasingly cyber-security aware, what can we learn from the top five breaches of 2017 as businesses look to enhance their security posture for 2018 and beyond?
2017 was a turbulent year in cybersecurity for the NHS, not only was it hit by the WannaCry ransomware, but it was also revealed that 26 million patients’ medical records had been breached.
Based on knowledge in the public domain, we believe the root cause of the vulnerability relates to an ‘enhanced data sharing’ option. If enabled, that data can be accessed by hundreds of thousands of other users of the same system. This is a common oversight, as organisations tend to focus on their web application testing and security, but fail to extend this security to their desktop applications.
We regularly find vulnerabilities like this when we’re auditing desktop applications and the communication mechanisms that support them. By extending the same care to both web and desktop applications, these vulnerabilities can be minimised.
In September 2017, Credit Reference Agency Equifax revealed it had suffered a massive global data breach that affected 143 million consumers in the USA and up to 400,000 in the UK. Hackers accessed sensitive information including names, addresses, dates of birth and credit card numbers.
While all the details of the breach have not been disclosed, based on public information it appears that the initial point of compromise came from an affected web server. The critical vulnerability in question had been publicly disclosed, and a patch released, months before the breach occurred.
This breach highlights how critically important it is for all organisations to be on top of their vulnerability management processes, ensuring that critical patches for software and systems are applied as soon as possible.
Regular penetration testing and vulnerability scanning feed into a central vulnerability management system within the wider Governance, Risk and Compliance (GRC) processes. They’re fundamental to help mitigate the risk of these kinds of breaches occurring. After all, if you’re not aware of your vulnerabilities and risks, you can’t treat them.
Shortly after the Equifax breach was announced, Yahoo revealed that in 2013, every Yahoo account that existed had been hacked. In total, three billion accounts for Yahoo’s email, Tumblr, Fantasy and Flickr services had been compromised, and the exfiltrated data was made available for sale on the dark web.
Yahoo has never confirmed or released details about how the information was compromised. However, these types of breaches usually originate from an exploited website vulnerability. Preventing such a hack starts with using controls that identify vulnerabilities. However, it’s also critical that incident response processes are in place to identify attacks in progress.
In November 2017, ride hailing service Uber revealed that the personal information of 57 million Uber customers and drivers worldwide had been stolen. According to The Guardian, Uber had previously concealed the breach and paid hackers $100,000 to delete the data and keep quiet.
We believe the breach resulted from credentials left in a Git repository, which the attackers accessed by compromising a developer’s account. Code repositories should be adequately protected. Ensure credentials are never left in code or in repositories, and make sure that all users are taking advantage of multi-factor authentication and are using unique passwords for every system and service.
In addition, it’s vital that those repositories are audited before being made public. Any sensitive information, such as passwords and SSH private keys, must be cleaned from the code. Too often, comments are left in the code that reveal sensitive information. Permissions should also be checked frequently and audited to ensure security – including private repositories.
Beyond securing vulnerable information, communication is key. Uber tried to brush the breach under the carpet, but making your customers aware of a breach as soon as possible is the best response. This will be critical when the General Data Protection Regulation becomes enforceable. Under the regulation, organisations must notify of the breach to the relevant supervisory authorities and affected parties within 72 hours of it discovery, as failure to do so could result in fines up to €20m or 4% of world-wide revenue, whichever is greater.
In the last major breach of the year, a cyber risk researcher revealed that data analytics software company Alteryx, had left a 36-gigabyte database exposed in an Amazon Web Services storage bucket. Alteryx’s unsecured database was discovered during a routine search of Amazon Web Services storage buckets, with the breach affecting 123 million households in the USA
Configuration related vulnerabilities like this are common, and AWS storage buckets that have not been protected correctly with the right controls are frequently discovered. According to The Register, information from Accenture, Verizon, Viacom, and the US military had been inadvertently left online due to incorrect configuration.
When storing sensitive information in the public cloud, it’s vital to implement best practice security measures. All storage buckets must be configured correctly, with procedures, checks and balances in place to make sure that systems can’t go live without being properly audited. Each configuration must be checked against potential vulnerabilities, and it is best practice to ensure that the configuration is peer reviewed before the system goes live.
With 2017 now in the rear-view mirror, organisations are focused on ensuring that they’re well protected against the threats that 2018 will undoubtedly have to offer. But looking back at the lessons of 2017 will help to avoid repeating the mistakes of the past.