It's Not Rocket Science
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
As we get ready for the onslaught of RSA 2018, and the anticipated 1,000+ vendor products that will be exhibited there, it might be useful to examine the underlying causes of a small sample of the most high-profile celebrity breaches from the recent past.
Let’s see if we can map the causes of these breaches to a particular class of cybersecurity defense technology – you know, stuff like end-point protection, data loss prevention, mobile device management, firewalls, IDS/IPS, UEBA, Threat Intelligence, internal threat defense, SIEM, etc.
Yahoo. A spear-phishing email sent in early 2014 opened the door to both the user database and the account management tool, both of which were then used to steal a copy of the entire user database: 1.5 billion names, phone numbers, password challenge questions and answers and, crucially, password recovery emails and a cryptographic value unique to each account.
In the original attack, the (foreign) hackers’ objective was a specific set of around 6,500 users, so once they had those cryptographic values they were able to generate access cookies through a script that they installed on a Yahoo server. Those cookies gave the hackers free access to a user’s email account without the need for a password.
The result of this careless employee mishap was a staggering 1.5 billion records compromised, a $350 million reduction in the acquisition price that Verizon finally offered, a massive blow to the value of Yahoo stock and, currently, 43 separate lawsuits pending, all started by a spear-phishing campaign.
Home Depot. Criminals used a third-party vendor's user name and password to enter the perimeter of Home Depot's network. While those stolen credentials alone did not provide direct access to the company's point-of-sale devices, once inside the network the hackers were able to acquire elevated rights that allowed them to navigate and deploy custom-built malware (a variant of BlackPOS) on its checkout systems.
This exploit of an easily avoided third-party vulnerability resulted in the theft of 53 million email addresses along with 56 million credit and debit card details, a hammering of the company’s stock, and a useful illustration of the exposures that loosely integrated supply chains can create.
Target Stores. The big-box giant saw 110 million in-store customers’ debit- and credit-card data compromised by a widespread point-of-sale (PoS) hack initiated with credentials stolen from Target’s third-party provider of refrigeration and HVAC systems. It is not uncommon for a large retail operation to keep an environmental team on contract to monitor operational efficiency, energy consumption and in-store temperatures, which requires remote access to the related systems; but it was imprudent of Target not to cordon those systems off from the payment systems and the central servers.
Several mature processes and practices currently exist for securing third-party access to enterprise networks. Even the Payment Card Industry Data Security Standard (PCI DSS), which companies like Target are required to follow, specifies network segmentation as a way to protect sensitive cardholder data.
This simple process failure resulted in $162 million worth of expenses directly related to the breach and several class action lawsuits that are presently winding their way through the courts.
Anthem. The Anthem attack was one of the largest cyber hacks of an insurance company's customer data and was caused by an employee at one of Anthem's subsidiaries opening a phishing email and clicking on a malicious link. Opening that email permitted the download of malicious files to the employee's computer and in turn allowed the hackers to gain remote access to at least 90 other systems within the Anthem enterprise, including their data warehouse.
This employee’s error, caused by easily correctable low situational awareness, resulted in more than $260 million in direct expense for credit protection for all consumers whose information was compromised, plus security improvements and remedial actions in response to the breach.
Chase. The computer breach at JPMorgan Chase, the largest intrusion of an American bank to date, could have been thwarted if the bank had installed a simple security fix (upgrading a neglected server to enforce a double, i.e. two-factor, authentication scheme). That would have prevented the hacker from gaining network access after stealing an administrator’s login credentials through a phishing attack.
In 2014 Chase spent over $250 million on its cybersecurity operation (a figure it is now doubling for 2018), yet it was unable to prevent a simple configuration failure from undermining all of those expensive precautions.
The result was that 83 million household and small-business records were exposed and stolen. While Chase has yet to publicly announce the internal expenses associated with the breach, the Ponemon Institute credibly estimates that a data breach costs an average of $154 per record; the math says $12.8 billion. On top of that come the secondary losses associated with litigation, insurance and reputational impact. All because a phishing attack, compounded by a hygiene process failure, succeeded.
None of these breaches was caused by sophisticated, exotic or zero-day malware concoctions; every one of them occurred through common process and user-education deficiencies.
In all of these cases, and many others like eBay, Adobe, AdultFriendFinder, Michael’s, Sally Beauty, Equifax, etc., what would have prevented the breach was not additional, better or more advanced security technology, but rather a simple cybersecurity awareness program for employees and some rigor in executing the basic best practices of the cybersecurity management process.
If we know that a vulnerability exists in software we are using, a patch is issued that we can apply, and the potential impact of not applying it is substantial (Equifax – Apache Struts – 71 vulnerabilities – 3 CVSS-10s and multiple 9s – $4 billion in probable risk), then failing to apply that patch is inexcusable. If two-factor authentication is your standard (as it should be), there is no justification for any server on your network not being configured to enforce it.
Third-party risk management is now an established discipline, and there are plenty of easily applied best practices that can completely mitigate vulnerabilities in the supply chain.
And if our employees and users still don’t understand how to recognize a phishing link, there is no amount of technical wizardry, including artificial intelligence and machine learning, that will be able to prevent a breach from occurring.
Cybersecurity is not rocket science.
NITA Master Jury Trial Advocate & Board Certified Appellate Specialist at Computerlaw Group LLP, Entrepreneurlaw Group LLP; CEO/Founder, Florence Ventures; Chairman/FFCDR.com
6 years
Future assumes a degree of knowledge, experience and expertise that no Board of Directors currently has; will that change in 5, 10, or 15 years? How great will losses be in the meantime? How many will NOT be insured?
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
6 years
Thank you, Mike.
Experienced Cybersecurity, Risk, and Privacy Leader | Building Better Programs, Consultants, and Outcomes
6 years
While this is counter to the purposes of those who hawk gadgetry, I could not agree more with the premise here.