In this week's #TechTuesday roundup: Time Warner Cable says up to 320,000 customers' data may have been stolen, Blackphone is given a blackeye with a vulnerability discovery, a security expert discovered a major security flaw in PayPal's security system, Sony's PlayStation Network was shut down by a possible DDoS attack and Brain Test malware was back on the Google Play store.
In this week's #TechTuesday roundup: UConn's website was hacked and used to spread malware, AVG's Chrome extension had a security flaw that left millions at risk, Hyatt Hotels Corporation discovered malware on its payment processors, major companies including Microsoft, Apple and Adobe are featured on the Top Vulnerabilities List of 2015, and BBC websites were hit with a possible DDoS attack.
Alibaba and Pandora customers are the latest targets of phishing attacks, there is new info-stealing Christmas-themed malware, researchers have discovered security flaws in six Android parking apps, and cyber scammers pose as Microsoft support in an attempt to install malware on your computer, all in this week's #TechTuesday roundup.
“Houston, do we have a problem?”
Are the retail and payment card industries facing a catastrophic collapse in consumer confidence? With the 24/7 news cycle constantly reporting breaches at the largest retail firms, involving hundreds of thousands of customers’ records, it’s hard to argue otherwise. The news that Target’s CIO recently “resigned” shortly after Target disclosed the loss of 40 million or more credit card numbers illustrates just how serious the problem is.
Now it seems that breaches are happening more often, and many involve the brick-and-mortar store’s point-of-sale system. While the increase may be partially explained by disclosure laws and aggressive news outlets, that’s cold comfort for companies already struggling to compete with the convenience and price advantages of online-only firms like Amazon.com.
What happens to the retail industry when consumers’ perception shifts to one where shopping online is safer than shopping at retail stores? The answer must have Jeff Bezos smiling, but it also must have him asking his CISO – are we at risk?
With that in mind, let’s review some of the top retail breach disclosures involving payment card data from the past 10 years, with links:
2005: DSW Shoes loses 1.4 million customers’ credit card numbers.
2006: OfficeMax loses 200,000 debit card numbers with PINs.
2007: TJX – the granddaddy of all retail data breaches, 100 million+ accounts stolen.
2008: Forever 21 discloses a three-year long data breach and 100,000 credit card numbers stolen.
2009: Mitsubishi parts ways with 52,000 customer accounts and credit card data.
Of note: from 2005 to 2009, according to www.privacyrights.org, there were 50 retail breach disclosures related to either a hack, an insider abusing access or other credit card fraud such as POS skimming devices. From 2010 to 2013 there were 260, a 5X increase.
2010: Proving small retail shops are not immune, Beer and Wine Hobby in Woburn, MA had 35,000 credit card numbers compromised.
2011: Proving the world’s largest companies and brands are not immune, Sony was hacked and thieves got away with the data of more than 100 million users, including over 12 thousand unencrypted credit card numbers.
2012: Hacktivist group “The Consortium” exfiltrates 40 million plain-text credit card numbers from porn site operator Digital Playground (don’t worry, that link goes to a news story).
2013: Double feature? Target is stunned by a Black Friday attack that nets hackers more than 40 million card numbers from more than 100 million consumers, while high-end retailer Neiman Marcus is hit at the same time.
2014: While not yet confirmed, it appears Sears may have been breached in an attack that looks similar to the Target and Neiman Marcus incidents. Meanwhile, HR employees at The Home Depot were caught stealing employee data from 20,000 individuals (abusing legitimate access) and using that data to open fraudulent credit card accounts.
In regard to 2014, it’s still only March!
Are we learning a lesson?
If you invest the time to read about these breaches, some common themes emerge:
1. Companies with locked-down perimeters still leave their organizations vulnerable to illegitimate use of legitimate access
2. Attacks often go unnoticed for months or years, and organizations typically don’t understand the full scope of their breach even years after it is disclosed
3. Hackers are becoming more organized and sophisticated every year
So what can be done?
Of course, Courion and other IAM solution providers have some good ideas. Start by shifting resources into securing and monitoring the “new” perimeter: user access. As Chris Sullivan points out in “Inside Out Thinking”, if 50% of your risk comes from the insider threat, or “access as the new perimeter”, then ask why 50% of your IT budget is not focused there. As further confirmation, Kurt Johnson’s post on “Intelligent Intelligence” cites the Verizon Data Breach Report’s statistic that 76% of breaches leverage user access in some way.
Once you have that budget shifted, start by using it on end user education. The people you let into your network (employees, contractors and customers) are often the soft underbelly of your security program. Most of them don’t want to be, but they may lack the knowledge or sophistication needed to be an IT security asset. Don’t assume they know what phishing, malware or password best practices mean to your ability to protect critical resources.
Next, review your core IAM program. Is it just a tool to make IT more efficient or does it provide the intelligence to help spot attacks as they are happening? As an example, are you reviewing or recertifying access entitlements every six months, or do you have the capability to look for problem access on a continuous basis and require managers to review access as it becomes risky?
Finally, make sure you have a 24x7 monitoring capability – just like you do for your perimeter – that will alert you to attacks as they happen. And when you see these attacks – shut off the offending access immediately.
You can ask questions later, but you don’t want to be on the “top 10 breaches” list next year.
Target, the second largest retailer in the United States, recently revealed that it was the target of a data breach between Wednesday November 27 and Sunday December 15 which resulted in unauthorized access to data for 40 million credit and debit cards that included customer name, credit or debit card number, and the card’s expiration date and CVV. Click here to read the Target press release and customer notification and FAQ.
According to a December 19th story by the Wall Street Journal, “There are a variety of methods used to steal credit-card and debit-card numbers. In this case, malicious software, or malware, made its way onto Target's point-of-sale terminals—the red credit-card swiping machines in checkout aisles, according to people familiar with the breach investigation.”
On this note, a New York Times article stated, “Point-of-sale systems have become a major target for cybercriminals in recent years. To pull it off, security experts said a company insider could have inserted malware into a company machine, or persuaded an unsuspecting employee to click on a malicious link that downloaded malware that gives cybercriminals a foothold into a company’s point-of-sale systems.”
While there is still work to be done by the third party forensics team hired by Target, we can assume that the data loss was preceded by a compromise of Target networks. There are predictable patterns for these types of breaches. The attacker most likely:
- Gained access to the internal networks through spear phishing, compromised web sites, a wireless network, a stolen laptop, or zero-day vulnerabilities. Even with traditional perimeter controls like firewalls and modern APT appliances, this is shockingly easy to do.
- Worked “low and slow” within the organization to escalate privileges and move laterally until the desired information was discovered. Typically this involves elevating the credentials of non-privileged users and using those to evade detection.
- Quietly removed the information. This typically involves breaking the data into small chunks and encrypting it to avoid detection by DLP systems on the way out.
This all takes time. At least 18 days passed from breach to discovery, though the breach may have begun much earlier, and it is speculated that a company insider may have been involved.
Courion could have helped detect or even prevent the breach. Courion reduces both the risk of a breach and, as importantly, the time it takes you to detect and respond to a breach if your company is attacked. To decrease business losses, we recommend that you:
- Use traditional perimeter protections such as firewalls and Intrusion Prevention Systems (IPS).
- Reduce your access exposure through Intelligent IAM capabilities
- Employ preventative controls:
  - Require strong passwords and force changes
- Use detective controls so that, if you are breached, you can better understand the motive of the breach and what information was lost or is still being lost. Take what actions you can through:
  - Periodic access reviews by the business or data owner (is that one of ‘my’ users? Is that access correct and as expected?)
  - Continuous monitoring, analysis and automated notification and remediation:
    - Identify users with excessive or unnecessary access (High Security Risk)
    - Identify unused entitlements (High Security Risk)
    - Identify abandoned accounts (High Security Risk)
    - Closely track privileged accounts (High Audit Risk)
    - Identify and manage orphaned or non-mapped accounts (High Risk)
  - Define specific IT Segregation of Duties (SOD) rules and set up alerts when the defined access criteria are not met (High Audit Risk)
  - Identify nested entitlements to accurately assess access risk
Courion can track privileged accounts even when hackers elevate them through deeply nested entitlements. Access Insight, Courion’s IAI analytics solution, will discover nested entitlements in hours.
Courion can designate any entitlement as “privileged” and track it accordingly. In the Target case, administrative access to the POS devices might have been crucial.
- Use forensics: Courion’s solution offers comprehensive and historic views of who has access, what they have access to, how they got that access and what they have accessed. A ‘bird’s eye view’ and ‘view over time’ can be crucial when unwinding a breach to its origins.
- Share information with others, so they share information with you. The hackers do, so shouldn’t you? For example, Courion works with the Advanced Cyber Security Center, whose members include the Federal Reserve Bank, State Street Bank, Biogen, Harvard, and MIT, to share threat intelligence and best practices to prevent, detect and remediate breaches.
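As an added example (this is not Courion's code and is not part of the original post), the following Python script implements the detective checks listed above over a small, constructed set of identity data: orphaned (unmapped) accounts, abandoned accounts, unused entitlements, privileged access that an account holds only through nested group membership, and a segregation-of-duties rule evaluated against effective rather than direct access. Every identity, account, group and timestamp, the 90-day thresholds, the group-nesting layout and the SoD rule are assumptions made up for the example; a real deployment would read them from the HR feed, the directory and access logs.

```python
"""Entitlement risk review over constructed identity data (added example,
not Courion's code): orphaned/abandoned accounts, unused entitlements,
privileged access reached only through nested groups, and an SoD rule."""
from collections import deque
from datetime import date, timedelta

TODAY = date(2014, 3, 1)  # fixed "now" so the constructed data stays stable

# Constructed HR feed: identity -> still employed?
IDENTITIES = {"alice": True, "bob": True, "carol": False}

# Constructed account directory: owner identity (None = unmapped) and last login.
ACCOUNTS = {
    "alice":   {"owner": "alice", "last_login": TODAY - timedelta(days=3)},
    "bob":     {"owner": "bob",   "last_login": TODAY - timedelta(days=10)},
    "carol":   {"owner": "carol", "last_login": TODAY - timedelta(days=120)},
    "svc-pos": {"owner": None,    "last_login": TODAY - timedelta(days=1)},
}

# Direct group memberships per account (constructed).
MEMBERSHIPS = {
    "alice": {"store-staff"},
    "bob": {"ap-clerks", "vendor-maint"},
    "carol": {"helpdesk"},
    "svc-pos": {"pos-admins"},
}

# Group nesting: parent group -> child groups that are members of it, so every
# member of a child inherits the parent's entitlement (assumed layout).
CONTAINS = {"pos-admins": {"helpdesk"}, "domain-admins": {"pos-admins"}}

# Groups whose holders must be tracked as privileged (POS admin rights included).
PRIVILEGED = {"pos-admins", "domain-admins"}

# Constructed usage telemetry: (account, group) -> last time that access was used.
ENTITLEMENT_LAST_USED = {
    ("alice", "store-staff"): TODAY - timedelta(days=1),
    ("bob", "ap-clerks"): TODAY - timedelta(days=2),
    ("bob", "vendor-maint"): TODAY - timedelta(days=200),
    ("svc-pos", "pos-admins"): TODAY - timedelta(days=1),
}

# SoD rule (assumed): nobody may both maintain vendors and process payables.
SOD_RULES = [("ap-clerks", "vendor-maint")]


def _parents_index():
    """Invert CONTAINS into child -> {parent groups}."""
    idx = {}
    for parent, children in CONTAINS.items():
        for child in children:
            idx.setdefault(child, set()).add(parent)
    return idx


def effective_groups(account):
    """Every group the account holds, directly or via nesting, mapped to the
    chain of groups that grants it. BFS with a seen-set, so a nesting loop
    in the directory cannot stall the review."""
    parents = _parents_index()
    paths = {g: [g] for g in MEMBERSHIPS.get(account, ())}
    queue = deque(paths)
    while queue:
        g = queue.popleft()
        for p in parents.get(g, ()):
            if p not in paths:
                paths[p] = paths[g] + [p]
                queue.append(p)
    return paths


def privileged_via_nesting():
    """Accounts holding a PRIVILEGED group only through nesting, i.e. access
    that a review of direct memberships would not show."""
    findings = {}
    for account, direct in MEMBERSHIPS.items():
        for group, path in effective_groups(account).items():
            if group in PRIVILEGED and group not in direct:
                findings.setdefault(account, {})[group] = path
    return findings


def orphaned_accounts():
    """Accounts whose owner does not exist in the HR feed."""
    return sorted(a for a, rec in ACCOUNTS.items() if rec["owner"] not in IDENTITIES)


def abandoned_accounts(max_idle_days=90):
    """Accounts nobody has used within the window, or whose owner has left."""
    findings = {}
    for account, rec in ACCOUNTS.items():
        reasons = []
        if (TODAY - rec["last_login"]).days > max_idle_days:
            reasons.append("idle")
        if rec["owner"] in IDENTITIES and not IDENTITIES[rec["owner"]]:
            reasons.append("owner-inactive")
        if reasons:
            findings[account] = reasons
    return findings


def unused_entitlements(max_idle_days=90):
    """Direct memberships never used, or not used within the window."""
    out = []
    for account, groups in MEMBERSHIPS.items():
        for g in groups:
            last = ENTITLEMENT_LAST_USED.get((account, g))
            if last is None or (TODAY - last).days > max_idle_days:
                out.append((account, g))
    return sorted(out)


def sod_violations():
    """Accounts whose effective (nested) access hits both sides of a rule."""
    out = []
    for account in MEMBERSHIPS:
        have = effective_groups(account)
        out += [(account, a, b) for a, b in SOD_RULES if a in have and b in have]
    return out
```

Running the checks on the sample data flags `svc-pos` as orphaned, `carol` as abandoned (idle and owner has left) while still reaching `pos-admins` and `domain-admins` through `helpdesk`, `bob`'s stale `vendor-maint` membership as unused and as the SoD conflict with `ap-clerks`. Evaluating the SoD rule and the privileged check on effective rather than direct groups is the point of the nested-entitlement item: each group looks harmless on its own.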