by Jasmine Chennikara-Varghese, Greenlight Technologies
More than a few times this year we have seen the headlines that a data breach has resulted in millions of records in the hands of bad actors. 2017 has put a number of high-profile companies in the limelight due to unpatched vulnerabilities, human errors and misconfigurations were leveraged to steal sensitive records. What are the key lessons learned from these breaches?
- Every organization is at risk: Recent events remind us that there is never a finish line to security. It is an ongoing challenge for organizations that store a variety of personal private data such as Social Security Numbers, or corporate data such as design documents and company financials. The recent major breaches were in organizations expected to have mature, robust cybersecurity programs in place. However, even with the best-in-class solutions and experts, one small misstep can leave a huge gaping hole in your defenses. A layered, defense-in-depth strategy requires a security framework architected to minimize the reliance on a single control as well as frequent reviews of the internal security posture to validate controls.
- Timely breach detection and notification is critical: The faster end-customers are notified that their data is compromised the faster they can take mitigating actions to protect their data. It is not only the number of records stolen but the types of data compromised that put customers and organizations at risk.
The Yahoo breach in 2013 was a very big one and its impact is still being uncovered. Last year, the estimate was about 1 billion accounts impacted. Recently, Yahoo disclosed that the number is 3 billion accounts, meaning every Yahoo user account was affected. This breach exposed names, birth dates and passwords as well as security questions and backup email addresses used for password resetting. With this valuable information, threat actors could potentially break into other personal, corporate and even government accounts for the same user.
In the case of Equifax, threat actors leveraged a website vulnerability between May and July but the breach was only discovered in the end of July. This was enough time for the attackers to access the identity of more than 40% of the U.S. population. The significance of the compromised personal data was also high-impacting since Social Security Numbers and driver’s licenses were disclosed. Equifax notified customers in September, leaving a lot of leeway for identity thieves to use that data.
In September, Deloitte reported a breach in the firm’s global email server which they had discovered in March. However, the server may been compromised for more than 3 months, allowing access to emails, design documents, configuration details in spreadsheets, passwords emailed between engineers, etc. Threat actors can potentially leverage the sensitive information that Deloitte holds for hundreds of global enterprise companies to expand their attack surface to other targets.
Look for Part II next week…