Pay Attention to Process

Our first case doesn’t involve technology or a breach of identity data, but we included it because it underscores the importance of securing not just technology but also processes. In 2015, Edward Hornsey, an enterprising young businessman, hit upon the idea of buying used iPhones, many of which were stolen, and returning them to Apple to take advantage of their liberal return policy. He received shiny new replacement phones in exchange, which he was then able to sell at a handsome profit. Surprisingly, he managed to do this 51 times before Apple caught on! At the time, Apple did not check to see if a returned phone had been reported stolen or was being returned by the registered owner of the phone. Nor did Apple have any check on the number of phones returned by a single person. This demonstrates the necessity of designing appropriate anti-fraud mechanisms and identity checks into business processes. In case you are wondering, Apple did catch on and fix its processes and Mr. Hornsey was duly convicted of fraud and sent to jail. Don't try this at home!

Another classic example of an attack that involved no technology beyond charm and chocolate, yes you read that correctly, chocolate, is the 2007 social engineering attack by a perpetrator as yet uncaught, who purloined 21 million euros of jewels from safe deposit boxes at ABN Amro bank in Belgium.ⁱⁱ The thief’s charm and gifts of chocolate were apparently used to obtain safe deposit box keys and information about the diamonds. Don’t shortcut security processes, even for charming, chocolate-bearing customers!

Another failure occurred in 2006 when office workers employed by The Boston Globe newspaper mistakenly printed out lists of subscribers’ credit card and bank routing numbers. Rather than shred the printouts, the workers placed them in a recycling bin. This environmentally conscious newspaper used recycled paper for routing slips for the bundles of newspapers they distribute to newspaper vendors. As you suspected, the recycled printouts with customer credit card and bank information were used to wrap bundles of newspapers that were then distributed all around the city of Boston.ⁱⁱⁱ The newspaper certainly earned an “A” for environmental awareness, but an “F” for data protection that day. If you handle any identity information, avoid printing sensitive information except where absolutely necessary. In addition, provide shredders and train all staff regularly on data protection procedures, including shredding printouts with sensitive information.

Beware of Phishy Emails

Don’t take the bait when someone is phishing! Continuing the unfortunate tale of breaches is Anthem which suffered a breach in 2015 impacting 78.8 million records including social security numbers, birthdays, addresses, email, and income data.^{iv, v, vi} The Anthem breach is suspected to have originated in a single employee inadvertently clicking a phishing email containing malware. At the time, Anthem had on the order of 50,000 employees and a single person clicking a dodgy email opened up a door for hackers. Sadly, the list of breaches caused by phishing attacks continues unabated. In 2018, UnityPoint Health fell victim to a phishing attack, resulting in the exposure of 1.4 million patient records including names, addresses, medical data, and possibly social security numbers and payment card information.^vii Aultman Health Foundation was compromised by phishing, impacting over 42,000 patients.^viii MedSpring Urgent Care in Austin Texas compromised over 13,000 patients’ data as a result of a successful phishing attack.^ix This should underscore the importance of security training, endpoint protection software, and procedures/tools to help employees recognize phishing attacks which may come in the form of emails, text messages, or even voicemails. Implementing a comprehensive program of security measures, for defense in depth, may help reduce or contain the damage if someone falls for a phishing attack, but preventing malware in the first place is preferable.

Use Multi-factor Authentication

While the causes behind some breaches do not involve technology, there are certainly many that do. In November 2015, JP Morgan announced they’d suffered a data breach of 83 million customers’ accounts.^x At the time, it was the largest data breach suffered by an American financial institution. This breach was the result of an attack that began with stealing an employee’s credentials and then gaining access to the bank’s network through a lone server that did not require multi-factor authentication. The moral of this story is one of attention to detail. Have accurate lists of servers, check that multi-factor authentication is required for access to all access points and sensitive resources, and repeat the checks regularly. Rather than rely on error-prone manual processes, use automated processes to build servers with secure configuration and automate regular security scans to ensure all servers remain configured to build standards. Scan networks and use device management regularly to find any equipment that does not meet secure configuration standards.

Stay on Top of Patches

While we’re on the topic of staying on top of things, we should cover the 2017 Equifax breach. This breach exposed the personal data of 143 million people. The breach was made possible when Equifax did not act on security vulnerability notices for its technology stack. A vulnerability in the Apache Struts technology (CVE-2017-5638)^xi was made public on March 6th, 2017.^xii A patch was promptly made available by Apache.^xiii Installing a patch requires time to update the impacted software and thoroughly test applications relying on the patched technology. Care must be taken to ensure the installation of a patch doesn’t cause outages or other issues. In this case, however, aggressive attempts to take advantage of the vulnerability were already being reported in March.^xiv Unfortunately, for the victims in this breach, Equifax failed to patch its systems for this known vulnerability. Equifax reported that its systems were breached in May of 2017, two months after the patch for the vulnerability was provided.^{xv, xvi, xvii} The lesson here is the necessity of knowing your technology stack, monitoring the vulnerability announcements for each technology used, and having a process to quickly triage and apply patches for critical vulnerabilities.

Secure Your Cloud

Just because you use cloud services with rigorous security practices doesn’t give you a free ride. If you use a cloud service, you must configure and use it securely. In 2018, MBM, which runs a company called Limoges Jewelry (a Walmart partner), exposed the personal information of 1.3 million customers via an improperly secured Amazon S3 bucket. This S3 bucket contained a database backup file and left this information publicly exposed for many weeks. The compromised information included names, addresses, phone numbers, email addresses, plaintext passwords, and encrypted credit card information.^{xviii, xix, xx} A similar incident, in 2017, this time by a Verizon partner, exposed personal information and PINs of up to 14 million Verizon customers via an improperly secured S3 bucket.^xxi Continuing the pattern, Uber exposed the personal information of 57 million users in a vulnerable S3 bucket.^xxii A Florida credit-repair firm, National Credit Federation, exposed data including names, addresses, driver’s licenses, dates of birth, social security numbers, and credit reports for tens of thousands of customers in similar fashion.^xxiii The moral of this story is to properly secure any S3 buckets or similar cloud storage services you use.

Encrypt Sensitive Data!

Another critical lesson can be learned from the breach of Sony PlayStation Network. The Sony attack involved 77 million accounts, 12 million of which had unencrypted data. This resulted in the compromise of names, emails, passwords, addresses, and credit card numbers.^{xxiv, xxv} The lesson here concerns the need to protect data. If you handle sensitive data, and identity data is by definition considered sensitive, you should encrypt the data at rest and in transit. This protection should extend to backups and log files. In addition, logs should be scanned to ensure sensitive data isn’t leaked to log files. Twitter learned this lesson the hard way when a bug inadvertently wrote out cleartext passwords to log files and they didn’t discover the issue for months.^xxvi Legislators around the world are reacting to public outrage about data breaches and enacting privacy legislation with sanctions for companies that fail to adequately protect personal data. In the event of a breach, these fines may be avoided, or at least significantly reduced, if data is protected by proper encryption.

Do Not Store Cleartext Passwords

It is risky to store passwords in cleartext. Unfortunately, numerous breaches of cleartext passwords show that many sites have run this risk, to the detriment of their customers. The third largest data breach in Finnish history resulted in the compromise of usernames and cleartext passwords of 130,000 users of the New Business Center, a site for entrepreneurs.^{xxvii, xxviii} A breach of ClixSense, a site for viewing ads and surveys, resulted from an unsecured older server with access to a primary database. This breach exposed personal information such as names, email addresses, dates of birth, and IP addresses as well as the cleartext passwords of 6.6 million users.^xxix A service called “Teen Safe,” designed to allow parents to track their children’s phone activity, compromised the data of tens of thousands of customers. The data exposed included parent emails as well as children’s Apple ID and cleartext password for the Apple ID. This incident was caused by improperly secured servers in Amazon Cloud, but the impact of the breach was compounded by passwords stored in cleartext.^{xxx, xxxi} All we can say is, when it comes to storing passwords in cleartext, just don’t!

Provide Security Training to Developers

These documents contain advice about the most common coding vulnerabilities and how to avoid them.

Heartland Payment Systems suffered a data breach in 2008 that exposed 134 million credit cards and was caused by a SQL injection attack.^{xxxv, xxxvi} This type of attack takes advantage of applications that do not properly validate input that is subsequently used to form queries against back-end data systems. The Heartland breach in 2008 might have been prevented had they heeded the 2007 version of the OWASP Top 10, which showed injection-style attacks as number two in the list.^xxxvii They are easy attacks to perform and automate but can be prevented with proper input validation. To reduce vulnerabilities in application code, ensure that developers are thoroughly trained on the current OWASP Top 10 Application Security Risks and how to prevent them.^xxxviii In addition, to mitigate the risk of human error, institute code reviews and automated software vulnerability scanning to identify vulnerabilities in your application code.

Vet Your Partners

Many companies today use a dizzying array of vendors, and if their access is not properly managed and segregated, the results can be disastrous. The retail company Target announced in 2014 that it had been attacked, resulting in the exposure of 40 million card numbers and personal data of 70 million customers. This attack is suspected to have originated in the compromise of Target’s HVAC (heating, ventilation, and air conditioning) contractor via a phishing attack which installed a Citadel Trojan. Unfortunately, there was inadequate separation between the network access granted to the HVAC vendor and other systems on Target’s business network. The attackers were able to leverage the access provided to the HVAC vendor to access vulnerable systems on Target’s network and from there to access POS (point of sale) systems where they collected credit and debit card data. While Target had installed security tools such as FireEye and Symantec, key monitoring features were either turned off or not monitored. ^xxxix The lesson to learn from this breach is to thoroughly validate the security practices of all partners on an ongoing basis and ensure adequate network segregation between low sensitivity systems and systems with highly sensitive data. Applying the principle of least privilege by granting the minimum necessary access to each actor in an environment can provide another layer of defense. Last but not least, ensure monitoring systems are turned on and pay attention to alerts from security monitoring systems!

There are several more examples of breaches related to business partners. [24]7.ai, a customer service and chat vendor used by several retailers such as Sears, Kmart, BestBuy, and Delta, caused a breach in 2018 resulting in exposure of personal data and credit card information for hundreds of thousands of customers of each of these large companies.^xl In 2017, Deep Root Analytics, a small professional services company used by the Republican National Committee, mistakenly put the data of 200 million voters on a publicly accessible server.^{xli, xlii} To avoid a repeat of these cases, make sure to track all partners you use, vet their security practices, and ask if they share your data with any of their partners and how they’ve vetted their partners.

Insider Threat

Some breaches are caused by insiders. The Verizon Data Breach Report for 2018 indicates that 28% of attacks are perpetrated by insiders.^xliii Perhaps the most infamous example of insider threat was not conducted for monetary gain. Edward Snowden, a systems administration contractor working at the US National Security Agency (NSA), was able to exfiltrate thousands of top secret documents from a Defense Intelligence Agency network. The exact scope of the breach may never be known, but the impact to political strategy as well as to offensive national cybersecurity interests will be felt for years. Snowden apparently accessed 1.7 million files using automated web-crawling software on networks to which he was legitimately given access. He configured the software to look for specific topics. His activity was apparently not detected because he worked in a field office that had not yet upgraded systems to implement the latest security controls which might have detected his activity.^{xliv, xlv, xlvi}

The Snowden incident illustrates the threat of a malicious insider. Several lessons can be learned from the Snowden incident. The first is to implement the classic security principle of granting each person the least privilege required to do their job and to design access models to enforce segregation of duties. Admittedly, this is challenging in smaller organizations where each person has many responsibilities. A second protection is to encrypt data at rest and in transit. A third technique is to employ security monitoring software that can detect anomalous activity (especially high-volume data retrieval). It usually takes significant time to tune such solutions so that they do not generate a time-wasting volume of false positives. Data loss prevention (DLP) solutions, which are designed to prevent exfiltration of data by detecting anomalous traffic out of a network or device, can also be used. Unfortunately, none of these techniques can guarantee protection against data theft. However, if there is a breach and such solutions are not in place, it will look much worse for the victimized organization.

Summary

This chapter was a very sobering chapter to write. The number and magnitude of breaches seem to continually get bigger and bigger. George Santayana, the Spanish philosopher, poet, and novelist, said, “Those who cannot remember the past are condemned to repeat it.” We hope the lessons from past breaches help you avoid following in the footsteps of the many companies featured in the preceding sections. If you are writing an application that contains or uses identity data, you have an obligation to protect that data. Unlike the game of golf, there is unfortunately no handicapping system to give beginners a break. If you are creating an application, you must follow security best practices for the coding, deployment, and environment of the application as well as people, processes, and partners involved in the project.

Furthermore, in today’s world, it’s not good enough to just implement security technology. You need to be able to demonstrate diligent adherence to security- and privacy-related policies and procedures, which is related to compliance, the topic of our next chapter.

Notes