
In 2012, Prince William began a stint as a helicopter pilot in the Royal Air Force. Anticipating a PR opportunity, an official Ministry of Defense photographer was sent to take pictures of the Prince at work. A selection of photos was distributed to the press, but only after they were published did anyone notice that MoD network logons were clearly visible in them. This embarrassing breach of security turned a fluff piece on the Prince into a debacle, and the MoD was forced to immediately change many of its passwords.

The number of security lapses, though, was striking: 1) Don't share passwords; 2) Don't write the passwords down; 3) Don't post them on a wall; 4) Don't take pictures of where you posted them; 5) Don't publish those pictures in the newspaper. Bear in mind, too, that Prince William of the Royal Air Force (it is, ahem, his Royal Air Force) evidently did not notice a problem, nor did the other RAF staff present on the day, the official photographer, the Royal Family's PR team that vetted and distributed the photos, nor the editors of the various newspapers that chose to publish the pictures. A great many gatekeepers were asleep at the switch.

We laugh, of course, but if I were to tell you that he left Buckingham Palace unlocked and unguarded, with the Crown Jewels lying in plain sight in rooms toured by the public, the response would be very different. We have widely agreed-upon cultural norms guiding the appropriate level of protection for physical assets—keep valuables out of sight, lock the doors, monitor the comings and goings of others. We do not yet have the same protective instinct for assets that exist in the digital realm. This is the gap that hackers exploit to do us harm.


The Human Factor

The vast majority of data breaches are the result of the errors, oversights, or deliberate mischief of individual employees. Recent studies have variously attributed between 52 percent and 95 percent of all data breach incidents to human error or employee negligence. The figures differ because of different methodologies and different definitions of “human error,” but by any measure, the primary cause of data breaches is user behavior.

To see the potentially catastrophic effects of just a single user's oversight, consider the experience of Equifax. In early March 2017, cybersecurity analysts became aware of a security flaw in a software platform called Apache Struts, which was part of the technology used by Equifax in its customer support portal. The Department of Homeland Security sent out notifications alerting users to the vulnerability. Despite the warning, Equifax never installed the necessary patch. Several months later the firm was rocked by the disclosure that the personal data, including names, birth dates, and Social Security numbers, of almost half the population of the country had been exposed. Chairman and CEO Richard Smith stepped down, and then went before Congress to offer his explanations. In his testimony on October 3, 2017, Smith said the incident was the result of a mistake by a single employee (flash cut to Steve Urkel: “Did I do that?”).

Instead of instituting a campaign touting “Only you can prevent data breaches,” however, the victim organizations and the press continue to foster a narrative of data breaches that emphasizes the frightening technological offense, rather than the humble human defense. The overall impression is that data breaches are the result of enemy nation states, hacktivists, organized crime, and other evil forces who have leveraged the skills of armies of young technologists to unleash unrelenting attacks on American businesses and their information assets.

Often forgotten in this story are the front-line soldiers in this war: the actual users of information systems. They form the boundary between the organization's protected information system and the outside world. Their behavior has direct and tangible effects on the security of that boundary.

Simple and inexpensive user behaviors could have diverted or prevented many of the most high-profile attacks. Not clicking on links in emails, not re-using passwords, deploying available tools like encryption and two-factor authentication, and running regular backups are relatively easy and inexpensive actions that, if they were simply more common and reflexive on the part of users, would have imposed significant barriers to the attackers in many of the most headline-grabbing recent incidents.


Today's Attacks

Phishing: The security consulting firm PhishMe reported in early 2016 that as many as 91% of cyberattacks originated as phishing attacks. Email represents an almost unavoidable point of vulnerability. For an organization to maintain communications with the outside world, there must be a way for outsiders to send messages to inside the organization. All it takes is for just one recipient of a phishing attempt to click on a malicious attachment or link to compromise an organization's IT security system. Once the bad guy is inside the gates, the quality of those gates is irrelevant.

This is how the Sony data breach began. In 2014, a group that identified itself as “Guardians of Peace” sent spear-phishing emails to top executives at Sony trying to entice them to provide their Apple ID information. The attackers reasoned, correctly, that some of their targets would be reusing the same passwords, and that the pilfered Apple ID credentials could be used to log in to Sony's systems. This worked, and the Guardians of Peace stole 100 terabytes of data and left a trail of digital destruction akin to salting the Earth behind them.

Password Health: Another way to protect credentials from exposure is to make sure they are not easily obtainable by other means (such as not photographing them and sending them to the press). It has been said that you should treat your password the way you do your toothbrush—don't share it with anyone else, and change it often.

In October 2016, many marquee websites were temporarily taken down in a distributed denial of service attack that originated when hackers were able to take remote control of millions of networked devices for which the users had never changed the default passwords.

Multi-factor authentication: Multi-factor (or two-factor) authentication refers to the use of multiple attributes to establish a complete set of login credentials. Inputting a password or a PIN is a form of single-factor authentication (relying on something the user knows), whereas multi-factor systems additionally require something the user has (such as a key fob or keycard) and/or something the user is (such as an eye scan or fingerprint).

In the summer of 2013, hackers compromised the systems of JP Morgan Chase, obtaining records on some 83 million household and small business accounts. According to some accounts, the breach was possible because the server in question did not have two-factor authentication installed, despite that being the norm for other Chase servers and systems.

Encryption: Strong encryption technologies are a last line of defense keeping data secure even after it has been improperly accessed. On March 16, 2017, a laptop was stolen from a Secret Service agent's car in Brooklyn. The computer contained floor plans and evacuation information for Trump Tower, along with other sensitive information. The device could not be tracked or erased remotely. The sole remaining protection against the unwanted disclosure of this information was the fact that the device was using strong encryption.

On October 22, 2017, FBI Director Christopher Wray revealed that due to the use of strong encryption, more than half of the mobile devices seized by law enforcement in 2017 could not be accessed or analyzed. The bad guys are already using this technology to shield themselves from investigators—the good guys might as well start taking advantage of the same protections.

Backups: In May 2017, the WannaCry “cryptoworm” attacked more than 300,000 computers in 150 countries, disabling access to essential data for a wide swath of organizations and institutions including healthcare providers, banks, and major transportation providers. The worm is basically a weaponized form of encryption, where the attacker deploys strong encryption on the victim systems but keeps the key hostage.

The “good news” is that criminals who use ransomware typically do release the keys upon payment of the ransom, but this is likely cold comfort for governmental agencies and police departments forced to turn over taxpayer money to criminals. The better news is that organizations with regular backups to offline systems could restore much of their data without paying the ransom. Unfortunately, few companies were in this position.


Outrunning the Lion

The old story goes that two men in the jungle spot a lion. One man starts lacing up his running shoes. The other asks, “Do you really think you can outrun a lion?” “No,” the runner replies, “I think I can outrun you.” There are determined attackers out there, with deep resources to launch coordinated, targeted, sophisticated attacks. Why make it easy for them?

David Kalat is Director, Global Investigations + Strategic Intelligence at Berkeley Research Group. David is a computer forensic investigator and e-discovery project manager. Disclaimer for commentary: The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.