Why Companies Keep Getting Breached

Cybersecurity breaches can strike anyone, any time, with no warning.  Often, a company or organisation doesn’t even realize a breach has taken place until months after the fact.  Even the largest companies, such as Yahoo, Sony, and JP Morgan Chase, with “top-of-the-line” network security are blindsided by a hack, resulting in a staggering loss of sensitive data or revenue (for more about real top-of-the-line security, see Security Done Different).  

Often, the security flaw in an organisation stems from simple oversight.  Sprawling networks with hundreds of endpoints present a host of potential vulnerabilities for attackers to exploit.  Other times, though, the attackers have come up with deviously clever workarounds to bypass the outer wall of a network, after which they are free to linger and snoop without being detected.  

The only bright side to these breaches is that they provide case studies we can learn from.  There’s no reason for organisations to be hacked the same way twice; if we want to gain an edge over the attackers, we need to learn from the mistakes of others, and ensure we don’t make the same ones.  With that in mind, we have compiled a few examples of large company breaches, broken down what went wrong, and come up with simple fixes to protect you from a similar attack.

Here’s who’s getting hacked, and what you can learn from them.

Yahoo

In late 2016, Yahoo released the staggering news that around 1 billion (yes, that’s 1,000,000,000) user accounts had been compromised in 2014, which means Yahoo, and Yahoo users, were the subject of the largest data breach in history.  Hackers got a hold of names, email addresses, security questions and answers, and a slew of other personal information.  The attackers then figured out how to log into user accounts using a cookie exploit, granting complete access to any account they targeted.  The only bright side to all of this is that users’ financial data (like credit card and bank account information) was stored separately from the personal data, and remained uncompromised.  That being said, the hackers were able to search the body of private emails for financial information, send phishing emails from private accounts, and spam not only Yahoo email addresses, but also the recovery addresses associated with Yahoo accounts.

So how did the hackers do it?  Unfortunately, we can’t be completely sure how they initially breached Yahoo’s security, but Malcolm Palmore of the Silicon Valley office of the FBI has a good guess.  Palmore stated the breach was probably initiated by “spear-phishing” a Yahoo employee with a moderate amount of network access.  “Spear-phishing” is when an attacker sends an email that looks like it is from a trusted source, and requests private information from a user.  The Yahoo employee was fooled, and the attackers had their in.

Later, the hackers used the data stolen from the network, specifically unique account IDs (called “nonces”) and some proprietary Yahoo software which created post-authentication cookies when given a nonce.  Using these cookies, the hackers’ browsers became indistinguishable to Yahoo servers from valid, authenticated browsers requesting an auto-login.  The attackers could then log in to any Yahoo user account, and they accessed some 6,500 accounts before they were apprehended.  And so went the largest, most successful, most privacy-destroying hack in history.

Of course, this hack (or at least this method of attack) could have been thwarted if the employee hadn’t fallen for the spear-phishing email.  It is vital that employees, especially those with privileged access, are familiar with cybersecurity attacks which may use them as a pawn, such as phishing.  It’s also not a bad idea to institute company policy against requesting or sending sensitive data, such as passwords, via email.

Sony

Sony was devastated by a hack in late 2014, and film production schedules, sensitive financial documents, personal emails, passwords, source code, SQL databases, and more were published online by the hacker group claiming responsibility, Guardians of Peace.

Sony’s security had two major defects. First, and somewhat surprisingly, they had shoddy physical security; that is, the hackers simply walked into Sony headquarters, and thus were able to launch an attack from the inside.  Being inside can give the attackers a huge advantage, as network connections made through ethernet ports inside an agency are often considered trusted and secure by default.  In this case, however, the hackers stole the password of someone in the IT department, which granted them systemwide access and allowed them to install malware on the network.  Then, they walked back out, and some malware they installed handled the rest, stealing additional passwords, accessing and possibly destroying data, and transmitting stolen information back to computers controlled by the Guardians of Peace hackers.

So, the obvious solution is that Sony should have had physical security in place.  Maybe employee checks at the door, or key card locks blocking access to areas with company computers.

There’s another, less obvious flaw in Sony’s systems; Sony should have had layers of protection in place in the case of a breach.  Basically, the hackers needed to get onto the network… and that’s it.  After the initial breach, they were effectively home free.  Strong security practice includes many levels of fail-safes.  In other words, assume your prevention-based security will eventually fail, and have additional security in place preventing anyone on the network from installing new programs, for instance.

JPMorgan Chase

JP Morgan Chase, America’s largest banking institution, was hacked in the summer of 2014.  It’s hard to hold them entirely responsible for the attack; it turns out the attackers were well-versed in cracking banks, having pulled off similar attacks on nine other banks around the same time.  However, what with JP Morgan Chase spending $250 million USD per year on cybersecurity, one would hope they would be protected from such attacks.  And it’s possible that, had all security measures been implemented correctly, they would have been safe.  As is so often the case, the security team made a small oversight, and it was enough to allow access.

Most banks use multi-factor authentication when accessing servers.  Multi-factor authentication requires a user to provide multiple identifiers before access is granted.  These identifiers are either something a user has (a card or key), something a user knows (passwords, PINs, security questions, etc.), or something a user is (as detected by biometric scanners).  Two-factor authentication (requiring two of these three) is common, and was in use at JP Morgan Chase.

Except they overlooked a server.  During the update to two-factor authentication, one server went unnoticed, and it was through this server the attackers gained access.  This attack demonstrates a critical point: even the best cybersecurity program will fail if it isn’t implemented properly.  While we can’t be sure the attack would have been prevented had this server been updated, it would have meant the attackers needed to find a way through the $250 million wall surrounding JP Morgan Chase’s network.  For large organisations with hundreds of endpoints, meticulousness is crucial to remain secure.  It might sound like a drag, but a security team needs to triple-check every access point to prevent errors like an outdated server leaving them vulnerable.
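One way to catch a server missed during an authentication rollout is to reconcile what the team believes exists against what is actually reachable and what is confirmed as enforcing the second factor. The script below is an added example, not part of the original article and not a description of JP Morgan Chase's tooling; the host names, the three input lists and the function names are constructed for illustration.

```python
from dataclasses import dataclass


def normalize(host: str) -> str:
    """Lower-case and strip whitespace / trailing dot so one host matches across sources."""
    return host.strip().lower().rstrip(".")


@dataclass
class CoverageReport:
    missing_mfa: list  # accepts logins or is inventoried, but MFA is not confirmed
    unmanaged: list    # observed on the network, absent from the inventory


def audit_mfa_coverage(inventory, discovered, mfa_enforced) -> CoverageReport:
    """inventory:    hosts the rollout team knows about (e.g. an asset-database export)
    discovered:   hosts observed exposing a login service (e.g. internal scan results)
    mfa_enforced: hosts where the second factor has been verified as required"""
    inv = {normalize(h) for h in inventory}
    seen = {normalize(h) for h in discovered}
    enforced = {normalize(h) for h in mfa_enforced}
    # Scope is the union: a host nobody inventoried still needs the second factor.
    in_scope = inv | seen
    return CoverageReport(
        missing_mfa=sorted(in_scope - enforced),
        unmanaged=sorted(seen - inv),
    )


# Constructed sample data (hypothetical hosts under example.internal).
INVENTORY = ["vpn01.example.internal", "web01.example.internal",
             "DB01.example.internal.", "batch02.example.internal"]
DISCOVERED = ["vpn01.example.internal", "web01.example.internal",
              "db01.example.internal", "legacy-app.example.internal"]
MFA_ENFORCED = ["VPN01.example.internal", "web01.example.internal",
                "db01.example.internal"]

if __name__ == "__main__":
    report = audit_mfa_coverage(INVENTORY, DISCOVERED, MFA_ENFORCED)
    print("MFA not confirmed:", report.missing_mfa)
    print("Not in inventory: ", report.unmanaged)
```

A host that appears in both lists, as the constructed legacy-app entry does, is the overlooked-server case: it was never in scope for the upgrade because nobody knew it was there.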

So there you have it.  Three organisations, three lessons.  One, don’t reply to fishy (or phishy…) emails or send sensitive data through email.  Two, ensure only authorized individuals can access company computers and areas, and that only highly authorized users can make changes.  Three, check, check, and check again; everybody makes mistakes sometimes, so meticulousness is required to make sure all the mistakes are caught before they are an issue.

Of course, this is only a small number of huge organisations that have been breached in the last 5 years.  Others include Target, Ebay, Anthem, Adobe, and the US Military, to name a few.  Next time you hear about a breach, do some research into how the attackers did it.  Every breach is a new lesson, and every lesson makes you more secure.

The biggest flaw in the security practices of all these companies was a narrow focus on prevention-based security.  To read more about security best practice, check out The 3 Pillars of Cybersecurity.

 
