The NSA Hack Proves that Much More Needs to Be Done to Protect Enterprise Data

In the hit USA Network series Mr. Robot, a rogue group of hacktivists target major corporations and the government. In a recent episode, the group enlisted the help of a malicious insider to hack the FBI. Sound far-fetched? Maybe not: Around the same time this episode aired, an anonymous group of hackers known only as the “Shadow Brokers” leaked 300 megabytes of information from the U.S. National Security Agency (NSA).

The NSA hack compromised highly sophisticated hacking tools used by the spy agency to conduct cyber espionage, including zero-day vulnerabilities that can be exploited to breach corporate firewalls. The Washington Post reports:

The file contained 300 megabytes of information, including several “exploits,” or tools for taking control of firewalls in order to control a network, and a number of implants that might, for instance, exfiltrate or modify information.

The exploits are not run-of-the-mill tools to target everyday individuals. They are expensive software used to take over firewalls, such as Cisco and Fortinet, that are used “in the largest and most critical commercial, educational and government agencies around the world,” said Blake Darche, another former TAO operator and now head of security research at Area 1 Security.

The NSA hack has rattled the nerves of cyber security professionals across the nation and around the globe. Not only was one of the most secure systems on the planet compromised, but the release of elite hacking tools and a list of existing vulnerabilities has put numerous private-sector corporations at risk – including at least two major cyber security providers.

It is widely believed that the Shadow Brokers are Russian nation-state hackers, but this theory has not been proven, nor does anyone know how they managed to get their hands on the NSA’s hacking toolbox. However, since nearly all data breaches result from the misuse of legitimate login credentials, the leak very well may have originated from within the NSA, either through a malicious insider (as portrayed in the Mr. Robot story arc) or through a careless or negligent employee clicking on a phishing link or sharing their password.

The NSA hack also has everyone asking, if a covert government spy agency’s data isn’t safe from hackers, what about everyone else’s? So far, 2016 has seen, among other major cyber security incidents:

• Numerous ransomware attacks on the healthcare industry, including the infamous Hollywood Presbyterian attack
• An epidemic of tax data spear phishing schemes, including one that compromised an NBA team
• The hijacking of the SWIFT Network bank messaging system by a team of international cyber bank robbers
• The Wendy’s POS data breach, which resulted in a class-action lawsuit against the fast-food chain
• A former St. Louis Cardinals employee being sentenced to prison for hacking the Houston Astros – using crude techniques to get past weak cyber security barriers
• Information security providers themselves being compromised due to the NSA hack

What’s next? It can be scary to think about. The hacks just keep coming, and both public and private sector organizations in all industries seem ill-prepared to defend against them.

However, now is not the time to panic. Instead, the NSA hack should be a wake-up call for organizations to reevaluate their information security procedures from top to bottom. A cyber security plan is never “finished.” It must be continuously reassessed and rewritten as new technologies and threats emerge. Further, a proactive approach is always better than reacting after a breach has happened. The NSA hack did not have to happen, and neither did any of the other hacks mentioned above. Proactive security measures, from employee training to network monitoring, could have prevented all of these hacks.

Today’s information systems are increasingly complex, and so are cyber attacks. Unless you are an expert in the industry, you’re probably struggling just to wrap your head around it, and you’re not alone. Many organizations simply do not have the resources to handle all of their cyber security needs in-house, and they find that attempting to do so leaves them with security vulnerabilities while taking away time and resources from their core competency.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from internal threats and external security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization secure its systems and keep hackers out.

[bpscheduler_booking_form]

PCI DSS compliance is serious business for anyone who processes or accepts major payment cards. Retailers or payment processors who are found to be in violation of PCI DSS can be fined millions of dollars, and they may even be stripped of their ability to accept major credit cards.

However, PCI DSS compliance standards are highly complex, and achieving compliance can be an expensive, tedious process. Not surprisingly, many organizations – already facing budget and staffing constraints – feel that once they have achieved compliance with PCI DSS, they have done everything they need to do to secure their customer data. Their cyber security begins and ends with PCI DSS compliance.

After these same organizations are breached, their spokespeople often tell the media (and the cyber security firms they hire to clean up the mess), “We have no idea how this could have happened. We were compliant.”

PCI DSS Compliance Alone Does Not Guarantee Data Security

While PCI DSS compliance reduces the risk of data breaches, it does not eliminate them. Both Target and Home Depot were compliant with PCI DSS when their POS systems were breached, exposing tens of millions of consumer credit card numbers. Target had just gotten its PCI DSS compliance certification only two months prior to the hack.

Unlike HIPAA, the healthcare compliance standard that is heavy on documentation and procedures and light on technical specifics, PCI DSS goes into quite a bit of detail regarding best practices that retailers and payment processors must adopt. For example, PCI DSS compliance requires changing default passwords on system components. However, all of these technical details can provide organizations with a false sense of security. PCI DSS does not cover every single security measure every organization must take to protect its data, nor could it do so. Technology is advancing too quickly for any set of standards to keep up. Mobile technology, cloud applications, and Internet of Things (IoT) devices are exploding in popularity, and with each new application and gadget comes a whole new set of vulnerabilities for hackers to exploit. By the time a new set of technical standards was issued, they’d already be out of date.

PCI DSS also cannot address the specific risks in every data environment at every organization, and it cannot account for the weakest link in every organization’s cyber security: its people. Human error, negligence, and purposeful malicious activity account for nearly half of all data breaches. That’s why social engineering techniques are so popular among hackers. An organization can be PCI DSS compliant – and then, an employee clicks on a link in a spear phishing email and inadvertently unlocks the front door to the company’s system.

Customer Data Security Begins, But Does Not End, With PCI DSS Compliance

PCI DSS compliance and data security work together to protect your organization’s data. A compliant organization has the foundation to build out a cyber security plan that addresses the specific risks in its data environment. At the same time, a proactive cyber security plan helps organizations achieve and maintain compliance.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from internal threats and external security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization.

[bpscheduler_booking_form]

Baseball may be America’s favorite pastime, but from the Black Sox scandal to Pete Rose to the “Steroid Era,” cheating schemes have long tarnished the game. Sadly, it was only a matter of time before cheating went high-tech. Former St. Louis Cardinals executive Chris Correa has been sentenced to 46 months in prison for violating federal hacking laws after breaching the Houston Astros’ database and stealing proprietary information such as scouting reports and trade negotiation notes. Although the MLB claims that it appears Correa acted alone in the Houston Astros hack, it is launching an internal investigation into the Cardinals organization and may sanction the team.

How and Why the Houston Astros Hack Happened

Most data breaches are not the result of hackers finding “backdoors” into systems; they are due to hackers getting hold of stolen login credentials, obtained either through a phishing scheme or by taking advantage of employee carelessness, such as employees using weak passwords or writing login credentials on sticky notes and leaving them in plain sight. The Houston Astros hack was the fault of simple carelessness on the part of a new employee (identified only as “Victim A” in court documents) whose previous employer was the Cardinals organization.

When Victim A left the Cardinals to take a job with the Astros, he was told to return his work laptop, including its password information, to Correa. Correa got the idea to try to use this same password, and a few variations of it, to see if he could use it to access the Astros’ database, which was nicknamed “Ground Control.” Correa was right; the employee had chosen a nearly identical password for use in his new job, and Correa was able to use it to walk right in the front door of Ground Control.

Eventually, the Astros updated the Ground Control system, thus changing the login credentials, but that was only a bump in the road for Correa. The password still worked for the employee’s email account – and the Astros had emailed new default login information to all employees.

How Could the Astros Have Prevented the Breach?

The Houston Astros hack resulted from poor cyber security practices on very basic levels:

• Weak passwords chosen by the employee and used on multiple systems. No matter how many times people are told to use strong passwords, change them frequently, and not use the same passwords for multiple systems, most people simply don’t take this warning seriously. For this reason, organizations should not allow employees to choose their own passwords. They should be assigned strong passwords for each system, and the system should require that they be changed periodically.
• Not requiring multi-factor authentication to access sensitive data. A user name and strong password may be fine for an email account, but systems that contain sensitive information should require multi-factor authentication for access.
• Sending default login information through email. The Astros should not have sent employees new Ground Control login credentials through email; instead, the login credentials should have been given to employees in hard copy, and the system should have been set up to require that the credentials be changed as soon as the employee logged in for the first time.
• Not monitoring networks for anomalous activity. Correa was lurking around in Ground Control for well over a year before he was discovered, and that only happened because confidential trade information was leaked online. Had the Astros been monitoring their system, they may have noticed user activity that deviated from baseline norms, such as the user logging in from an unusual location.

Correa’s plea deal estimates that the Astros lost $1.7 million to this breach. Regardless of whether the MLB decides to take action against the Cardinals organization, the Astros need to take a hard look at their information security practices – and other organizations should learn from the Astros’ very expensive mistake. Proactive security measures that prevent cyber attacks are always cheaper than reactive cleanup after a breach has occurred.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from internal threats and external security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization.

[bpscheduler_booking_form]