Key takeaways from the wellspring of newly disclosed breaches
In the past week, at least three corporate security breaches have made headlines. The Under Armour MyFitnessPal breach is the most notable for its sheer size: approximately 150 million user accounts were compromised, a figure comparable to the Equifax breach.
Soon after, news broke that a security breach had potentially compromised millions of Saks and Lord & Taylor payment cards. Only hours later, KrebsOnSecurity reported that a leaky website, PaneraBread.com, had left millions of customer records exposed.
After the Saks and Lord & Taylor breach, the notorious hacker group Fin7 released its newest batch of compromised records, BIGBADABOOM-2, putting more than 5 million credit cards up for sale on the dark web.
With each breach, millions upon millions of user accounts are compromised, suggesting that companies aren't getting security right. More to the point, these incidents reveal the gaps in corporate security. Using weak cryptography, or no encryption at all, is a far cry from the layered security that today's organizations need.
It's been said, almost ad nauseam, that there is no silver bullet in security. Unfortunately, when these breaches occur, and they are happening more frequently, they reveal that many corporations take a "silver bullet or bust" approach to securing the data they collect.
Completely Off Target, or Slightly Off the Mark?
Here’s what we know: Krebs noted that, “The data available in plain text from Panera’s site appeared to include records for any customer who has signed up for an account to order food online via panerabread.com.”
Despite researcher Dylan Houlihan reporting the problem eight months earlier, the data was still exposed in plain text, and "the records could be indexed and crawled by automated tools with very little effort."
Gemini Advisory LLC estimates that the Saks, Lord & Taylor hackers began stealing the card numbers in May 2017.
By contrast, the MyFitnessPal app was breached in late February 2018. The company detected the intrusion in late March and notified users only days later.
Unlike in the other two breaches, the time from intrusion to detection for Under Armour was weeks, not months, which suggests that the company had detection capabilities in place to keep dwell time short. Additionally, no payment information was compromised in the Under Armour breach, because that data is collected and stored separately from account data.
So, when we look at the security strategies, or lack thereof, across these three breaches, it becomes clear that Under Armour had a strategy for protecting the data it collects. To the company's credit, most of the passwords were hashed with bcrypt. The remainder of the affected data, however, was hashed with SHA-1. Note that SHA-1 is a plain hash function, not encryption: it is fast, unsalted and trivially reversible for common inputs by table lookup.
“Unfortunately, using only SHA-1 for usernames and email addresses is a problem,” said Terry Ray, CTO of Imperva. “For one, there are billions of already decrypted SHA-1 hashes freely available on the web, and cracking a new one doesn’t take too much effort.”
Despite being a weak choice for this purpose, SHA-1 was still used as a protection tool. Its problems are structural: it is designed to be fast, and without a per-user salt every account that shares a password shares a hash, so a single precomputed table cracks an entire dump in one pass. bcrypt is deliberately slow and salts each hash, so an attacker must pay the full cost for every account and every guess. Given that bcrypt was already in use for most of the passwords, why not forgo the weaker hash and protect all of the data with bcrypt?
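The following is an added example, not code from the page or from Under Armour, that makes the difference concrete. It stores the same constructed set of weak passwords two ways, as unsalted SHA-1 and as a salted, slow key derivation, and then runs a dictionary attack against both, counting how many hash computations each scheme costs the attacker. bcrypt needs a third-party package, so the standard library's PBKDF2-HMAC-SHA256 stands in for it here; the salting and work-factor argument is the same. The account names, passwords and wordlist are constructed sample data, and the `pbkdf2_sha256$iterations$salt$key` storage format is an assumption for this example.

```python
import hashlib
import hmac
import os

# Constructed sample data (not a real dump): four accounts, two of which share
# a password, all chosen from a common-password list.
SAMPLE_PASSWORDS = {
    "alice": "password1",
    "bob": "iloveyou",
    "carol": "letmein",
    "dave": "password1",
}

# Tiny stand-in for the precomputed SHA-1 tables freely available online.
WORDLIST = ["123456", "password", "password1", "iloveyou", "qwerty", "letmein", "dragon"]

PBKDF2_ITERATIONS = 100_000  # work factor; raise it as hardware gets faster


def sha1_store(password: str) -> str:
    """Weak scheme: unsalted SHA-1. Same password -> same hash, and one
    precomputed table cracks every account in a single pass."""
    return hashlib.sha1(password.encode()).hexdigest()


def kdf_store(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Strong scheme: random per-user salt plus a deliberately slow KDF.
    PBKDF2-HMAC-SHA256 (standard library) stands in for bcrypt here.
    Storage format (assumed for this example): pbkdf2_sha256$iter$salt$key."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def kdf_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, key_hex = stored.split("$")
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations), dklen=32
    )
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def crack_by_lookup(stored: dict, wordlist) -> tuple:
    """Attack on unsalted SHA-1: hash each guess once, then look up every
    account in O(1). Work is len(wordlist), independent of the user count."""
    table = {sha1_store(w): w for w in wordlist}
    found = {user: table[h] for user, h in stored.items() if h in table}
    return found, len(table)


def crack_salted(stored: dict, wordlist) -> tuple:
    """Attack on salted PBKDF2: the salt defeats any precomputed table, so each
    (user, guess) pair costs a full KDF run. Work scales with users x guesses."""
    found, work = {}, 0
    for user, s in stored.items():
        for guess in wordlist:
            work += 1
            if kdf_verify(guess, s):
                found[user] = guess
                break
    return found, work


def demo() -> dict:
    """Store the sample accounts both ways and attack both stores."""
    weak = {u: sha1_store(p) for u, p in SAMPLE_PASSWORDS.items()}
    strong = {u: kdf_store(p) for u, p in SAMPLE_PASSWORDS.items()}
    lookup_found, lookup_work = crack_by_lookup(weak, WORDLIST)
    salted_found, salted_work = crack_salted(strong, WORDLIST)
    return {
        # Unsalted: identical passwords are visible as identical hashes.
        "shared_visible": weak["alice"] == weak["dave"],
        # Salted: the reuse is hidden even before any cracking starts.
        "shared_hidden": strong["alice"] != strong["dave"],
        "lookup_found": lookup_found,
        "lookup_work": lookup_work,
        "salted_found": salted_found,
        "salted_work": salted_work,
    }


if __name__ == "__main__":
    result = demo()
    print(f"SHA-1 table attack: {len(result['lookup_found'])} accounts for "
          f"{result['lookup_work']} hash computations (all users at once)")
    print(f"Salted KDF attack:  {len(result['salted_found'])} accounts for "
          f"{result['salted_work']} slow KDF runs (one per user per guess)")
```

Both attacks recover the same weak passwords, because the passwords themselves are in the wordlist; the difference is the cost. The SHA-1 attack pays once per guess for the whole dump, which is why a 150-million-row table is no harder to crack than a ten-row one. The salted scheme forces one slow derivation per account per guess, and the work factor makes each of those derivations cost tens of milliseconds rather than microseconds. That multiplication by user count and by iteration count is the entire point of bcrypt, scrypt and PBKDF2.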
Protecting Beyond the Perimeter
In fact, it's more than user passwords that need to be protected. What these breaches teach is that an application's popularity is a good indication of how attractive a target it makes for cyber attackers: the more data available, the more an attacker has to gain. That's why organizations need to be thinking about a layered, defense-in-depth approach to protecting user information across the extended network. Encryption alone is not enough.
Data should still be encrypted, though. Companies should continue to defend the perimeter, but prepare for mobile security threats as well. While no organization is impervious to attack, Under Armour was wise to keep payment data in a separate, segmented system, which is why that data was untouched.
The cybercriminals in both the PaneraBread and the Saks and Lord & Taylor breaches were able to sit undetected on the victims' networks for several months. It's wise, then, for companies to invest in detection capabilities that minimize dwell time once an intruder does gain access to critical information. Companies should also implement two-factor authentication, web application firewalls and user access controls to further reduce risk.
Organizations that haven't moved beyond protecting the traditional perimeter to build a modern security strategy, one that can protect against internal as well as external threats, are off the security mark and exposed. They have some catching up to do.
Where do you, as a company, start? Begin where you are. Start by knowing what you are protecting. Then get a clear understanding of what tools you have in your environment and how users access the network to get the information they need to do their jobs. Build layers into your security controls with reliable tools that address your business-specific risks.
One strategy for building layers into your security program is to think like a criminal trying to attack your organization. Shifting your perspective from defender to attacker helps you safeguard against lateral movement from the various points of entry. Then you can invest in the right collection of security tools that work together in your environment.