A few weeks ago, FlexBooker, an appointment scheduling solution, notified its customers that it had been breached.
Although Imperva has no specific insider knowledge of what happened during the breach, we can learn a lot from the breach notification. In this blog, we’ll review the content of FlexBooker’s data breach notification, along with additional related sources, to try to understand what happened. We hope to show why every organization must have a solution in place that can apply security best practices, establish what constitutes normal behavior in the organization, and then find deviations from it.
According to FlexBooker’s notification to customers, “On December 23, 2021, starting at 4:05 PM EST our account on Amazon’s AWS servers was compromised” – the breach occurred just before Christmas. Many people take this time off to be with their families and loved ones. It is easy to understand that activity in an account at a time when people are most likely not working or are on vacation is a clear risk indicator.
What we have learned from the organization’s notification
- The first key takeaway is that understanding the standard working hours and days of a business organization, and detecting deviations from them, can help to detect a potential data breach.
The security notification also states, “After working further with Amazon to understand what happened, we learned a certain set of data, including personal information of some customers was accessed and downloaded.”
What we have learned from third party sources
According to Have I Been Pwned, a service that tracks data breaches and leaked data, FlexBooker’s data breach exposed 3.7 million accounts, including email addresses, names, phone numbers and, for a small number of accounts, password hashes and partial credit card data.
The attacker was clearly after “juicy” information (i.e. sensitive personal data) and most likely had to look for it. One way an attacker could have located this information is by querying the database’s system tables (its schema catalog) for columns whose names suggest sensitive content, and then reading the tables that hold them.
- The second takeaway is that understanding where your sensitive data is and who accessed this information can help to detect a potential data breach.
- The third takeaway is that following security best practices and regulations to reduce permissions to access such sensitive data can help to prevent potential data breaches.
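The second and third takeaways both start from the same question: where is the sensitive data, and who can reach it? The example below is added here and is not Imperva’s code or FlexBooker’s schema; it walks the schema catalog of a constructed SQLite database (the equivalent of the `information_schema` views on other engines) the way a defender’s data-discovery scan would, classifies columns by name pattern, and then checks a constructed grant map against an allowlist of principals that legitimately need the sensitive tables. The name patterns, the demo tables and the grants are all assumptions made for the example.

```python
import re
import sqlite3

# Heuristic column-name patterns mapped to a sensitivity category.
# These are assumptions for this example; a production data-discovery
# scan also samples values and applies regulatory tagging.
SENSITIVE_PATTERNS = {
    "email": re.compile(r"e?mail", re.I),
    "password": re.compile(r"pass(word|wd)?|pwd|secret|hash", re.I),
    "phone": re.compile(r"phone|mobile|tel", re.I),
    "payment_card": re.compile(r"card|pan\b|cc_?(num|last)|cvv", re.I),
    "name": re.compile(r"^(first|last|full)?_?name$", re.I),
}


def classify_column(column_name):
    """Return the first matching sensitivity category, or None."""
    for category, pattern in SENSITIVE_PATTERNS.items():
        if pattern.search(column_name):
            return category
    return None


def inventory_sensitive_columns(conn):
    """Walk the schema catalog and list sensitive columns per table.

    sqlite_master plus PRAGMA table_info is SQLite's catalog; other engines
    expose the same information through information_schema.columns."""
    inventory = {}
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for _cid, name, _type, _notnull, _default, _pk in conn.execute(
                f"PRAGMA table_info('{table}')"):
            category = classify_column(name)
            if category:
                inventory.setdefault(table, []).append((name, category))
    return inventory


def least_privilege_findings(inventory, grants, allowed_principals):
    """Flag principals that can read a sensitive table but are not allowlisted.

    `grants` maps principal -> set of readable tables (constructed here; a real
    check would read the engine's grant catalog)."""
    sensitive_tables = set(inventory)
    findings = []
    for principal, tables in sorted(grants.items()):
        if principal in allowed_principals:
            continue
        for table in sorted(tables & sensitive_tables):
            findings.append((principal, table))
    return findings


def build_demo_db():
    """Constructed schema imitating a generic scheduling app (not FlexBooker's)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (
            id INTEGER PRIMARY KEY, full_name TEXT, email TEXT, phone TEXT,
            password_hash TEXT, created_at TEXT);
        CREATE TABLE payments (
            id INTEGER PRIMARY KEY, customer_id INTEGER, card_last4 TEXT,
            amount REAL, paid_at TEXT);
        CREATE TABLE appointments (
            id INTEGER PRIMARY KEY, customer_id INTEGER, starts_at TEXT, notes TEXT);
    """)
    return conn


# Constructed grant map and allowlist: only the booking service should read
# the tables that hold personal data.
DEMO_GRANTS = {
    "app_scheduler": {"customers", "appointments", "payments"},
    "reporting_ro": {"customers", "appointments", "payments"},
    "marketing_ro": {"customers"},
}
DEMO_ALLOWED = {"app_scheduler"}


if __name__ == "__main__":
    db = build_demo_db()
    inv = inventory_sensitive_columns(db)
    for table, cols in inv.items():
        print(table, cols)
    for principal, table in least_privilege_findings(inv, DEMO_GRANTS, DEMO_ALLOWED):
        print(f"REVIEW: {principal} can read sensitive table {table}")
```

The output of the inventory is the starting point for the permission-reduction work the third takeaway describes: every principal that appears in the findings either gets its grant removed or gets added to the allowlist with a documented reason.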
A data source containing user names and passwords is often used by applications to authenticate users or update their information. If the attacker gained access through a phishing campaign, as often happens, the data that is usually accessed by an application is now accessed by a different user – which may be a sign of a potential attack.
- The fourth takeaway is that understanding who usually accesses the data, and detecting deviations from that, can help to detect a potential data breach.
Assuming the attacker used a phishing campaign to gain access, consider a compromised user that usually accesses, for example, 400k records in a given time period (hour/day/week). If that user is now accessing roughly 10X that number of records, as the data breach was said to have exposed 3.7 million accounts, this would be another sign of a potential attack.
- The fifth takeaway is that understanding the standard usage of users in your systems and deviations from it can help to detect potential data breaches.
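The first, fourth and fifth takeaways are all behavioral baselines: typical hours, typical principals per table, and typical volume. The example below is added here and is not Imperva’s product logic; it learns a per-principal profile from constructed database audit lines for a normal working week, then scores a second set of constructed lines for off-hours activity, unknown principals, tables a principal has never touched, and row counts several times above the principal’s median. The log format, the business-hours window, the low-staff calendar around Christmas and the 5X volume factor are all assumptions for the example; the 400k-per-period baseline and the 3.7 million figure come from the text above.

```python
import re
import statistics
from datetime import date, datetime, time

# Assumed audit-line format: "<ISO timestamp> user=<principal> table=<table> rows=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$")

WORK_START, WORK_END = time(8), time(18)          # assumed business hours
LOW_STAFF_DAYS = {date(2021, 12, d) for d in range(23, 27)}  # assumed holiday closure
VOLUME_FACTOR = 5                                 # rows above 5x median is a spike


def parse(line):
    """Parse one audit line into a dict; raises ValueError on malformed input."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised audit line: {line!r}")
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "table": m["table"], "rows": int(m["rows"])}


def build_baseline(events):
    """Learn, per principal, the tables it reads and its median row count."""
    baseline = {}
    for e in events:
        profile = baseline.setdefault(e["user"], {"tables": set(), "rows": []})
        profile["tables"].add(e["table"])
        profile["rows"].append(e["rows"])
    for profile in baseline.values():
        profile["typical_rows"] = statistics.median(profile["rows"])
    return baseline


def score_event(e, baseline):
    """Return the list of rules the event violates (empty list = normal)."""
    alerts = []
    local = e["ts"]  # offset-aware, so .time()/.date() are in the log's local time
    if (local.weekday() >= 5 or local.date() in LOW_STAFF_DAYS
            or not (WORK_START <= local.time() < WORK_END)):
        alerts.append("off_hours")
    profile = baseline.get(e["user"])
    if profile is None:
        alerts.append("unknown_principal")   # nothing to compare against
        return alerts
    if e["table"] not in profile["tables"]:
        alerts.append("unusual_table")
    if e["rows"] > VOLUME_FACTOR * profile["typical_rows"]:
        alerts.append("volume_spike")
    return alerts


def detect(baseline_lines, candidate_lines):
    """Build the baseline from one set of lines and score another set."""
    baseline = build_baseline([parse(line) for line in baseline_lines])
    return {line: score_event(parse(line), baseline) for line in candidate_lines}


# Constructed training data: one normal working week (Mon 6 Dec - Fri 10 Dec 2021).
BASELINE_LOG = [
    f"2021-12-{day:02d}T{hour:02d}:00:00-05:00 user=svc_booking_app table=customers rows={rows}"
    for day in range(6, 11) for hour, rows in ((10, 400000), (14, 390000))
] + [
    f"2021-12-{day:02d}T09:00:00-05:00 user=reporting_ro table=appointments rows=5000"
    for day in range(6, 11)
]

# Constructed events to score; the first two mirror the "~10X the usual records" scenario.
CANDIDATE_LOG = [
    "2021-12-23T16:05:00-05:00 user=svc_booking_app table=customers rows=3700000",
    "2021-12-23T16:20:00-05:00 user=reporting_ro table=customers rows=3700000",
    "2021-12-24T02:10:00-05:00 user=jdoe_admin table=customers rows=120",
    "2021-12-21T10:00:00-05:00 user=svc_booking_app table=customers rows=410000",
]

if __name__ == "__main__":
    for line, alerts in detect(BASELINE_LOG, CANDIDATE_LOG).items():
        print(("ALERT " + ",".join(alerts)) if alerts else "ok   ", line)
```

Note that the 4:05 PM read on December 23 falls inside normal business hours; it is only flagged as off-hours because the example's calendar marks the holiday closure, which is the point the first takeaway makes: the baseline has to know when the organization is actually working, not just the clock.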
Although not all data breaches are the same, this data breach presents an opportunity to emphasize why organizations need to monitor access to their databases and should have a solution in place that is able to apply security best practices. This should include detection of sensitive data, permission reduction and learning regular behavior including typical working hours, typical type of data, and typical usage of data.
The value in analyzing communication about this breach is that it enables us to see what could happen when an organization’s breach detection posture cannot perform its most fundamental tasks, in a real-world situation. It doesn’t matter how comprehensive your orchestrated breach mitigation response solution is if you don’t have the foundation in place to recognize policy-violating behavior.
Ask yourself what would happen within your organization if an attacker used a phishing campaign, like the one described above, to gain access to your sensitive data. Can your breach detection capabilities quickly, and with confidence, identify policy-violating behavior in its tracks while still enabling business as usual?
Imperva data security solutions can help you prevent and detect potential data breaches. For more information please visit https://www.imperva.com/
*** This is a Security Bloggers Network syndicated blog from Blog authored by Nadav Avital. Read the original post at: https://www.imperva.com/blog/five-takeaways-from-flexbookers-data-breach/