2015 #InfoSec in review. We get a big fat “F”

We are stewards of our customers data and need to do better. <OPINION> I would give us a big fat “F” for data security in 2015.</OPINION> What happened and what needs to be improved? We saw weak passwords, lack of encryption, malware and social engineering over and over again. One very sad aspect of these attacks is once the system was compromised, the attack went on for months, even years prior to the attack being uncovered. So again we really need to do better, reading the logs, doing analytics on system behavior and locking down the data.

High level the attack vectors have not changed much over the years. Malware payloads are still being delivered by drive by downloads and infected emails. Businesses and medical groups are still leaving sensitive data unencrypted, trusted insiders can still get to sensitive information. We are also seeing encrypted connections being made to unknown servers and allowing that traffic to go through our firewalls.

I’m going to do my best to keep my opinion clear by using the <OPINION> </OPINION> tags so you know what my personal opinion is. I’m also not going to go through every attack that happened in 2015. In here I will also let you know what I think should / could have been done to mitigate the attacks.

1) IRS Data breach

In IRS’s effort to make things easy for users to access their data they exposed very sensitive tax and financial data to hackers. Over 100,000 people were compromised with this system and $50,000,000 is false tax refunds have been stolen from the US Government.

When we design systems, one of the top requirements we have are user experience. If we make it to hard to access the systems they will not be used, make it to easy and the data can be compromised. We need to weigh the value of the data with user experience. The users expect their information to be respected and protected.

2) OPM data breach

The OPM hack impacted me personally along with my wife. The impact was over 22 million people had full background and biometric information leaked to a foreign intelligence agency. I watched the congressional hearings and was very disappointed by the <OPINION>incompetence of the people </OPINION> testifying. The Director of OPM resigned but <OPINION> the CIO of OPM should have been walked out the door. </OPINION> it was her job to make sure this information was secure. I still don’t know why this information was not stored on the classified network as it should have been. <OPINION> As an added insult, the government is offering two years of credit monitoring. As if a foreign intelligence agency is really interested in taking out credit cards in our names. The big threat is we are now at risk for blackmail. </OPINION>

The OPM breach was malware that was making encrypted connections to unknown servers. This is a case where black listing IP’s would not work, but white listing connections would work. Sensitive data should only be transmitted over trusted paths and <OPINION> if encrypted connections are being made, then those connections should be treated as sensitive. </OPINION>

3) UCLA Medical

UCLA Medical lost 4.5 million records of unencrypted patient data including PII and medical information. There is no excuse to not encrypt sensitive data. I still hear the old excuse of there is a performance impact of encryption. With the availability of hardware encryption modules, this argument does not hold water.

After encrypting data, we still have to be careful about ghost data and data leakage. A DBA can still run database pump and get an unencrypted copy of the data then copy that data to another location. We do this all the time to refresh an environment. Controls need to be placed on data pump copies so any information that is exported from the database will stay encrypted and the location of those copies are known. When moving data from unencrypted to encrypted, all ghost data must be shredded.

4) Ashley Madison

This one did not really interest me very much other then the disrespect Ashley Madison showed their customer base. This hack ruined some reputations and exposed a large number of people to blackmail. Yes credit card numbers were encrypted, but geolocation and email addresses was not encrypted. <OPINION> The large number of people who used their work and government email addresses was shocking. These people who are so blind to opsec deserve to be caught. </OPINION>

5) Hyatt

Just recently we learned about the Hyatt payment processing data breach. Not much is known at this time other then malware sent encrypted data to an unknown server. This is yet another case of needing to have a trusted path for sensitive data by using white list and denying access to any unknown IP address.

6) Trump Hotels

Trump Hotels, in a year long campaign, credit card and security code information was stolen from customers of Trump properties. I’m going to keep beating this drum, you need a trusted path from point of sales to the processing database, so <OPINION> implement white lists and deny any encrypted traffic to unknown ip’s.</OPINION>

7) T-Mobile and Experian

T- Mobile placed their trust in Experian and suffered a massive breach of 15 million customers full name, social security number and date of birth and some passport numbers. In this case no payment card data was compromised. Yet this is still enough information for identity theft. Not a lot of information has been provided on the attack vector used.

In December 2013 T-Mobile suffered another data breach with vendor Decisioning Solutions that is owned by Experian. In both of these cases, T-Mobile is offering credit monitoring through ProtectMyID that is owned by Experian. <OPINION> Why does T-Mobile continue doing business with Experian? </OPINION>

This is not an exhaustive list of breaches for 2015.

8) VTECH

VTECH the toy manufacturer exposed data on 4.8 million customers due to password insecurity.

9) Securus

Securus lost 70 million call logs and recorded conversations of people in prison. These recordings also included attorney client privileged conversations.

10) FBI

The FBI LEO Portal was hacked, the attack vector and damage is still classified.

11) Scott Trade

Scott Trade lost data on 4.6 million customers under a two year campaign. Krebs on Security reported that the data was used for stock scams.

12) Excellus Blue Cross Blue Shield.

Excellus Blue Cross Blue Shield lost data on 10 million customers. The attack started in 2013 and was not discovered until 2015.

13) Anthem

Anthem lost data on 78.8 million customers. I have read the count was actually 80 million customers and 19 million rejected customers.

14) Anonymous vs ISIS.

I only add this because of the interest in ISIS. After the Paris attacks Anonymous started OpParis that is turning into a interesting game of wack a mole. Anonymous is using brute force to shut down ISIS controlled accounts and servers. The results are debatable, <OPINION> it would be better to allow some of the systems to stay online to gather intelligence on ISIS. By shutting them down you are forcing them onto the dark web where it’s harder to gather intelligence.</OPINION>

<OPINION> Sadly, many times after a breach the offending company offers one year or two years of credit monitoring. The customer will be exposed for the rest of their life. Two yours of credit monitoring is wholly inadequate./OPINION>

What do we need to do.

  1. Secure the data. Encrypt data at rest so if the data is compromised then it will be useless to the criminal.
  2. Encrypt the data on the network when there is sensitive data going through it. Man in the middle attacks happen.
  3. Build trusted paths for sensitive information. All sensitive information must go through that path.  If an encrypted session is being built to an unknown server, deny that connection.
  4. Secure the parameter. We are letting encrypted traffic go to unknown servers. This has to stop by using white list. If a workstation or node can process sensitive data, then that workstation or node should not be able to access unknown servers.
  5. Secure programming practices. I still see first hand sloppy programming that is vulnerable to sql injection. Organizations must impalement secure coding practices with code reviews that also include looking to vulnerability. A couple months ago, I came across a piece of code that was vulnerable to sql injection, when I brought it up to program management I was told, going back to fix the problem would put the program behind schedule, move forward and we will fix it after going production. <OPINION> This is the wrong attitude. </OPINION>If the program had standards in place before coding started, then the problem would not have gotten as far as it did.
  6. Secure the data from trusted insiders. I wont get into the political issues of Bradly Manning or Edward Snowden. Both of them were vetted and had access to sensitive information, they broke their trust and stole information that did incalculable damage.
  7. Routinely review audit logs to look for unusual behavior. I’m still seeing audit logs get ignored until there is a problem. Products like Oracle Audit Vault, brings all of your audit into one package where you can create BI dashboards to find out when something is happening that is outside of the norm.
This entry was posted in Database Stuff, infosec and tagged , . Bookmark the permalink.

Leave a Reply