[BreachExchange] What CISOs Can Learn From Big Breaches: Focus on the Root Causes

Destry Winant destry at riskbasedsecurity.com
Wed Mar 24 10:49:59 EDT 2021


https://www.darkreading.com/vulnerabilities---threats/what-cisos-can-learn-from-big-breaches-focus-on-the-root-causes/a/d-id/1340366?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Address these six technical root causes of breaches in order to keep your
company safer.

There have been dozens of mega-breaches in the past decade and over 9,000
reported breaches. Unsurprisingly, many breaches are unreported, as shown
by credential dumps available on the Dark Web of which a breached
organization may be completely unaware. What's going wrong? Why haven't we
been able to stop these breaches?

In past years, we've seen a plethora of security compliance standards rise
— PCI, ISO 2700x, NIST 800-53, HIPAA, and others — which require hundreds
of checkboxes to be addressed. However, most breached organizations have
been compliant at the time the breach occurred. While compliance brings
many advantages for helping organizations get more secure, it isn't
sufficient to prevent most breaches.

The primary reason these incidents take place so often is that, as an
industry, we haven't been focusing on the root causes of breaches. From my
analysis of mega-breaches and thousands of other reported breaches, there
are six "technical" root causes that must be addressed, which are:

Phishing/Account Takeover
Phishing was used in many mega-breaches, including those at Yahoo
(disclosed in 2016) and Anthem (disclosed in 2015). Even as recently as
last year, Verizon reported in its "Data Breach Investigations Report" that
phishing was still responsible for 25% of breaches.

Malware
Malware was a key tool used by the attackers in the Marriott breach,
disclosed in 2018. The Marriott breach occurred because of its acquisition
of Starwood Hotels, where malware was used to compromise its environment
four years before the acquisition and had gone undetected for that time
period.

Software Vulnerabilities
First-party and third-party software vulnerabilities were responsible,
respectively, for the 2018 Facebook "View Profile As…" breach and the
2017 Equifax breach. In the Facebook breach, a sophisticated chain of three
vulnerabilities came together to allow attackers to compromise tens of
millions of access tokens for Facebook accounts. In the Equifax breach, an
unpatched Apache Struts server was exploited to let attackers execute
code of their choice on the vulnerable server, which gave them their
initial foothold. Although the Apache Struts vulnerability was widely
publicized, a SQL injection was also leveraged within the environment to
exfiltrate sensitive data from one of Equifax's databases.

Third-Party Compromise or Abuse
Third-party compromise was also a root cause in many hacks and breaches,
including the recent SolarWinds hack disclosed in December 2020 in which
SolarWinds was leveraged as a third party to target many of its customers,
including nine government agencies and approximately 100 private sector
companies. However, third-party compromise is far from new and was a root
cause of the Target and JPMorgan Chase breaches in 2013 and 2014,
respectively, in which a heating and air conditioning company and a website
management company allowed the initial infiltration in the networks.

Unencrypted Data
Unencrypted data has been a root cause in thousands of breaches in which
unencrypted portable devices are lost or stolen, or physical loss of
unencrypted media has taken place. When a consumer's name and a sensitive
identifier about that consumer is lost or stolen and that data is
unencrypted, breach notification laws are triggered and reporting to a
state attorney general occurs.

Inadvertent Employee Mistakes
Finally, inadvertent employee mistakes (aside from responding to phishing
emails, which is prevalent enough that it deserves its own category) are
also a root cause of many breaches.

How can one address the root causes of breaches? Although a full answer to
that question is well beyond the scope of this article, there are some
gold-standard defenses that can be employed.

A good first step is leveraging hardware security keys (such as YubiKeys),
which are effective in eliminating phishing and account takeover. After
Google deployed hardware security keys in 2017, it has experienced no
successful phishing attacks to date even though the company is regularly
targeted by nation-states. Anti-malware defenses that heavily deploy
artificial intelligence have been extremely effective at detecting
previously unknown ("zero-day") malware.

Putting a vulnerability management process in place that uses multiple
scanners, automated ticketing that prioritizes vulnerabilities that are
actively exploited in the wild, and technical verification via rescan when
staff claims that vulnerabilities have been fixed will solidly protect an
organization against known software vulnerabilities. Aegis is an example of
a novel open source framework that supports a robust vulnerability
management approach. Using observability tools can identify previously
unknown vulnerabilities in new code, leveraging a modern development model
in which security testing does not happen only at certain development
stages, but new code is continuously monitored as it is getting developed,
up through its launch into production.
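As an added example (not code from the article, from Aegis, or from any scanner it names), here is a minimal version of that workflow in Python: findings from two scanners are merged so that neither scanner's blind spots are trusted alone, tickets are prioritised by membership in an exploited-in-the-wild list, and a ticket is closed only when a rescan confirms the fix. Scanner names, host names, CVE identifiers and the exploited-in-the-wild set are all constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed sample findings from two scanners as (host, cve_id) pairs.
# The CVE identifiers are placeholders, not real vulnerabilities.
SCANNER_A = [("web-01", "CVE-0000-0001"), ("web-01", "CVE-0000-0002"),
             ("db-02", "CVE-0000-0003")]
SCANNER_B = [("web-01", "CVE-0000-0001"), ("db-02", "CVE-0000-0004")]
# Constructed stand-in for an "actively exploited in the wild" feed.
EXPLOITED_IN_WILD = {"CVE-0000-0001", "CVE-0000-0003"}


@dataclass
class Ticket:
    host: str
    cve: str
    priority: str                      # "P1" if exploited in the wild, else "P2"
    sources: set = field(default_factory=set)
    status: str = "open"               # open -> claimed_fixed -> verified | reopened


def merge_findings(*scanner_results):
    """Union findings across scanners, remembering which scanner saw each one."""
    merged = {}
    for name, results in scanner_results:
        for host, cve in results:
            merged.setdefault((host, cve), set()).add(name)
    return merged


def open_tickets(merged, exploited):
    """One ticket per (host, cve); exploited-in-the-wild issues sort first."""
    tickets = [Ticket(h, c, "P1" if c in exploited else "P2", srcs)
               for (h, c), srcs in merged.items()]
    return sorted(tickets, key=lambda t: (t.priority, t.host, t.cve))


def verify_by_rescan(ticket, rescan_findings):
    """Staff claims are not trusted: close only if the rescan no longer reports it."""
    still_present = (ticket.host, ticket.cve) in rescan_findings
    ticket.status = "reopened" if still_present else "verified"
    return ticket.status


def run_demo():
    merged = merge_findings(("scanner_a", SCANNER_A), ("scanner_b", SCANNER_B))
    tickets = open_tickets(merged, EXPLOITED_IN_WILD)
    for t in tickets:
        t.status = "claimed_fixed"     # staff report every ticket as fixed
    # Constructed rescan: db-02 still reports CVE-0000-0003; the rest are gone.
    rescan = {("db-02", "CVE-0000-0003")}
    return {(t.host, t.cve): verify_by_rescan(t, rescan) for t in tickets}
```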

It has been said that "complexity is the enemy of security." Compliance
standards are complex and have hundreds of checkboxes to satisfy, but they
aren't helping to prevent mega-breaches. If we are to succeed, we need to
simplify: focus on the six technical root causes of breaches and deploy
scientifically effective countermeasures aimed at those six specific
causes.