What Lessons Can We Learn from the Verizon Data Breach Digest? Part 2

Mar 28, 2016
Author:
Rod Simmons
Director Product Management, BeyondTrust

Verizon Data Breach Digest

Mitigating the risks of privileged insiders and third parties

This is the second in our series of blogs summarizing lessons learned from the analysis in the Verizon Data Breach Digest (DBD). The last blog in this series discussed how least privilege and application control can help combat social engineering. Today's blog addresses the risks posed by privileged users, whether insiders or partners. Make sure to read the entire Verizon DBD; it is an excellent source of trend and forensic data related to breaches.

Insider threat - the Rotten Apple (pages 22-25 in the DBD)

What Happened

A company was going through a buyout and using retention contracts to keep employees from leaving. Tips led the company to believe that someone was accessing the CEO's email account. It turned out that the company's spam filter was logging all of the CEO's email, and that an IT admin had let another user log on to the spam filter with his credentials. Privileged credentials were also used to access file shares.

Recommendations & Lessons Learned
  • The company revisited its policy on logging email.
  • Storing the spam filter's credentials in a password and session management system would have required a checkout request for those credentials and recorded the access as a managed session, so each use could be attributed to a named person.

Partner misuse – the Busted Chain (pages 26-29)

What Happened

An unusual pattern of payment card fraud was detected at a customer that runs gas stations. The pattern started at a single station but spread to more stations within a month, and several more locations matched the fraud patterns analyzed during the investigation. Traps were set up to alert when certain conditions were met, and shortly afterward an alert was triggered. The investigation found that the vendor contracted for IT and POS support was connecting to the payment processing server. Once connected, the actor:
  • verified that no one else was connected
  • pushed the system clock forward two years
  • modified a configuration file to enable verbose debugging on the payment application
  • created an output file to capture text copies of authorization requests
  • changed the clock back to the correct date and time and terminated the session
The remote sessions were confirmed to have come from the vendor's support center, so the investigation focused on that location. A single person on the vendor's help desk team was identified as the threat actor.

Recommendations & Lessons Learned
  • Companies must ensure that their vendors and partners have implemented, and are enforcing, sound security practices
  • The vendor used shared logins, so actions on the payment server could not be attributed to an individual
  • Two-factor authentication was not used for remote access to POS systems
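Each of the five steps above leaves a trace in the session and host logs, and together they form a pattern worth hunting for. The script below is an added example, not code from the Verizon DBD or from BeyondTrust: over a constructed session log it flags large clock jumps, file writes made while the clock is skewed, log timestamps that run backwards when the clock is restored, and a shared account arriving from more than one source address. The log format, event names, paths, addresses, user name and the one-day skew threshold are all assumptions made for the illustration.

```python
"""Hunt for the Busted Chain tampering sequence in a remote-session log.
Added example; log format, names, paths and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one event per line, "<timestamp> <event> key=value ...".
# Session 1 reproduces the five steps from the write-up; session 2 is a
# routine support session using the same shared login from another address.
SAMPLE_LOG = """\
2016-02-03T02:14:07Z session_start sid=1 user=vendor_support src=203.0.113.45
2016-02-03T02:14:20Z time_change sid=1 old=2016-02-03T02:14:20Z new=2018-02-03T02:14:20Z
2018-02-03T02:14:35Z file_modify sid=1 path=/opt/payapp/conf/app.cfg
2018-02-03T02:14:50Z file_create sid=1 path=/var/tmp/auth_dump.txt
2018-02-03T02:20:02Z time_change sid=1 old=2018-02-03T02:20:02Z new=2016-02-03T02:20:02Z
2016-02-03T02:20:10Z session_end sid=1
2016-02-03T09:00:00Z session_start sid=2 user=vendor_support src=198.51.100.7
2016-02-03T09:05:00Z file_modify sid=2 path=/opt/payapp/conf/app.cfg
2016-02-03T09:10:00Z session_end sid=2
"""

# Assumption: legitimate NTP corrections are seconds; a jump this large is tampering.
SKEW_THRESHOLD = timedelta(days=1)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text):
    """Parse the constructed format into a list of event dicts, in log order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *fields = line.split()
        event = {"ts": parse_ts(ts), "event": kind}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def analyze_sessions(events):
    """Return {sid: [flag, ...]}. Events are walked in log order, not timestamp
    order, because the timestamps are exactly what the attacker corrupted."""
    by_sid = defaultdict(list)
    for event in events:
        by_sid[event["sid"]].append(event)

    findings = {}
    for sid, session in by_sid.items():
        flags = []
        skewed = False  # inside a window where the clock has been pushed forward
        last_ts = None
        for event in session:
            # A host's own log should never run backwards in time.
            if last_ts is not None and event["ts"] < last_ts:
                flags.append("non_monotonic_timestamp")
            last_ts = event["ts"]

            if event["event"] == "time_change":
                delta = parse_ts(event["new"]) - parse_ts(event["old"])
                if abs(delta) >= SKEW_THRESHOLD:
                    if delta > timedelta(0):
                        flags.append("clock_pushed_forward")
                        skewed = True
                    else:
                        flags.append("clock_restored")
                        skewed = False
            elif event["event"] in ("file_modify", "file_create") and skewed:
                # Writes made under a skewed clock carry bogus mtimes and fall
                # outside any timeline built from timestamps alone.
                flags.append(f"{event['event']}_during_skew:{event['path']}")
        findings[sid] = flags
    return findings


def high_risk_sessions(findings):
    """Sessions that pushed the clock and wrote to disk while it was skewed."""
    return sorted(
        sid for sid, flags in findings.items()
        if "clock_pushed_forward" in flags
        and any("_during_skew:" in flag for flag in flags)
    )


def shared_account_sources(events):
    """Accounts whose sessions arrive from more than one source address: with a
    shared vendor login this may be the only hint that several people use it."""
    sources = defaultdict(set)
    for event in events:
        if event["event"] == "session_start":
            sources[event["user"]].add(event["src"])
    return {user: sorted(srcs) for user, srcs in sources.items() if len(srcs) > 1}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    findings = analyze_sessions(events)
    for sid, flags in findings.items():
        print(f"session {sid}: {flags or 'clean'}")
    print("high risk:", high_risk_sessions(findings))
    print("shared logins:", shared_account_sources(events))
```

In a real estate the input would be the remote-access gateway's session records joined with the payment server's audit events (time changes and file writes). The one-day threshold assumes the host's NTP corrections are measured in seconds, so tune it to the environment; and because the clock is the thing being tampered with, the analysis deliberately orders events by their position in the log rather than by timestamp.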

USB Infection – the Porta Bella (pages 31-34 in the DBD)

What Happened

After returning from a conference, a film industry executive received an envelope that looked like it came from a production company. The envelope contained correspondence on company letterhead and a branded USB flash drive, and the letter asked the executive to review the press kit on the drive. The executive inserted the USB flash drive into his laptop and opened an executable file. On execution, the file did two things: it played a trailer for an upcoming movie from the production company, and it silently installed malware on the system with the aim of stealing an unreleased movie.

Recommendations & Lessons Learned
  • Expand access to security intelligence and connect that intelligence with other sources
  • Ensure that endpoint security solutions are installed and running with the latest definitions
  • Limit users' privileges and credentials on all corporate-owned assets

How BeyondTrust could help mitigate the effects of insider threats and partner misuse

In cases like Rotten Apple and Busted Chain, a shared logon is not a huge issue provided you protect the account inside a privileged password and session management solution like PowerBroker Password Safe. This provides accountability for who is using the shared account and when. That accountability only holds if the vault is the sole path to the credential: once a password is handed over out of band, as the admin did in Rotten Apple, the checkout record names the wrong person. For partners and other third parties, proxy the connection to target systems through the same solution so that every use of the shared account is recorded and attributable. To address the least privilege issue in Porta Bella, PowerBroker for Windows would remove administrative rights from end user accounts and use policy to dictate which applications may run with higher privileges. Operating under a least privilege model with application control, and integrating threat intelligence from multiple sources, would provide a clearer picture of risk. Watch for more blogs in this series over the next few days. In the meantime, if you're combatting privilege misuse, contact us today!