Verizon Data Breach Digest

Mitigating the risks of privileged insiders and third parties

This is the second in our series of blogs summarizing lessons learned from analysis performed in the Verizon Data Breach Digest (DBD). The last blog in this series discussed how using least privilege and application control can help combat social engineering. Today’s blog addresses the risks of privileged users – insider or partners. Make sure to read the entire Verizon DBD – it’s an excellent source of trend and forensic data related to breaches.

Insider threat - the Rotten Apple (pages 22-25 in the DBD)

What Happened

A company was going through a buyout and using retention contracts to prevent employees from leaving. Tips led them to believe someone was accessing the CEO's email account. It turned out they were logging all of the CEO's email on a SPAM filter. An IT admin permitted another user to log on with his credentials to the SPAM filter. Privileged credentials were also used to access file shares.

Recommendations & Lessons Learned
  • Company revisited policy on logging emails
  • Storage of credentials in a password and session management system would have required a checkout request for the SPAM filter’s credentials and recorded access through a managed session.

Partner misuse – the Busted Chain (pages 26-29)

What Happened

An unusual pattern of payment card fraud was detected for a customer that runs gas stations. The pattern started at a single gas station but spread to more stations within a month's time. Several more locations matched the fraud patterns analyzed during the investigation. Traps were set up to alert if certain conditions were met, and shortly afterwards an alert was triggered. What was discovered was that the vendor contracted for IT and POS support was connecting to the payment processing server. Once connected they:
  • verified no one else was connected
  • pushed the system clock forward two years
  • modified a configuration file to enable verbose debugging on the payment application
  • created an output file to capture text copies of authorization requests
  • terminated the session with the clock being changed back to correct date and time
The remote sessions were confirmed to have come from the vendor's support center, so the focus of the research was on that location. It was identified that a single person on the vendor's help desk team was the threat actor.

Recommendations & Lessons Learned
  • Vendors must ensure their partners have implemented and are enforcing security practices
  • Vendor used shared logins
  • Two-factor authentication was not used for remote access to POS systems
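The sequence of actions above leaves a recognizable trail in the payment server's own audit log. As an added example (not from the DBD or from BeyondTrust), the Python below runs over a constructed audit log and flags a system clock jump of more than an hour between consecutive entries, a configuration change that raises the payment application's debug level, and the two occurring within one remote session; the field names and the debug_level key are assumptions.

```python
"""Flag the clock-tamper plus verbose-debug pattern in a payment server audit log."""
from datetime import datetime, timedelta

# Constructed sample audit log (not real DBD data): one remote vendor session under a shared account.
SAMPLE_LOG = """\
2016-03-01T02:10:05 sid=svc-4471 user=possupport event=SESSION_START src=vendor-helpdesk
2016-03-01T02:10:21 sid=svc-4471 user=possupport event=CMD cmd=who
2018-03-01T02:11:02 sid=svc-4471 user=possupport event=CLOCK_SET
2018-03-01T02:11:40 sid=svc-4471 user=possupport event=CONFIG_CHANGE file=payapp.conf key=debug_level old=0 new=3
2018-03-01T02:12:15 sid=svc-4471 user=possupport event=FILE_CREATE path=/var/payapp/log/auth_trace.txt
2016-03-01T02:13:02 sid=svc-4471 user=possupport event=CLOCK_SET
2016-03-01T02:13:10 sid=svc-4471 user=possupport event=SESSION_END
"""

MAX_SKEW = timedelta(hours=1)            # anything larger than routine NTP drift
DEBUG_KEYS = {"debug_level", "verbose"}  # assumed config keys of the payment app

def parse_line(line):
    """Split 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def detect(log_text):
    """Return (session, kind, detail) alerts; kinds are clock_jump,
    debug_enabled and CRITICAL (both seen in the same session)."""
    alerts, seen, prev_ts = [], {}, None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        sid = rec.get("sid", "?")
        flags = seen.setdefault(sid, set())
        # Log time should only move forward in small steps; a large jump in
        # either direction means the system clock was changed.
        if prev_ts is not None and abs(rec["ts"] - prev_ts) > MAX_SKEW:
            alerts.append((sid, "clock_jump", f"{prev_ts} -> {rec['ts']}"))
            flags.add("clock_jump")
        prev_ts = rec["ts"]
        if (rec.get("event") == "CONFIG_CHANGE" and rec.get("key") in DEBUG_KEYS
                and rec.get("new", "0") != "0"):
            alerts.append((sid, "debug_enabled", f"{rec['file']}:{rec['key']}={rec['new']}"))
            flags.add("debug_enabled")
        if rec.get("event") == "SESSION_END" and {"clock_jump", "debug_enabled"} <= flags:
            alerts.append((sid, "CRITICAL", "clock tamper and verbose debug in one session"))
    return alerts
```

Because the vendor used a shared login, the alert can only name the account, not the person behind it; attributing the session to an individual needs the managed session recording described in the recommendations.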

USB Infection – the Porta Bella (pages 31-34 in the DBD)

What Happened

After returning from a conference, a film industry executive received an envelope that looked like it was from a production company. The envelope contained correspondence on company letterhead and a branded USB flash drive. The letter requested that the executive review the press kit contained on the drive. The executive inserted the USB flash drive into his laptop system and opened an executable file. Upon execution, the executable file did two things: it played a trailer for an upcoming movie from the production company, and it silently installed malware on the system with the aim of stealing an unreleased movie.

Recommendations & Lessons Learned
  • Expand access to security intelligence and connect that intelligence with other sources
  • Ensure that endpoint security solutions are installed and running with the latest definitions
  • Limit user’s credentials on all corporate-owned assets

How BeyondTrust could help mitigate the effects of insider threats and partner misuse

In cases like Rotten Apple and Busted Chain, a shared logon is not a huge issue provided you protect the account inside a privileged password and session management solution like PowerBroker Password Safe. This provides accountability as to who is using the shared account and when. For partners and other third parties, proxy the connection to those systems, providing accountability around usage of the shared account. To address the least privilege issue in Porta Bella, PowerBroker for Windows would remove administrative rights from end user accounts, using policy to dictate which applications can run with higher privileges. Operating under a least privilege model with application control, and integrating threat intelligence from multiple sources, would provide a clearer picture of risk.

Watch for more blogs coming in this series in the next few days. In the meantime, if you're combatting privilege misuse, contact us today!