If you are like many people, you have made a few New Year’s Resolutions. Some of us plan to be healthy, quit bad habits, or try to change our bad behaviors. For cybersecurity professionals and executives, we should learn from our mistakes in 2017 and make our professional resolutions, too. Here are a few of the basic resolutions we should all adhere too:
- Managing and monitoring privileged accounts
- Securing privileged access in the cloud and for our partners
- Applying security patches or mitigation strategies in a timelier manner
As we look back at the major incidents and breaches in 2017, we have plenty to learn but these three recommendations would make the best New Year’s Resolutions for everyone. Here is why (ranked in order of importance):
#1 WannaCry (Petya, NotPetya, and other Ransomware) – May 12, 2017
WannaCry is a ransomware payload that was grafted onto a vulnerability discovered by the NSA and leaked by Shadow Brokers. It is widely believed that the malware was created by the North Koreans and was unintentionally leaked into the wild as an unfinished piece of work. It was patched by Microsoft in March under advisory MS17-010 a few months before the ransomware was actually released. The threat actors ultimately leveraged the vulnerabilities (nicknamed EternalBlue and DoublePulsar), refined an exploit into reliable malware, and grafted WannaCry (real name WanaCrypt0r) as the payload. The results created the first wormable ring 0 exploit seen in the wild in years and was responsible for millions of dollars in damage in lost business from everything from hospitals to transportation and shipping companies.
Lessons Learned:
- Patch and remediate systems in a timely fashion
- If they are end of life, have mitigation strategies including segmentation
#2 Equifax – September 7, 2017
Equifax is one of the largest credit agencies in the United States. It suffered a data breach that affected 143 million consumers, and is considered by many to be one of the worst data breaches ever! The Personally Identifiable Information (PII) stolen included Social Security numbers, driver’s license numbers, full names, addresses, dates of birth, and complete credit card numbers. Hackers were able to gain access to the company’s system from mid-May to July by exploiting a vulnerability in their website that was identified but not patched.
Lesson Learned:
- The Vulnerability Management lifecycles require a closed loop process including patch management that involves teams, not a single person.
- PII was able to be reassembled during the breach including credit card information. This violates numerous security best practices including regulatory compliance requirements like PCI DSS.
#3 Uber – November 21, 2017
As fast as Uber has become the staple for ride sharing among millions of users worldwide, Uber riders and drivers became aware in one data breach that their personal information was compromised. In total, 57 million of them. What makes this incident as astonishing as the service itself, is that the company chose to pay the hackers $100,000 to keep the incident a secret, instead of proper public and legal disclosure. The threat actors did not gain access to Uber’s internal resources but targeted the cloud; in this case GitHub. Uber engineers used this service to collaborate on software projects. The threat actors downloaded the data stored from GitHub, which included PII such as names, email addresses, and phone numbers of Uber users and drivers worldwide! How the threat actors got into GitHub? Weak authentication practices. This represents everything a business could do wrong from trying to hide a breach to poor security practices. As an Uber user, I know my data is out there – just like the X-files.
Lessons Learned:
- Privileged access internally and in the cloud must be secured
- Third party resources should be secured with similar policies and procedures to internal resources
So, what should we expect for 2018? If the first few days of January are any indication, much more of the same and a few extreme wild cards. Consider the flaws deep inside Intel CPUs and the allocation of memory between kernel and user modes. The CPU’s themselves cannot be fixed, only replaced, and compensating controls in hypervisors and operating systems will be the only remediation strategies available at a cost of 5% to 30% performance impact. This implies the vulnerabilities and exploits might become exceptionally more technical in 2018 and a higher risk if working exploits make it into the wild. Of course, threat actors always look for the lowest hanging fruit and this why security basics, excessive privileges, and basic security controls must be rock solid even before worrying about these advanced threats.
If you consider these basic lessons and New Year’s Resolutions, find solutions that can actually work for you. BeyondTrust has privileged access management products that can help you with privilege and enterprise password management initiatives. Retina CS can help you identify vulnerabilities, implement a robust vulnerability management lifecycle, and even patch Windows assets. Your New Year’s Resolutions should be more than just goals; with BeyondTrust you can actually make them happen. Contact us today to schedule a strategy session.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.