A business owner wouldn’t assume a warehouse filled with cutting-edge prototypes or expensive products was safe just because they locked the door — they’d install an alarm protected by a managed security services partner, or hire guards to watch it.
But when it comes to IT security, many businesses are leaving their most valuable resources undefended. They’ll install some security tools (perhaps hire an outside auditor) and assume they’re safe. But just as locks can’t keep out a skilled thief, intrusion detection systems and firewalls won’t stop a determined hacker. Around-the-clock security and compliance monitoring is the only way to keep your IT resources safe. Don’t believe us? Here are 8 disasters a proper security and compliance monitoring team could have prevented:
1. The 2013 Target Breach: In spite of how they’re portrayed in the media, most hackers aren’t misguided geniuses looking for a challenge; they’re thieves looking for an easy way to steal valuable information. The Target 2013 breach exploited one of the most obvious vulnerabilities commercial vendors face: the point of sale system. Just before Black Friday, hackers installed malware on Target’s POS system, which would capture credit card info and personal data with every customer purchase.
The results were disastrous. For more than two weeks, hackers were able to take advantage of the holiday shopping binge, stealing 40 million credit and debit card numbers, and the names, addresses, phone numbers and email addresses of 70 million customers.
Fourth quarter profits dropped 46 percent during the most profitable part of the year, costing the CEO and other executives their jobs. And that doesn’t even count the estimated $100 million Target was forced to spend upgrading its system, or the $200 million it cost credit unions and banks to upgrade their systems in the following months.
The hack dramatically illustrates the difference between compliance and security. Although Target had passed its PCI compliance audits, a Verizon team brought in to do a post-mortem was easily able to compromise Target’s security. There was a lack of access control, allowing the investigators to do things like access cash registers in one store from a deli meat scale in a different store.
The password policy was not being followed; network credentials were stored on a server where Verizon’s team could access them, and other parts of the system were compromised by weak or default passwords, or unpatched security vulnerabilities. Perhaps most alarmingly, when the attack was discovered by the FireEye technicians monitoring Target’s network, Target failed to respond.
The problem is, detection alone isn’t enough. Network monitoring services like FireEye will inform you that you’re being targeted, but you still need to be able to respond quickly to prevent or mitigate the breach. That’s why Symmetry provides a 24-hour network monitoring and incident response team as part of our cyber security services. By having cybersecurity experts ready to react, we can neutralize hackers as soon as they’re detected, preventing them from gaining access to your system.
2. The OPM Breach: Finance, retail and healthcare industries have all learned expensive lessons in security, but as the Office of Personnel Management (OPM) breach dramatically illustrates, the government has a long way to go. The OPM — the agency charged with doing background checks and retaining records on “current, former, and prospective Federal employees” — let a major breach go undetected for more than a year. When they finally caught it, hackers had stolen Social Security Numbers and other personal data from 21.5 million people — about 5.6 million of which included fingerprints — along with an undisclosed number of interviews conducted as part of background investigations.
The data appears to have been stolen by outsiders working for the Chinese and Russian governments, which have combined it with other breached data they’ve collected. They’ve exposed American spies, and may be using it to enable cyberattacks and blackmail federal officials.
A leaked timeline shows that hackers stole credentials, which they used to hack OPM’s network on May 7th, 2014, installing malware that allowed them to steal background investigation records, beginning in early July. In October, they moved on to the Interior Department and, in mid-December, they started stealing OPM’s personnel records. The attack wasn’t discovered until mid-April 2015 — almost an entire year after it began.
Although the United States Computer Emergency Readiness Team (US-CERT) was involved in the early breach response, the attack may have actually been discovered accidentally during a product demo by security provider CyTech Services. Whoever detected the attack first, it’s clear that the OPM was not using security and compliance best practices. They weren’t using multifactor authentication or encryption, and they weren’t watching their network. A cyber security services team would have been able to stop the attack quickly with network monitoring, or prevented it entirely with better access control.
3. The Heartland Breach: The Heartland Payment Systems Breach was one of the biggest cyber-attacks of all time, with 130 million credit and debit cards compromised. The attack on the payment processor was masterminded by career hacker Albert Gonzalez in 2007. Working with a group of international cyber criminals, he probed a number of systems for vulnerabilities, including CitiBank, 7-11, Target and Dave and Buster’s restaurants. Heartland just happened to be the biggest victim of his sustained hacking campaign.
Gonzalez carefully planned and executed the attacks. He covered his tracks using proxies and other tools, and tested the malware against multiple antivirus suites before installing it. He was caught hacking the Dave and Buster’s POS system in May 2008, but hackers were able to continue stealing Heartland cards for months before they were finally caught.
Like many other hacking victims, Heartland was trying to do its due diligence. It was audited for PCI compliance and given a clean bill of health in 2008. Yet hackers had been attacking their system using known malware for months.
The problem isn’t necessarily bad auditing — it’s that auditing isn’t enough. A PCI compliance auditor can make sure you’re putting appropriate controls on credit card data, but they won’t be able to stop a hacker from probing your network for weaknesses, or block every one of the nearly 1 million new malware threats created every day.
To catch determined hackers, you need security and compliance monitoring across your entire IT infrastructure. IT security professionals can spot suspicious traffic, such as hackers repeatedly probing your network for weaknesses, or unusual internal traffic that could indicate a breach in progress. And that team needs the expertise to respond quickly to neutralize the threat when it happens.
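As an added illustration (not part of the original article), here is a small Python detector that runs over constructed firewall-style connection logs and flags the two patterns just described: an external source repeatedly probing many ports on one host, and an internal device in one store reaching a cash register in another store, the kind of cross-segment access the Target post-mortem found. The log format, IP addresses, store segments and device roles are all hypothetical.

```python
import re
from collections import defaultdict
# Constructed firewall-style log (not from the article): <time> <src> -> <dst>:<port> <action>
LOG_LINES = """
10:00:01 203.0.113.7 -> 192.0.2.10:21 DENY
10:00:02 203.0.113.7 -> 192.0.2.10:22 DENY
10:00:02 203.0.113.7 -> 192.0.2.10:23 DENY
10:00:03 203.0.113.7 -> 192.0.2.10:80 ALLOW
10:00:04 203.0.113.7 -> 192.0.2.10:443 ALLOW
10:00:05 203.0.113.7 -> 192.0.2.10:3389 DENY
10:00:07 198.51.100.4 -> 192.0.2.10:443 ALLOW
10:00:08 10.20.5.31 -> 10.20.5.40:9100 ALLOW
10:00:09 10.20.5.31 -> 10.40.1.12:445 ALLOW
10:00:10 10.40.1.12 -> 10.40.1.13:445 ALLOW
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (ALLOW|DENY)$")

# Hypothetical asset inventory: store segment per internal /16, and device roles.
SEGMENT_OF = {"10.20": "store-A", "10.40": "store-B"}
DEVICE_ROLE = {"10.20.5.31": "deli-scale", "10.20.5.40": "register",
               "10.40.1.12": "register", "10.40.1.13": "register"}
def parse(lines):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            t, src, dst, port, action = m.groups()
            events.append({"time": t, "src": src, "dst": dst, "port": int(port), "action": action})
    return events

def find_probers(events, min_ports=5):
    """External sources touching >= min_ports distinct ports on one host: a probing pattern."""
    ports = defaultdict(set)
    for e in events:
        if not e["src"].startswith("10."):          # only external sources count as probers here
            ports[(e["src"], e["dst"])].add(e["port"])
    return sorted({src for (src, _), p in ports.items() if len(p) >= min_ports})

def segment(ip):
    return SEGMENT_OF.get(".".join(ip.split(".")[:2]))

def find_cross_segment(events):
    """Internal host in one store reaching a register in another store (the meat-scale pattern)."""
    return [(e["src"], DEVICE_ROLE.get(e["src"], "unknown"), e["dst"], segment(e["dst"]))
            for e in events
            if segment(e["src"]) and segment(e["dst"]) and segment(e["src"]) != segment(e["dst"])
            and DEVICE_ROLE.get(e["dst"]) == "register"]
```

In a real deployment both checks would run continuously against live logs and feed an alert queue staffed around the clock, which is the point of the paragraph above.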
4. CareFirst BCBS Breach: According to a Ponemon study, healthcare hacks have grown 125% over the last five years, becoming the largest source of breaches. The CareFirst BlueCross BlueShield breach was only one of a series of major 2015 breaches targeting insurance companies with massive databases of Protected Health Information (PHI). And as in the Anthem and Premera attacks, hackers used a very simple trick to gain access to the system.
Hackers created bogus websites designed to look like CareFirst and other healthcare providers. They then tricked users into entering credentials which they could use to access CareFirst’s database — a technique known as a phishing attack. Although the company was able to protect healthcare records using encryption, hackers still made off with the names, birthdates, insurance identification numbers and email addresses of 1.1 million subscribers. The attack wasn’t detected until the company conducted a security review.
The CareFirst breach shows the importance of a multi-tiered approach to security and compliance. Encrypting healthcare records was a good move, but a better security and compliance strategy might have protected other PHI. Had they encrypted everything, used multi-factor authentication and monitored their network and user access they probably would have been able to prevent the attack entirely.
5. The Sony Breach: The Sony Pictures Entertainment hack wasn’t the largest breach of 2014, but it may have been the most damaging to the victim’s reputation. Hackers released emails from high profile figures including actors, directors and entertainment executives, leading to months of embarrassing press coverage. They also destroyed data and caused Sony to suffer ongoing financial costs, including a recent $8 million payout to employees whose personal data was stolen.
The breach highlighted the fact that everyone is at risk. Entertainment doesn’t have the same strict security and compliance rules as healthcare or finance, but the damage from an attack can be every bit as severe.
There’s much we still don’t know about the breach — including who did it and how it was done — but it looks like another case of phishing. The hackers revealed that they had stolen employee names, IDs and security tokens, and mapped out Sony’s internal network in detail before they finally announced the attack. This kind of work is never invisible. When hackers spend months navigating a company’s network and stealing internal resources, they create suspicious traffic. Had Sony employed a cyber security services team to watch their networks, they could have spotted and neutralized the hackers before the damage was done.
6. The Carbanak Breach: Few breaches get more complex than the Carbanak bank heist. According to Kaspersky Lab (which investigated that breach), the heist targeted dozens of financial institutions around the world, doing an estimated $1 billion in damages.
The hackers spent months infiltrating bank computers, probing computer systems and electronically spying on employees. Once they gained control of internal systems, the hackers began to steal money, using a range of techniques. Sometimes, they’d transfer funds to fraudulent bank accounts. In other cases, they’d command infected ATMs to dispense money, which would be picked up by their collaborators. They beat the high-security financial industry over and over again and they got away with it — for now, anyway.
Yet, despite the sophistication of this attack, they relied on a relatively simple technique to gain entry: spear phishing. Bank employees were sent infected emails which installed malware on their computer when opened, giving hackers control. One wrong click, and the hackers were in the system.
The Carbanak attack shows the need to integrate security and compliance strategies into the day-to-day activity of your company. Monitoring employees’ accounts for suspicious traffic isn’t enough; your cyber security services also need to:
- Educate workers about online safety;
- Draft and enforce technology policies;
- Create mechanisms for quickly reporting suspected breaches;
- Bring in outside experts to look for cyber security gaps.
Some of the bad guys are pretty smart. The only way to keep them out is by making security part of everything your company does.
7. CWA Breach: Crackas With Attitude (CWA), a teenage hacktivist group, has recently exposed a series of intelligence and law enforcement targets, including a law enforcement booking system. CWA was able to gather the names, addresses and other bits of personal information of thousands of law enforcement personnel. They also managed to compromise the email account of CIA director John Brennan. They’ve given media interviews, released sensitive data, and taunted the law enforcement officials tracking them.
Being intelligence and law enforcement officials, their targets haven’t publicized the details of the attacks, but one of the hackers explained how he hacked Brennan’s account in a Motherboard interview. He called Verizon — Brennan’s ISP — claiming to be from another Verizon department, and managed to finagle his Social Security Number. Then, he called AOL and had them reset Brennan’s password, using the SSN to prove he was Brennan.
Social engineering attacks are notoriously hard to defend against. In a recent contest held to raise awareness of the risks posed by these attacks, contestants were able to gain sensitive information from employees of 14 out of 15 companies, using nothing but passive information gathering techniques (e.g. Google and social media searches) and phone calls — often posing as employees or auditors.
To beat these sorts of attacks, companies need to work with security and compliance partners that understand the entire security landscape. They need to examine non-IT issues, including:
- What the company throws away
- What employees post on social media
- What information call center workers give out
- How contractors and employees are vetted
- What information criminals are likely to be interested in
- What weaknesses the company’s security partners have
- Who might have a grudge against the company
Cyber Security and Compliance Takes More than Fancy Software
No matter how powerful IT security tools become, they’re only as reliable as the people using them. An intrusion detection system can spot suspicious traffic, but it can’t stop a hacker from discovering a weakness in your network. An antimalware program can detect known bugs, but it can’t prevent an employee from clicking on a link that contains new malware.
To stay safe, your company needs a cyber security services partner who can monitor your network, audit your company, and stay vigilant against new threats. Symmetry’s complete suite of IT managed services, security and compliance services makes us an ideal candidate to police your network.
We bring together top-notch talent in network design, administration, security, engineering and project management to create a comprehensive strategy to keep your entire business safe. From patching software in your private managed cloud, to training your employees in online safety, to stopping hackers before they can get inside your network, we’re there to keep your assets safe. Contact us to learn what Symmetry can do for you.