Cyber Security Threats: Why Detection Takes So Long

The recent Equifax data breach compromised consumer data on an almost unbelievable scale, exposing millions of Americans to the risk of identity theft for the rest of their lives. While notable for its size and severity, it’s just another notch in a long series of major data security breaches. Despite growing awareness of cyber security threats, companies routinely fail to detect major attacks until it’s far too late.

The Equifax Data Breach

On September 7th, Equifax announced a massive breach. Hackers had exploited a security vulnerability in the company’s software starting on or around May 13th. They proceeded to steal personal information about consumers, “primarily including names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.”

Breaches are a fact of life, but what was shocking was the sheer extent of the breach. Approximately 145.5 million Americans had had their information stolen from the credit reporting agency. Think about that number. The population of the United States is about 323 million. So far, only about 450 million Social Security numbers have ever been issued. The hackers made off with the data of about 45% of all Americans, and nearly ⅓ of the Social Security numbers in existence.

Downloading all that data isn’t quick or easy. Your network logs who is connecting to it, and what data is flowing in or out, and a security team should notice when someone starts downloading a massive amount of information — at least, they’re supposed to. It takes time to steal all that data. In Equifax’s case, 2 ½ months (from May 13th to July 30th). How did hackers exploit a known vulnerability, and compromise the information of so many people over such a long time?
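As an added illustration (not part of the original article), the sketch below applies two checks to outbound flow records: a per-day volume limit and a trailing-window total. A transfer spread over weeks can stay under the daily limit on every single day and still show up in the window total. The record layout, host names, addresses, dates and thresholds are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

MB = 1024 * 1024

def daily_totals(flows):
    """Sum outbound bytes per (host, day) from (day, host, dest, bytes_out) records."""
    totals = defaultdict(int)
    for day, host, _dest, bytes_out in flows:
        totals[(host, day)] += bytes_out
    return totals

def detect_egress(flows, daily_limit, window_days, window_limit):
    """Return {host: set of reasons} for hosts that breach either limit."""
    per_host = defaultdict(dict)
    for (host, day), total in daily_totals(flows).items():
        per_host[host][day] = total
    alerts = defaultdict(set)
    for host, days in per_host.items():
        for day in days:
            if days[day] > daily_limit:
                alerts[host].add("daily_spike")
            # Trailing window ending on this day; days with no records count as zero.
            window = sum(days.get(day - timedelta(d), 0) for d in range(window_days))
            if window > window_limit:
                alerts[host].add("sustained_egress")
    return dict(alerts)

def sample_flows():
    """Constructed flow records for the example, not real log data."""
    start = date(2024, 1, 1)
    flows = []
    for i in range(30):
        day = start + timedelta(i)
        flows.append((day, "web02", "203.0.113.10", 50 * MB))   # ordinary traffic
        flows.append((day, "app01", "198.51.100.7", 400 * MB))  # steady, under the daily limit
    flows.append((start + timedelta(3), "backup01", "192.0.2.44", 3000 * MB))  # single burst
    return flows

if __name__ == "__main__":
    found = detect_egress(sample_flows(), 1000 * MB, 14, 4000 * MB)
    for host, reasons in sorted(found.items()):
        print(host, sorted(reasons))
```

In the constructed data, app01 never trips the daily limit and is caught only by the 14-day total, while backup01 is caught only by the daily limit.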

Equifax is Just the Latest Massive Cyber Breach

Even if Equifax were a fluke, it should give cyber security experts plenty of reason to worry — but it isn’t. Breaches aren’t unusual, no matter the industry. There have been a series of major breaches exposing hundreds of millions — or in one case, billions of users. In some cases, the breaches took years to discover, leaving users completely exposed. Here are a few examples:

  • Yahoo!: In late 2016, while negotiating a sale to Verizon, Yahoo! made a disturbing announcement: it had fallen victim to a massive breach, compromising the email addresses, names, telephone numbers, and birthdates of hundreds of millions of customers in 2014. The news turned out to be even worse than the company thought. There had been multiple breaches, including a 2013 attack compromising three billion accounts, including passwords. Literally every single Yahoo! email, Tumblr, Flickr, and Fantasy account was compromised in 2013, leaving users exposed and unaware for three years, while their data was sold on the dark web.
  • Office of Personnel Management (OPM): In 2012, hackers (most likely, a state-sponsored team from China) perpetrated one of the most serious cyber security disasters in US history. The OPM provides background checks for federal employees, conducting interviews of friends, family, and neighbors for high-security jobs. The hackers stole the records of 21.5 million people, including detailed information about their families, past residences, foreign travel, health records and other sensitive information. The House Committee on Oversight and Government Reform was candid on just how damaging that breach was. Its report was titled “The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation.”
  • The Carbanak Breach: The Carbanak breach wasn’t about data — but it shows just how sophisticated cyber security threats have gotten. According to Kaspersky Lab, hackers targeted up to 100 financial institutions in 30 different countries starting in late 2013, doing an estimated $1 billion in damages, and got away with it. Think about that — the financial industry is arguably the most secure, yet hackers were able to steal up to $1 billion from banks across the world, and get away with it.

Why Cyber Security Breaches Happen

IT security is complicated, because IT is complicated. Organizations need to provide instantaneous access to employees, customers, and others all over the world, while keeping the bad guys out. Some of the factors are:

  • Insider Threats: If a user can access a resource, they can compromise that resource. Sometimes users do it maliciously — for example, selling off data or sabotaging a database to get revenge for perceived mistreatment. More often, however, the insider threat is a mistake. A user might create a weak password, leave their account logged in on a shared computer, log in via an insecure connection, or screw up in any one of thousands of other ways.
  • Unpatched Vulnerabilities: Software providers and third parties work hard to test their software, find vulnerabilities and release patches. Unfortunately, as soon as a patch is released, the bad guys start looking for ways to exploit the vulnerability. If your company is taking 6 months or so to apply patches, that gives hackers an opportunity to exploit new vulnerabilities to gain access to your landscape.
  • Lack of Access Controls: The fewer users who have access to a particular piece of sensitive information, the less likely that information is to be compromised. The fewer permissions a user has, the less damage a hacker can do if they compromise that user’s account. Ideally, each user should have the minimum access necessary to do their job — no more. Unfortunately, many companies don’t adequately address segregation of duties and other compliance controls, leaving their landscapes more exposed to cyber security threats.
  • Third Party Errors: Banks, vendors and other third parties need access to your landscape for you to run your business — for example, to process financial transactions or provide support. Unfortunately, hackers can target the portals they use as a means to gain access to your landscape.
  • Inadequate Network Security: Your network itself can be an invaluable defense against cyber security threats — or a source of dangerous vulnerabilities. Unfortunately, most companies don’t put enough effort into network security architecture best practices like hardening and segmentation, potentially leaving gaps hackers can use to gain access.

How to Beat Cyber Security Threats

The most challenging thing about security is its scope. There are many aspects of your landscape that lie outside of traditional cyber security, but still have security ramifications. For example, patching software and configuring SAP aren’t really security’s job — they’re handled by your SAP Basis support team — but if those tasks aren’t handled properly, they can lead to intrusion. Similarly, if you’re buying hosting from a company with sloppy data center security practices, that can increase certain risks, even if you have a good third-party security provider.

To protect against cyber security threats, you need a solution designed from the ground up with security in mind. Everything from network engineering, to data center monitoring, to patching, to intrusion detection and prevention plays a role in keeping your landscape safe.

Be Secure With Symmetry

As a leading SAP hosting and managed services provider, Symmetry has what it takes to keep your company safe. From protecting your data in our ultra-secure Tier 3 data centers to high-touch Basis support and our comprehensive cyber security services, we address all the attack vectors enterprises face — not just those that fall under “security.”

About Scott Goolik - VP, Compliance and Security Services

Scott Goolik is VP of Compliance and Security Services at Symmetry. A recognized expert in the field of SAP security and compliance, Scott has over 20 years of expertise in SAP security and is a regular presenter at SAP industry tradeshows and ASUG events. His experience includes working for one of the Big Four accounting firms and developing auditing tools, including those for segregation of duties (SOD). Scott is also responsible for architecting the ControlPanelGRC® solution which provides audit automation and acceleration of security and control processes.