The recent British Airways data breach compromised approximately 380,000 card payments, exposing the affected customers to fraud. While notable for the prolonged period over which the thefts took place, it is just another notch in a long series of major data security breaches. Despite growing awareness of cyber security threats, companies routinely fail to detect major attacks until it is far too late.
The British Airways Data Breach
On September 6th, 2018, British Airways announced a serious breach to its impacted customers. Hackers had exploited a security vulnerability in the company's website and mobile app starting on 21st August, and proceeded to steal the personal and payment card details of customers making bookings, excluding passport and travel details, until 5th September.
Breaches are a fact of life, but what was shocking was the length of the breach and the size and significance of the organisation that fell victim to it. Hundreds of thousands of British Airways customers had their information stolen over a period of 15 days, affecting around 380,000 credit card transactions. Think about that number. It amounts to over 25,000 thefts in a 24-hour window, and therefore a little over 1,000 thefts per hour.
Downloading a large data set from a database is neither quick nor quiet. Your network logs who is connecting to it and what data is flowing in or out, and a security team should notice when someone starts pulling a massive amount of information out, or at least they are supposed to. The caveat a practitioner should take from the British Airways numbers is that 1,000 card records an hour is not a massive transfer: the card details were captured in customers' browsers as they typed them and sent to an attacker-controlled domain, so there was never a bulk download to spot at the company's perimeter. Detecting a theft like that requires baselines for where traffic normally goes, not just thresholds on how much goes. How did hackers exploit a vulnerability and compromise the information of so many people over such a long time without being noticed?
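To make the distinction between "a massive download" and a low-and-slow leak concrete, here is an added example that is not part of the original article. It runs two detection rules over constructed outbound flow records (timestamp, source host, destination, bytes sent): a naive burst rule that flags any destination receiving more than a threshold in one hour, and a baseline rule that flags a never-before-seen destination receiving traffic in many distinct hours. The hosts, IP addresses and traffic volumes are invented for illustration; the allow-list of known destinations stands in for whatever baseline a real environment would maintain.

```python
"""Added example: burst-threshold versus per-destination baseline detection
over constructed outbound flow logs. Not code from the original article."""
from collections import defaultdict


def build_sample_flows():
    """Construct 48 hours of invented flow records as (timestamp, src, dst, bytes).

    Three patterns are planted:
      * steady partner API traffic (~120 MB/hour) to a known destination,
      * one large nightly backup (3 GB) to a known CDN destination,
      * a trickle of ~4 KB/hour to a destination the site has never talked to,
        which is the shape a card skimmer's exfiltration takes.
    """
    flows = []
    for hour in range(48):
        ts = f"2018-08-{21 + hour // 24:02d}T{hour % 24:02d}:00"
        flows.append((ts, "web01", "192.0.2.50", 120_000_000))           # partner API
        flows.append((ts, "web01", "198.51.100.7", 4_000 + (hour % 5) * 50))  # trickle
    flows.append(("2018-08-21T02:00", "db01", "203.0.113.10", 3_000_000_000))  # backup
    return flows


def bytes_by_dest_hour(flows):
    """Aggregate bytes sent per destination per hour (hour key is 'YYYY-MM-DDTHH')."""
    per = defaultdict(lambda: defaultdict(int))
    for ts, _src, dst, nbytes in flows:
        per[dst][ts[:13]] += nbytes
    return per


def burst_alerts(flows, threshold_bytes):
    """Naive rule: flag any destination that receives more than threshold in one hour.

    Returns sorted (destination, hour, bytes) tuples. This catches the backup and
    ignores the trickle, because the trickle never approaches the threshold.
    """
    alerts = []
    for dst, hours in bytes_by_dest_hour(flows).items():
        for hour, total in hours.items():
            if total > threshold_bytes:
                alerts.append((dst, hour, total))
    return sorted(alerts)


def low_and_slow_alerts(flows, known_destinations, min_hours, min_bytes_per_hour=1):
    """Baseline rule: flag a destination not on the known list that receives traffic
    in at least min_hours distinct hours, regardless of volume.

    Returns sorted (destination, active_hours, total_bytes) tuples. Sustained
    contact with an unknown external host is the signal, not the byte count.
    """
    alerts = []
    for dst, hours in bytes_by_dest_hour(flows).items():
        if dst in known_destinations:
            continue
        active = [h for h, b in hours.items() if b >= min_bytes_per_hour]
        if len(active) >= min_hours:
            alerts.append((dst, len(active), sum(hours.values())))
    return sorted(alerts)


if __name__ == "__main__":
    flows = build_sample_flows()
    known = {"192.0.2.50", "203.0.113.10"}  # assumed allow-list of normal destinations
    print("burst rule:", burst_alerts(flows, 500_000_000))
    print("baseline rule:", low_and_slow_alerts(flows, known, min_hours=24))
```

Run as written, the burst rule reports only the 3 GB backup, which is legitimate, while the baseline rule reports the unknown destination that received under 200 KB in total across 48 hours. The point is not that the threshold rule is useless, but that a leak spread thinly over two weeks has to be caught by asking "why is this server talking to that host every hour" rather than "how much did it send".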
British Airways is Just the Latest Massive Cyber Breach
Even if the British Airways incident were a one-off it would give cyber security experts plenty of reason to worry, but it is not a one-off. Breaches are not unusual, whatever the industry. There has been a series of major breaches exposing hundreds of millions, or in one case billions, of users. In some cases the breaches took years to discover, leaving users completely exposed in the meantime. Here are a few examples:
- Yahoo! – In late 2016, while its sale to Verizon was pending, Yahoo! made a disturbing announcement: it had fallen victim to a massive breach in 2014, compromising the email addresses, names, telephone numbers, birthdates and hashed passwords of around 500 million accounts. The news turned out to be even worse than the company first thought. There had been multiple breaches, including a 2013 attack that Yahoo! eventually admitted had compromised all three billion of its accounts, hashed passwords included. Every Yahoo! email, Tumblr, Flickr and Fantasy account was compromised in 2013, leaving users exposed and unaware for three years while their data was sold on the dark web.
- Office of Personnel Management (OPM) – In 2015, the OPM disclosed that hackers (most likely a state-sponsored team from China) had been inside its network since at least 2014 in one of the most serious cyber security disasters in US history. The OPM conducts background checks for federal employees, interviewing friends, family and neighbours of applicants for high-security jobs. The hackers stole the background investigation records of 21.5 million people, including detailed information about their families, past residences, foreign travel, health history and other sensitive information. The House Committee on Oversight and Government Reform was candid about just how damaging the breach was. Its report was titled "The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation."
- The Carbanak Breach – The Carbanak breach was not about data, but it shows just how sophisticated cyber security threats have become. According to Kaspersky Lab, the group targeted up to 100 financial institutions in 30 different countries starting in late 2013 and caused an estimated $1 billion in losses; its alleged leader was not arrested until 2018. Think about that: the financial industry is arguably the most heavily defended, yet attackers were able to steal up to $1 billion from banks across the world and operate undetected for years.
Why Cyber Security Breaches Happen
IT security is complicated, because IT is complicated. Organizations need to provide instantaneous access to employees, customers, and others all over the world, while keeping the bad guys out. Some of the factors are:
- Insider Threats – If a user can access a resource, they can compromise that resource. Sometimes users do it maliciously, for example by selling data or sabotaging a database to get revenge for perceived mistreatment. More often, however, the insider threat is a mistake. A user might choose a weak password, leave their account logged in on a shared computer, log in over an insecure connection, or slip up in any one of thousands of other ways.
- Unpatched Vulnerabilities – Software providers and third parties work hard to test their software, find vulnerabilities and release patches. Unfortunately, as soon as a patch is released, attackers compare the patched and unpatched versions to work out what was fixed and how to exploit it. If your company takes six months or so to apply patches, that gives hackers a long window in which to use those newly public vulnerabilities to gain access to your landscape.
- Lack of Access Controls – The fewer users who have access to a particular piece of sensitive information, the less likely that information is to be compromised. The fewer permissions a user has, the less damage a hacker can do if they compromise that user’s account. Ideally, each user should have the minimum access necessary to do their job — no more. Unfortunately, many companies don’t adequately address segregation of duties and other compliance controls, leaving their landscapes more exposed to cyber security threats.
- Third Party Errors – Banks, vendors and other third parties need access to your landscape for you to run your business — for example, to process financial transactions or provide support. Unfortunately, hackers can target the portals they use as a means to gain access to your landscape.
- Inadequate Network Security – Your network itself can be an invaluable defence against cyber security threats — or a source of dangerous vulnerabilities. Unfortunately, most companies don’t put enough effort into network security architecture best practices like hardening and segmentation, potentially leaving gaps hackers can use to gain access.
How to Beat Cyber Security Threats
The most challenging thing about security is its scope. There are many aspects of your landscape that lie outside of traditional cyber security, but still have security ramifications. For example, patching software and configuring SAP aren’t really security’s job — they’re handled by your SAP Basis support team — but if those tasks aren’t handled properly, they can lead to intrusion. Similarly, if you’re buying hosting from a company with sloppy data centre security practices, that can increase certain risks, even if you have a good third-party security provider.
To protect against cyber security threats, you need a solution designed from the ground up with security in mind. Everything from network engineering, to data centre monitoring, to patching, to intrusion detection and prevention play a role in keeping your landscape safe.
Be Secure With Symmetry
As a leading SAP hosting and managed services provider, Symmetry has what it takes to keep your company safe. From protecting your data in our Tier 3 data centres to high-touch Basis support and comprehensive cyber security services, we address all the attack vectors enterprises face, not just those that fall under "security."