Monday 31 December 2018

Equifax Data Breach Report

This report from the U.S. House of Representatives describes the Equifax data breach in detail. For such a large financial organisation, the shortcomings are breathtaking, but the report makes for a fantastic learning opportunity. It shows how these large organisations fail to implement even basic security controls or otherwise take cybersecurity seriously, even when the implications are astronomical.

https://oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf

Some of the high level findings include:
  • Ineffective IT coordination
  • Siloed IT and Security organisations
  • No accountability
  • No clear owner for business, application and systems
  • Patch management process breathtakingly flawed
  • Vulnerabilities not adequately remediated or tracked
  • Lack of hardening standards
  • Certificate management process completely flawed
  • Insufficient documentation
  • Lack of asset inventories
  • No network segmentation



Sunday 30 December 2018

Printing of Major US Newspapers Affected by Cyber Attack

The Los Angeles Times, Chicago Tribune, Wall Street Journal, San Diego Union-Tribune and New York Times were among the titles affected by a virus that disrupted printing and distribution. Reportedly, the virus affected back-end production systems.

Was this a targeted attack? If so, what was the goal? Could an attacker alter and print content?

https://www.theguardian.com/technology/2018/dec/30/cyber-attack-disrupts-printing-of-major-us-newspapers

We have very little detail on the attack, but it was most likely targeted, and the initial infection was probably a user clicking on a phishing link in an email. Let's consider what controls could possibly have prevented the attack in this scenario.

  • User security awareness training may have prevented the user from clicking on the link in the first place.
  • An email scanning service may have blocked the email or rendered the phishing link harmless.
  • A firewall with up-to-date threat intelligence may have blocked the domain the phishing link directs to, or blocked the subsequent C2 traffic, which would have rendered the malware impotent.
  • The same applies to a secure web proxy.
  • A malware analysis engine may have blocked the malware from being downloaded, for example malware analysis in a secure web proxy, a firewall or a standalone engine.
  • Endpoint protection, whether standard anti-virus or next-gen endpoint protection.
  • DNS filtering, such as Cisco Umbrella or Akamai Threat Prevention, may have blocked the malicious domain, defeating the initial download or blocking the subsequent C2 traffic.
  • Better detection, such as a SIEM with threat intelligence.
  • Improved response.
  • Network segmentation to prevent lateral movement within the network.
  • Privileged access management.

Actually, the more I think about this, and without knowing the specifics, there's a whole raft of controls that could conceivably have prevented this attack.