Monday 31 December 2018

Equifax Data Breach Report

This report from the U.S. House of Representatives describes the Equifax data breach in detail. For such a large financial organisation, the shortcomings are breathtaking, but the report makes for a fantastic learning opportunity. It shows how these large organisations fail to implement even basic security controls or otherwise take cybersecurity seriously, even when the implications are astronomical.

Some of the high level findings include:
  • Ineffective IT coordination
  • Siloed IT and Security organisations
  • No accountability
  • No clear owner for business, application and systems
  • Patch management process breathtakingly flawed
  • Vulnerabilities not adequately remediated or tracked
  • Lack of hardening standards
  • Certificate management process completely flawed
  • Insufficient documentation
  • Lack of asset inventories
  • No network segmentation

Sunday 30 December 2018

Printing of Major US Newspapers Affected by Cyber Attack

The Los Angeles Times, Chicago Tribune, Wall Street Journal, San Diego Union-Tribune and New York Times were among the titles affected by a virus that disrupted printing and distribution. Reportedly, the virus affected back-end production systems.

Was this a targeted attack? If so, what was the goal? Could an attacker alter and print content?

We have very little detail on the attack, but most likely it was targeted, and the initial infection was probably a user clicking a phishing link in an email. Let's consider what controls could have prevented the attack in this scenario.

  • User security awareness training may have prevented the user from clicking on the link in the first place.
  • An email scanning service may have blocked the email or rendered the phishing link harmless.
  • A firewall with up-to-date threat analysis may have blocked the domain the phishing link directs to, or blocked the subsequent C2 traffic and so rendered the malware impotent.
  • The same applies to a secure web proxy.
  • A malware analysis engine may have blocked the malware from being downloaded, for example, malware analysis in a secure web proxy, firewall or standalone engine.
  • Endpoint protection, either standard anti-virus or next gen endpoint protection.
  • DNS filtering, such as Cisco Umbrella or Akamai Threat Prevention, may have blocked a malicious domain, defeating the initial download or blocking subsequent C2 traffic.
  • Better detection, such as SIEM with threat intelligence.
  • Improved response.
  • Network segmentation to prevent lateral movement within the network.
  • Privileged access management.

Actually, the more I think about this, and without knowing the specifics, there is a whole raft of controls that could conceivably have prevented this attack.
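To make two of the controls above concrete, the DNS filtering and the SIEM-style detection of C2 traffic, here is an added example that is not part of the original post. The log format, the blocklist, the domain names and the thresholds are all constructed for illustration; a real deployment would take the blocklist from a threat intelligence feed and the logs from the resolver.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed DNS query log (timestamp, client IP, queried name); not real data.
DNS_LOG = """\
2018-12-29T08:00:00 10.1.2.15 www.example-news.test
2018-12-29T08:00:05 10.1.2.15 c2-placeholder.test
2018-12-29T08:05:05 10.1.2.15 c2-placeholder.test
2018-12-29T08:10:06 10.1.2.15 c2-placeholder.test
2018-12-29T08:15:05 10.1.2.15 c2-placeholder.test
2018-12-29T08:20:05 10.1.2.15 c2-placeholder.test
2018-12-29T08:03:12 10.1.2.15 cdn.example-news.test
2018-12-29T08:07:48 10.1.2.15 cdn.example-news.test
2018-12-29T08:31:00 10.1.2.15 cdn.example-news.test
2018-12-29T08:02:00 10.1.2.99 phish-link-placeholder.test
"""

# Hypothetical blocklist standing in for a DNS filtering feed (constructed).
BLOCKLIST = {"phish-link-placeholder.test"}

def parse(log):
    """Yield (timestamp, client, qname) with the name normalised."""
    for line in log.splitlines():
        ts, client, qname = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip(".")

def blocked_queries(log, blocklist=BLOCKLIST):
    """DNS filtering: which clients asked for a domain on the blocklist."""
    return sorted({(c, q) for _, c, q in parse(log) if q in blocklist})

def beacon_candidates(log, min_queries=5, max_cv=0.1):
    """SIEM-style detection: flag (client, qname) pairs whose query intervals are
    near-constant, the pattern of a malware check-in timer. This catches a C2
    domain that is not (yet) on any blocklist, which filtering alone would miss."""
    seen = defaultdict(list)
    for ts, client, qname in parse(log):
        seen[(client, qname)].append(ts)
    hits = []
    for (client, qname), times in seen.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        # Coefficient of variation: jitter relative to the period; small means regular.
        if period > 0 and pstdev(gaps) / period <= max_cv:
            hits.append((client, qname, round(period)))
    return hits
```

With the constructed log, the blocklist catches the phishing domain on 10.1.2.99, while the beaconing check flags 10.1.2.15 polling c2-placeholder.test every 300 seconds even though that domain is on no list.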