
Top 4 Lessons Learned from the 2017 Breaches, Part II

November 21, 2017
by Jasmine Chennikara-Varghese, Pathlock Technologies
  • Compliance without continuous monitoring impairs security: Regulations and security standards promote best practices for keeping data secure, but the solutions and methodologies put in place to satisfy compliance requirements do not guarantee security. Without human oversight and continuous monitoring, issues fall through the gaps.

The Equifax breach was not caused by the absence of an information security program but by a lapse in the control processes around human oversight and vulnerability management. The patch for the Apache Struts vulnerability CVE-2017-5638 was issued in March 2017. Per Equifax policy, designated personnel should have applied it within 48 hours of its release, but that did not happen. Internal vulnerability scans performed to meet compliance requirements also failed to alert on the unpatched systems.

At Deloitte, an administrator account on a critical email server was not protected by two-factor authentication, even though two-factor authentication is a typical compliance requirement for privileged access. A single administrator password was therefore enough for the attackers to reach all areas of the email system. Strictly managed privileged access and periodic review of access rights are compliance activities, but without compliance monitoring the misconfiguration was introduced and went undetected for months.

At Verizon, millions of customer PINs used to authenticate callers at call centers were left exposed and available for download from an unsecured Amazon S3 storage bucket. A vendor had placed the data in cloud storage and, by human error, configured it to allow external access. Although no bad actors appear to have accessed the data, the exposure was not caught by security controls or internal security teams; it was discovered by an external researcher who notified Verizon.
  • Visibility is key to detection and prevention: Access, device and network security solutions are needed for defense in depth at multiple layers, but visibility into the actual data you are trying to protect is often missing. In the Equifax breach, the Struts vulnerability sat in the handling of file uploads: the Jakarta Multipart parser placed the attacker-controlled Content-Type header into an error message that was then evaluated as an OGNL expression, so crafted input was executed as code on the server. This allowed the attackers to access and read a large number of records. With full visibility into those access activities, security alerts could have been triggered on the anomalous behavior, shortening the time to detect and confirm the breach. You cannot effectively protect what you cannot see. It is that simple. There is a lot of noise to filter, so the more actionable intelligence you have, the better you can correlate the activities in your applications. Visibility lets you move from manually triaging every alert and logged event to escalating correlated network and application security events that indicate suspicious behavior. In turn, you can better protect patient, customer, shareholder, business partner and employee data.
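The detection side of the visibility point above, as an added example rather than code from the original post or from Pathlock: a small Python scanner that classifies the Content-Type header of each request as a clean MIME type, a malformed one, or an OGNL expression of the kind used against CVE-2017-5638, and raises an alert for anything that is not clean. The proxy log format, the `ct=` field name, the IP addresses and the log lines themselves are constructed for the example; the payload fragment is modelled on the public exploit shape and is truncated, not a working exploit.

```python
import re
from typing import Dict, List

# Strict Content-Type grammar: type/subtype followed by optional ";name=value"
# parameters. A front end that enforced this would never have handed the
# CVE-2017-5638 header shape to the multipart parser in the first place.
_VALID_CONTENT_TYPE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]{0,126}/[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]{0,126}"
    r"(?:\s*;\s*[A-Za-z0-9_.-]+=(?:\"[^\"]*\"|[^\s;]+))*\s*$"
)

# Fragments seen in public CVE-2017-5638 payloads: an OGNL expression smuggled
# through the Content-Type header. Compared case-insensitively.
_OGNL_MARKERS = ("%{", "#_memberaccess", "ognl.ognlcontext",
                 "@java.lang.runtime", "#cmd=")


def classify_content_type(value: str) -> str:
    """Return 'ognl_attempt', 'malformed' or 'ok' for one Content-Type value."""
    lowered = value.lower()
    if any(marker in lowered for marker in _OGNL_MARKERS):
        return "ognl_attempt"
    if not _VALID_CONTENT_TYPE.match(value):
        return "malformed"
    return "ok"


# Constructed sample lines in an assumed proxy log format that records the
# Content-Type header as ct="...": timestamp, client IP, method, path, ct.
# These are invented for the example, not real Equifax or Pathlock logs.
SAMPLE_LOG = [
    '2017-03-10T12:00:01Z 203.0.113.5 POST /upload.action '
    'ct="multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"',
    '2017-03-10T12:00:02Z 203.0.113.6 POST /login.action '
    'ct="application/x-www-form-urlencoded"',
    "2017-03-10T12:00:03Z 198.51.100.9 POST /upload.action "
    "ct=\"%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"
    ".(#cmd='whoami')}\"",
    '2017-03-10T12:00:04Z 198.51.100.9 POST /upload.action '
    'ct="multipart/form-data boundary=abc"',
]

_LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) ct="(.*)"$')


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per line whose Content-Type is not a clean MIME type."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline should count these too
        ts, src, method, path, content_type = m.groups()
        verdict = classify_content_type(content_type)
        if verdict != "ok":
            alerts.append({"ts": ts, "src": src, "method": method, "path": path,
                           "verdict": verdict, "content_type": content_type})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['src']} {alert['verdict']}: "
              f"{alert['content_type'][:60]}")
```

Deciding on structure (is this a valid `type/subtype` at all?) rather than only on known payload fragments is what keeps the check useful against obfuscated variants; the marker list labels a hit as an exploit attempt but is not required for the event to be raised. A legitimate multipart upload with its boundary parameter passes, while a header that does not parse as a MIME type is surfaced as a "malformed" event for correlation instead of being handed silently to the application.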
No one is immune to cyber attacks. One human error, one misconfiguration, one control failure or one prematurely closed security alert can result in disaster days, weeks or months later. Get ahead of data breaches by using Pathlock Security Risk Analytics to mine and analyze application behaviors and quickly discover anomalies in user activities, authorizations and roles as well as data access events.
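As an added example of the kind of automated check that would have caught the Verizon storage misconfiguration described in the first lesson above (this is not Pathlock's, Verizon's or the vendor's code): a Python function that audits an S3 bucket ACL and bucket policy for grants to everyone, run against a constructed weak configuration and its corrected form. The bucket name, owner ID, account ID and role name are made up; the ACL dict follows the shape that boto3's `get_bucket_acl` returns and the policy is an ordinary bucket policy document, but nothing is fetched from AWS here.

```python
from typing import Any, Dict, List, Optional

# Canned group URIs that make an S3 ACL grant public. AuthenticatedUsers means
# any AWS account in the world, so it is treated as public here too.
_PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _principal_is_everyone(principal: Any) -> bool:
    """True for the principal forms meaning anyone: "*", {"AWS": "*"}, {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_access_findings(acl: Dict[str, Any],
                           policy: Optional[Dict[str, Any]] = None) -> List[str]:
    """Return one finding per path that exposes the bucket publicly.

    `acl` has the shape of boto3's get_bucket_acl() result and `policy` the shape
    of a parsed bucket policy document; both are passed in, nothing is fetched.
    """
    findings: List[str] = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in _PUBLIC_GROUPS:
            findings.append(
                f"ACL grants {grant.get('Permission')} to {_PUBLIC_GROUPS[grantee['URI']]}")
    for stmt in (policy or {}).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        # A Condition may narrow "everyone" (e.g. to one VPC endpoint); still review it.
        suffix = " (narrowed by a Condition, review it)" if stmt.get("Condition") else ""
        findings.append(f"policy allows {', '.join(actions)} to everyone{suffix}")
    return findings


# Constructed samples (assumed names and IDs), not any real account's configuration.
OWNER = {"ID": "EXAMPLE-OWNER-CANONICAL-ID"}

# Weak setting: a world-readable ACL plus a policy that lets anyone fetch objects.
WEAK_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::customer-pins-export/*"},
]}

# Corrected setting: owner-only ACL and a policy scoped to a single IAM role.
FIXED_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/callcenter-etl"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-pins-export/*"},
]}

if __name__ == "__main__":
    for name, acl, pol in (("weak", WEAK_ACL, WEAK_POLICY), ("fixed", FIXED_ACL, FIXED_POLICY)):
        print(name, public_access_findings(acl, pol) or ["no public access"])
```

Run on a schedule against every bucket, this is the continuous-monitoring piece that the one-time compliance review lacks: the vendor's mistake in the story was not exotic, it was a single ACL grant or policy statement of exactly the kind the weak sample contains, and it only needs to be visible to be fixed.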