hacked! security lessons from big name breaches · 2019-10-15 · under-resourced information...
TRANSCRIPT
Hacked! Security Lessons From Big Name Breaches
Neil Daswani, [email protected]
Attacker Lifecycle
Source: Wikipedia.org
The Target Breach (2013)
What got stolen? 40+ million credit card numbers
What was the impact?
• CEO and CISO fired; board sued
• $250M in breach costs
• Reputational damage
How did it happen? Root cause?
• Phishing and malware
• 3rd party vetting and integration
How could it have been prevented?
• Network segmentation
• Enough staff to vet malware alerts
• Reduction of false positive alerts
The JPMorganChase Breach (2014)
What got stolen? 70+ million customer names and email addresses
What was the impact? Potential for mass phishing attacks
How did it happen? Root cause? Key vulnerabilities?
• Phishing attack
• Lack of multi-factor authentication on a third-party server
How could it have been prevented?
• Anti-phishing training
• Implementation of multi-factor authentication on ALL servers
Anthem Breach (2015)
What got stolen? 80M customer records
What was the impact? More than 100 lawsuits
How did it happen? Root cause? Key vulnerabilities?
Spear phishing / compromise of database credentials. Malware.
How could it have been prevented?
• Anti-phishing training and countermeasures
• Employ principle of least privilege
• Deny unnecessary incoming connections
Anthem Breach (2015)
From https://www.cs.bu.edu/~goldbe/teaching/HW55815/presos/anthem.pdf
Office of Personnel Management (OPM) (2015)
What got stolen? 21.5M background checks, including SF86 forms. 5.6M fingerprint records.
What was the impact? “... cannot be overstated, nor will it ever be fully known.” -- House Oversight Majority Report
How did it happen? Root cause?
Under-resourced information security program. Failure to prioritize security. Stolen contractor credentials. Malware.
How could it have been prevented?
• Investment and prioritization of security
• Multi-factor authentication
• Containment of legacy systems
The Yahoo Breaches (2016)
What got stolen/exposed?
• > 3 billion accounts
• Access to all Yahoo email accounts
Impact?
• Largest breach in the history of the Internet.
• $350 million drop in price Verizon paid
How did it happen? Root cause?
• Spear phishing
• Malware
• Theft of cookie generation algorithm
• Yahoo’s User Database (UDB) stolen
• Unauthorized access of Yahoo’s Account Management Tool (AMT)
2017 and 2018 Breaches
Similar modus operandi as in previous years (privacyrights.org)
• Dun and Bradstreet (33.6 million; Mar ‘17)
• River City Media (1.34 billion; Mar ‘17)
• WannaCry (200K+, May ‘17)
• Equifax (145M, Sept ’17)
• Aadhaar (1.1 billion, Jan ‘18)
• Exactis (340M, June ‘18)
• Under Armour (150M, May ‘18)
• Marriott (339M, Nov ‘18)
Attacker Lifecycle; Source: Wikipedia.org
The Capital One Breach (2019)
What got stolen? 100M US SSNs, 1M Canadian SINs
What was the impact?
• $250K fine, 5 yrs. in jail for hacker.
• Estimated breach costs of $100M - $150M.
How did it happen? Root cause?
• Capital One firewall misconfiguration provided access to their AWS buckets
• Server-Side Request Forgery (SSRF)
How could it have been prevented?
• Firewall review
• Automated hybrid cloud security scanning
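As an added defensive illustration of the SSRF class named on this slide (example code, not from the slides or from Capital One), the check below validates the destination of a server-side "fetch this URL" feature: the host must be on an allowlist, and every address it resolves to must be public, so a request cannot be steered at internal or link-local services. The allowlist entries, the sample addresses and the injectable resolver are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist of hosts the fetch feature is permitted to reach.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def _is_public_ip(ip_str):
    """True only for routable public addresses; rejects private, loopback,
    link-local (where cloud metadata services usually live), multicast,
    reserved and unspecified ranges."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_target(url, resolver=socket.gethostbyname_ex):
    """Return (ok, reason). ok is True only if the scheme is allowed, the host
    is on the allowlist, and every resolved address is public.
    `resolver` mirrors socket.gethostbyname_ex and is injectable for tests."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    # urlsplit().hostname strips userinfo, so "https://user@host/" is judged
    # by the real host, not by whatever appears before the "@".
    host = parts.hostname
    if not host:
        return False, "no host"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    # Even an allowlisted name can point at an internal address (DNS
    # rebinding, compromised zone), so resolve and check every address.
    try:
        _, _, addrs = resolver(host)
    except OSError:
        return False, "resolution failed"
    for addr in addrs:
        if not _is_public_ip(addr):
            return False, f"resolves to non-public address {addr}"
    return True, "ok"
```

The HTTP client that performs the fetch must also disable redirect following (or re-run this check on every hop), since a redirect from an allowed host would otherwise bypass the validation.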
Summary: Top Five Key Root Causes of Breaches
Root Cause / Example Breaches
• Phishing: Target, JPMorganChase, Anthem, Yahoo, DNC
• Malware: Target, OPM, Yahoo, Marriott, WannaCry
• Third-Party Supplier: Target, JPMorganChase, Facebook
• Software / Application Security, Vulnerability Management: Equifax, Yahoo, Facebook
• Inadvertent Employee Errors / Accidents (separate from phishing): Exactis, River City Media
Note that a single breach can have multiple root causes.
What you can do
Attack vector / Defenses
Phishing:
• Report all suspicious emails to: [email protected]
• Always use multi-factor authentication (Duo)
• Avoid acting on unsolicited emails on mobile devices (e.g., viewing URLs)
• Reset your credentials if you think you got phished
Malware:
• Do not open unexpected or unusual attachments
• Be careful what you click
• Limit privileges and access to only what you need
• Patch your machine promptly
Third-Party Suppliers:
• Vet all third-party suppliers’ security and set them on an improvement path if necessary
Number of Records Breached By Year
Source Data from PrivacyRights.org
Breaches by Type
Source Data from PrivacyRights.org
CyberSecurity Skills / Staffing Gap: Need for Automation
“We predict there will be 3.5 million unfilled cybersecurity positions [worldwide] by 2021.” -- CyberSecurity Ventures
Source: CyberSeek.org
You may also be interested in…
Foundations of Information Security
Professional Online Course: Open Enrollment
Instructors: Neil Daswani and Dan Boneh
Learn the foundational skills needed to build a successful cyber security career. You’ll hear from experts like Dan Boneh and Neil Daswani, as well as from Vint Cerf, co-creator of the internet, and industry security leaders from Google, LinkedIn, and LifeLock.
Emerging Threats & Defenses
Professional Online Course: Open Enrollment
Instructors: Neil Daswani, Dan Boneh and John Mitchell
Understanding trends in computer science and how machine learning and anti-malware defenses can respond to threats is a critical component of protecting networks, infrastructure and users. Explore the growing challenges of securing sensitive data, networks and applications with different privacy controls to defend against malicious acts.
computersecurity.stanford.edu
References
ACS Courses:
• Foundations of Information Security
• CyberSecurity and Executive Strategy
• Emerging Threats and Defenses
Yahoo Breach:
• Indictment of Russian spies and cybercriminals (https://www.justice.gov/opa/press-release/file/948201/download)
• Ars Technica: How did Yahoo get breached? (https://arstechnica.com/tech-policy/2017/03/fbi-hints-that-hack-of-semi-privileged-yahoo-employee-led-to-massive-breach/)
OPM Breach:
• How the Government Jeopardized Our National Security for More than a Generation (https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf)
Anthem Breach:
• The Anthem Hack (https://www.cs.bu.edu/~goldbe/teaching/HW55815/presos/anthem.pdf)
Stanford Center for Professional Development
online | at Stanford | at work
Graduate Education. Professional Certification.
scpd.stanford.edu
The Stanford Advanced Computer Security Certificate Program
Security Intelligence. Technology Insights.
Gain vital skills needed for today’s cyber workforce. From state-of-the-art software security design principles to concrete programming techniques, this online computer science program exposes you to the expert instruction and research addressing cyber security in modern technology.
Presented By
computersecurity.stanford.edu