Hacked! Security Lessons From Big Name Breaches

Neil Daswani, PhD, [email protected]

2019-10-15



Attacker Lifecycle (diagram; source: Wikipedia.org)


The Target Breach (2013)

What got stolen? 40+ million payment card numbers, plus personal data (names, addresses, phone numbers, email addresses) of up to 70 million customers

What was the impact?

• CEO and CIO resigned under pressure; board sued
• $250M+ in breach-related costs
• Reputational damage

How did it happen? Root cause?

• Phishing and malware: a phishing email installed credential-stealing malware at a third-party HVAC vendor; the vendor's stolen credentials were used on Target's vendor portal, and memory-scraping malware was then placed on point-of-sale systems
• Third-party vetting and integration: the vendor's remote access was not isolated from the payment network

How could it have been prevented?

• Network segmentation between vendor-facing systems and the POS network
• Enough staff to triage malware alerts (the intrusion did raise alerts that were not acted on)
• Reduction of false-positive alerts so the real ones stand out


The JPMorganChase Breach (2014)

What got stolen? Contact information (names, addresses, phone numbers, email addresses) for about 76 million households and 7 million small businesses; no evidence that account numbers or passwords were taken

What was the impact? Potential for mass phishing attacks against customers

How did it happen? Root cause? Key vulnerabilities?

• Phishing attack that yielded an employee's credentials
• Lack of multi-factor authentication on a third-party server

How could it have been prevented?

• Anti-phishing training
• Implementation of multi-factor authentication on ALL servers (one unprotected server is enough)


Anthem Breach (2015)

What got stolen? About 80M customer records (names, dates of birth, Social Security numbers, addresses, employment information)

What was the impact? More than 100 lawsuits, later consolidated into a class action that Anthem settled for $115M in 2017

How did it happen? Root cause? Key vulnerabilities?

• Spear phishing
• Compromise of database credentials
• Malware

How could it have been prevented?

• Anti-phishing training and countermeasures
• Employ the principle of least privilege
• Deny unnecessary incoming connections
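The network-segmentation advice on the Target slide and the "deny unnecessary incoming connections" advice here come down to the same control: a default-deny allowlist between segments, and a way to check observed traffic against it. The following is an added example (not code from the slides or from any of the breached organizations) that encodes such a policy and runs it over constructed flow records. The segment names, CIDRs, permitted ports and the records themselves are hypothetical, and the record format is a bare "src dst dport", not a real log schema.

```python
"""Default-deny segmentation policy applied to network flow records.

Added example (not from the slides). The segment names, CIDRs, allowed
ports and flow records are constructed; the record format is
'src dst dport', not a real log schema.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical network segments.
SEGMENTS: Dict[str, ipaddress.IPv4Network] = {
    "vendor-portal": ipaddress.ip_network("10.10.0.0/24"),
    "corp-users": ipaddress.ip_network("10.20.0.0/16"),
    "pos": ipaddress.ip_network("10.30.0.0/16"),
    "db": ipaddress.ip_network("10.40.0.0/24"),
    "jump": ipaddress.ip_network("10.50.0.0/28"),
}

# Allowlist: (source segment, destination segment) -> permitted TCP ports.
# Everything not listed is denied, so the vendor portal has no path at all
# to the POS or database segments.
ALLOWED: Dict[Tuple[str, str], Set[int]] = {
    ("corp-users", "db"): {5432},
    ("jump", "pos"): {22},
    ("jump", "db"): {22},
    ("pos", "db"): {5432},
}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'src dst dport' record."""
    src, dst, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))


def segment_of(addr: ipaddress.IPv4Address) -> Optional[str]:
    """Name of the segment containing addr, or None if it is in no segment."""
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(flow: Flow) -> bool:
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is None or dst_seg is None:
        return False                      # unknown endpoints are never trusted
    if src_seg == dst_seg:
        return True                       # intra-segment traffic is out of scope here
    return flow.dport in ALLOWED.get((src_seg, dst_seg), set())


def find_violations(lines: List[str]) -> List[str]:
    """Return the flow records that cross segments without an allow rule."""
    return [line for line in lines if not is_allowed(parse_flow(line))]


# Constructed flow records (src dst dport).
SAMPLE_FLOWS = [
    "10.20.5.7 10.40.0.12 5432",     # corp user -> db on the allowed port
    "10.10.0.9 10.30.4.21 445",      # vendor portal -> POS: violation
    "10.50.0.3 10.30.4.21 22",       # jump host -> POS over SSH, allowed
    "10.10.0.9 10.10.0.15 80",       # inside the vendor segment, allowed
    "203.0.113.5 10.40.0.12 5432",   # Internet -> db: violation
    "10.30.4.21 10.40.0.12 3306",    # POS -> db on a port not in the policy: violation
]

if __name__ == "__main__":
    for record in find_violations(SAMPLE_FLOWS):
        print("VIOLATION:", record)
```

The same allowlist can be turned into firewall rules; the value of keeping it in data form is that it can also be replayed against flow logs, so a cross-segment path that someone opened "temporarily" shows up as a violation instead of staying invisible until it is used.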


Anthem Breach (2015) (diagram; source: https://www.cs.bu.edu/~goldbe/teaching/HW55815/presos/anthem.pdf)


Office of Personnel Management (OPM) (2015)

What got stolen? 21.5 million background-investigation records, including SF-86 forms, and 5.6 million sets of fingerprints.

What was the impact? “... cannot be overstated, nor will it ever be fully known.” -- House Oversight Majority Report

How did it happen? Root cause?

• Under-resourced information security program
• Failure to prioritize security
• Stolen contractor credentials
• Malware

How could it have been prevented?

• Investment in and prioritization of security
• Multi-factor authentication
• Containment of legacy systems that could not be secured


The Yahoo Breaches (2013-2014, disclosed 2016-2017)

What got stolen/exposed?

• More than 3 billion accounts (every Yahoo account that existed at the time of the 2013 breach)
• Access to any Yahoo email account

Impact?

• Largest breach in the history of the Internet
• $350 million reduction in the price Verizon paid to acquire Yahoo

How did it happen? Root cause?

• Spear phishing
• Malware
• Theft of the cookie-minting code: together with the stolen user database, it let the attackers forge valid session cookies for arbitrary accounts without knowing a password
• Yahoo's User Database (UDB) stolen
• Unauthorized access to Yahoo's Account Management Tool (AMT)
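The root-cause list above makes the security-design point: the attackers could forge cookies because stolen code plus stolen database contents were enough to mint them (see the DOJ indictment in the References). The following is an added example, not Yahoo's code and not a description of Yahoo's actual scheme, of the property a session cookie design should have: forgery resistance that rests on a server-side key kept outside both the code repository and the user database, bound to a key id so the key can be rotated and every outstanding cookie invalidated in one step. The cookie format, keys, key ids and user ids are hypothetical.

```python
"""Keyed session cookies with rotatable keys.

Added example illustrating the lesson of the Yahoo cookie forgery; it is
not Yahoo's cookie scheme. Cookie format, keys, key ids and user ids are
hypothetical.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Server-side signing keys indexed by key id so they can be rotated.
# In production these come from a secrets manager or HSM, never from the
# source repository or the user database: an attacker holding both the
# minting code and the database still cannot compute a valid tag.
KEYS: Dict[str, bytes] = {
    "k1": bytes.fromhex("00" * 32),   # hypothetical older key, still accepted
    "k2": bytes.fromhex("ff" * 32),   # hypothetical current key
}
CURRENT_KEY_ID = "k2"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(key_id: str, payload: bytes) -> bytes:
    # The key id is bound into the MAC so a cookie cannot be relabelled as
    # having been minted under a different key.
    return hmac.new(KEYS[key_id], key_id.encode() + b"." + payload,
                    hashlib.sha256).digest()


def mint_cookie(user_id: str, ttl: int = 3600, now: Optional[int] = None,
                key_id: str = CURRENT_KEY_ID) -> str:
    """Return 'key_id.payload.tag'; the payload carries the user and an expiry."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"uid": user_id, "exp": now + ttl},
                         separators=(",", ":")).encode()
    return f"{key_id}.{_b64(payload)}.{_b64(_tag(key_id, payload))}"


def verify_cookie(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        key_id, payload_b64, tag_b64 = cookie.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:          # wrong field count or malformed base64
        return None
    if key_id not in KEYS:      # key retired: every cookie minted under it is dead
        return None
    if not hmac.compare_digest(tag, _tag(key_id, payload)):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("uid")


def retire_key(key_id: str) -> None:
    """Rotate a key out; all sessions minted under it are invalidated at once."""
    KEYS.pop(key_id, None)


def forge_without_key(user_id: str, key_id: str = CURRENT_KEY_ID) -> str:
    """What an attacker holding the source code but not the key can build:
    a syntactically perfect cookie with a made-up tag."""
    payload = json.dumps({"uid": user_id, "exp": 2 ** 40},
                         separators=(",", ":")).encode()
    fake_tag = _b64(bytes(32))
    return f"{key_id}.{_b64(payload)}.{fake_tag}"


def tamper_uid(cookie: str, new_uid: str) -> str:
    """Swap the user in an otherwise genuine cookie, keeping its original tag."""
    key_id, _payload, tag_b64 = cookie.split(".")
    payload = json.dumps({"uid": new_uid, "exp": 2 ** 40},
                         separators=(",", ":")).encode()
    return f"{key_id}.{_b64(payload)}.{tag_b64}"
```

Two consequences of this layout are worth noting. Knowing the algorithm (Kerckhoffs's principle) buys the attacker nothing; only the key does, and the key is the one thing not stored with the code or the user records. And because each cookie names the key it was minted under, a breach is answered by retiring that key id, which logs every affected session out without touching the user database.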


2017 and 2018 Breaches

Similar modus operandi as in previous years (source: privacyrights.org)

• Dun and Bradstreet (33.6 million; Mar ‘17)

• River City Media (1.34 billion; Mar ‘17)

• WannaCry (200K+, May ‘17)

• Equifax (145M, Sept ’17)

• Aadhaar (1.1 billion, Jan ‘18)

• Exactis (340M, June ‘18)

• Under Armour (150M, May ‘18)

• Marriott (339M, Nov ‘18)

(Attacker Lifecycle diagram; source: Wikipedia.org)


The Capital One Breach (2019)

What got stolen? Personal data of about 100 million people in the US and 6 million in Canada, including roughly 140,000 US Social Security numbers, 80,000 linked bank account numbers and about 1 million Canadian Social Insurance Numbers

What was the impact?

• The attacker was arrested and charged; the computer fraud charge carried up to 5 years in prison and a $250K fine
• Estimated breach costs of $100M to $150M (Capital One's own estimate at the time)

How did it happen? Root cause?

• A misconfigured web application firewall running on an EC2 instance could be made to issue requests on the attacker's behalf (Server-Side Request Forgery, SSRF). The forged request went to the instance metadata service, which returned temporary credentials for the IAM role attached to the instance; that role was permitted to list and read S3 buckets, which the attacker then copied.

How could it have been prevented?

• Firewall (WAF) configuration review
• Automated hybrid cloud security scanning
• Least-privilege IAM role for the WAF instance (it did not need to list and read the buckets)
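The SSRF at the heart of this breach is a code-level defect the firewall review would have had to catch: a server-side component fetching whatever URL it was handed, including the cloud metadata endpoint. The following is an added example, not Capital One's code and not a reproduction of their WAF, showing the vulnerable pattern beside a hardened check. Host names, addresses, the fake DNS table and the fake HTTP responses are constructed so the example runs offline.

```python
"""Server-side request forgery (SSRF) guard for a URL-fetching feature.

Added example for the Capital One lesson; not Capital One's code. Host
names, addresses, the fake DNS table and fake HTTP responses are
constructed so that the example runs offline.
"""
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlparse

Resolver = Callable[[str], List[str]]
Opener = Callable[[str], bytes]

# Cloud instance-metadata endpoints that a server-side fetch must never reach.
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}
ALLOWED_SCHEMES = {"http", "https"}


def fetch_unsafe(url: str, opener: Opener) -> bytes:
    """Vulnerable pattern: the user-controlled URL is fetched as-is, so the
    fetch can be pointed at the metadata service of the machine doing it."""
    return opener(url)


def is_public_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(host: str) -> List[str]:
    """Every address the host resolves to (real DNS; raises OSError on failure)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_fetch_target(url: str, resolve: Resolver = resolve_all) -> Tuple[bool, str]:
    """Return (allowed, reason) for a user-supplied URL.

    Every resolved address must be public, so a name that resolves to both a
    public and a link-local address is rejected. The connection must then be
    made to the address that was checked (pin it), or DNS rebinding can swap
    in a different one between check and use.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "no host"
    if parsed.username is not None or parsed.password is not None:
        return False, "userinfo in URL"
    if host.lower() in METADATA_HOSTS:
        return False, "metadata endpoint"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # IP literal: no lookup needed
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError:
            return False, "unresolvable host"
    if not addrs:
        return False, "unresolvable host"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


def fetch_safe(url: str, opener: Opener, resolve: Resolver = resolve_all) -> bytes:
    """Hardened pattern: validate first; blocked targets raise PermissionError."""
    allowed, reason = check_fetch_target(url, resolve)
    if not allowed:
        raise PermissionError(f"refusing to fetch {url}: {reason}")
    return opener(url)


# Constructed offline stand-ins for DNS and HTTP.
FAKE_DNS = {
    "reports.example.com": ["93.184.216.34"],
    "rebind.evil.test": ["93.184.216.34", "169.254.169.254"],
    "intranet.corp.test": ["10.0.0.5"],
}
CREDS_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
FAKE_HTTP = {
    CREDS_URL: b"hypothetical-waf-role",   # role name, first step toward its temporary keys
    "https://reports.example.com/q1.pdf": b"%PDF-1.7 constructed",
}


def fake_resolve(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return FAKE_DNS[host]


def fake_open(url: str) -> bytes:
    return FAKE_HTTP.get(url, b"")
```

The instance side can be hardened as well. AWS introduced IMDSv2 in November 2019, after this talk: it requires a session token obtained with a PUT request carrying a custom header, which a WAF-relayed GET cannot produce, and it is enforced per instance with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`. Neither control replaces the other; the application check stops the forged request, and the metadata setting limits what a forged request that gets through can collect.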


Summary: Top Five Key Root Causes of Breaches

Root cause                                                          Example breaches
Phishing                                                            Target, JPMorganChase, Anthem, Yahoo, DNC
Malware                                                             Target, OPM, Yahoo, Marriott, WannaCry
Third-party supplier                                                Target, JPMorganChase, Facebook
Software / application security, vulnerability management           Equifax, Yahoo, Facebook
Inadvertent employee errors / accidents (separate from phishing)    Exactis, River City Media

Note that a single breach can have multiple root causes.


What you can do

Attack vector: Phishing

Defenses:
• Report all suspicious emails to: [email protected]
• Always use multi-factor authentication (Duo)
• Avoid acting on unsolicited emails on mobile devices (e.g., viewing URLs)
• Reset your credentials if you think you got phished

Attack vector: Malware

Defenses:
• Do not open unexpected or unusual attachments
• Be careful what you click
• Limit privileges and access to only what you need
• Patch your machine promptly

Attack vector: Third-party suppliers

Defenses:
• Vet all third-party suppliers' security and set them on an improvement path if necessary


Number of Records Breached By Year (chart; source data from PrivacyRights.org)


Breaches by Type (chart; source data from PrivacyRights.org)


CyberSecurity Skills / Staffing Gap: Need for Automation

“We predict there will be 3.5 million unfilled cybersecurity positions [worldwide] by 2021.” -- CyberSecurity Ventures

Source: CyberSeek.org


You may also be interested in…

Foundations of Information Security
Professional Online Course: Open Enrollment
Instructors: Neil Daswani and Dan Boneh

Learn the foundational skills needed to build a successful cyber security career. You’ll hear from experts like Dan Boneh and Neil Daswani, as well as from Vint Cerf, co-creator of the internet, and industry security leaders from Google, LinkedIn, and LifeLock.

Emerging Threats & Defenses
Professional Online Course: Open Enrollment
Instructors: Neil Daswani, Dan Boneh and John Mitchell

Understanding trends in computer science and how machine learning and anti-malware defenses can respond to threats is a critical component of protecting networks, infrastructure and users. Explore the growing challenges of securing sensitive data, networks and applications with different privacy controls to defend against malicious acts.

computersecurity.stanford.edu


References

ACS Courses:

• Foundations of Information Security

• CyberSecurity and Executive Strategy

• Emerging Threats and Defenses

Yahoo Breach:

• Indictment of Russian spies and cybercriminals (https://www.justice.gov/opa/press-release/file/948201/download)

• Ars Technica: How did Yahoo get breached? (https://arstechnica.com/tech-policy/2017/03/fbi-hints-that-hack-of-semi-privileged-yahoo-employee-led-to-massive-breach/)

OPM Breach:

• How the Government Jeopardized Our National Security for More than a Generation (https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf)

Anthem Breach:

• The Anthem Hack (https://www.cs.bu.edu/~goldbe/teaching/HW55815/presos/anthem.pdf)


Q&A

Neil Daswani, [email protected]

Co-Director, Stanford Advanced Security Program


Stanford Center for Professional Development

online | at Stanford | at work

Graduate Education. Professional Certification.

scpd.stanford.edu


The Stanford Advanced Computer Security Certificate Program

Security Intelligence. Technology Insights.

Gain vital skills needed for today’s cyber workforce. From state-of-the-art software security design principles to concrete programming techniques, this online computer science program exposes you to the expert instruction and research addressing cyber security in modern technology.

Presented By

computersecurity.stanford.edu

Stanford Center for Professional Development
