Deloitte, one of the world’s “big four” accountancy firms, announced on Monday that it was hit by a sophisticated cyber-attack. The hack, one that apparently went undetected for several months, compromised the confidential emails and plans of some of the company's blue-chip clients.
The attack, which appeared to have targeted the firm’s U.S. operations, is thought to have been discovered in March and could have begun as early as October 2016. The Guardian was the first to report the story. So how did it happen? The hacker accessed the firm’s global email server through an “administrator’s account” that gave them unrestricted “access to all areas.” And it was all too easy - the account required only a single password and did not have two-step verification.
Deloitte said “very few” clients were impacted, and has solicited outside help to review its security. However small the scale may be here, there are glaring issues that mustn't be ignored. Could this have been prevented? As in most cases, absolutely. Our experts weigh in.
Willis McDonald, Threat Research Manager at Core Security, shared his insights on the matter. "Deloitte provides a security consultancy service to enterprise and government clients, which include recommendations against having administrator accounts without multi-factor authentication," said McDonald. "The fact that a Deloitte administrator account was accessible without multi-factor authentication is inexcusable. To make matters worse, it appears that no one at Deloitte noticed suspicious account activity for months."
True, he has a point, but it begs the question - with Deloitte being perhaps one of the more cyber-savvy organizations, how did this happen? According to Gaurav Banga, Founder and CEO of Balbix, the unfortunate reality is that the number of different ways in which an enterprise may be breached is very large, and even a robust investment in traditional security technologies and incident response is not enough.
"Enterprises need to think proactively to really understand their attack surface of software and humans continuously and comprehensively – which parts are at greatest risk, what mitigations will work well, and where the security gaps are," says Banga.
Further, static passwords simply cannot provide effective corporate protection anymore. It's up to providers and enterprises to follow best practices in authenticating users, starting with a proactive approach to identifying suspicious logins. "Dynamic identity management solutions that can detect potential intrusions, require multi-factor authentication, and integrate with existing systems for managing user access can be much more effective than basic password protection," says Rich Campagna, CEO, Bitglass.
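The kind of proactive login review the experts describe above, reduced to code as an added example (it is not from the column or from any of the vendors quoted): the script walks a constructed authentication log and flags two things a monitoring team would have wanted to see in the Deloitte case, a privileged account authenticating without MFA and a login from a source the account has never used before. The log format, the account names, the IP addresses and the per-account baseline are all constructed assumptions.

```python
"""Flag privileged logins that bypass MFA and logins from unfamiliar sources.

Added example (not from the column or any vendor quoted in it). The event
format, account names, IP addresses and baseline below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample of authentication events:
# timestamp, account, source_ip, mfa_used ("yes"/"no"), result
SAMPLE_LOG = """\
2016-10-03T02:14:09Z,mail-admin,203.0.113.45,no,success
2016-10-03T09:02:51Z,jsmith,198.51.100.7,yes,success
2016-10-03T09:05:12Z,jsmith,198.51.100.7,yes,success
2016-10-04T01:47:30Z,mail-admin,203.0.113.45,no,success
2016-10-04T08:30:00Z,mail-admin,198.51.100.20,yes,success
2016-10-04T23:59:59Z,jsmith,203.0.113.99,no,failure
"""

# Assumption: "mail-admin" is the administrator account on the global mail server
PRIVILEGED_ACCOUNTS = {"mail-admin"}

# Known-good source addresses per account, built from prior history (constructed)
BASELINE_SOURCES: Dict[str, Set[str]] = {
    "mail-admin": {"198.51.100.20"},
    "jsmith": {"198.51.100.7"},
}


@dataclass
class LoginEvent:
    when: datetime
    account: str
    source_ip: str
    mfa: bool
    success: bool


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the comma-separated sample format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, mfa, result = line.split(",")
        events.append(LoginEvent(
            when=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            account=account, source_ip=ip,
            mfa=(mfa == "yes"), success=(result == "success")))
    return events


def audit_logins(events, privileged=PRIVILEGED_ACCOUNTS, baseline=BASELINE_SOURCES):
    """Return (account, reason, event) findings for successful logins, in log order."""
    findings = []
    for ev in events:
        if not ev.success:
            continue  # failed attempts are a separate brute-force signal, not handled here
        if ev.account in privileged and not ev.mfa:
            findings.append((ev.account, "privileged login without MFA", ev))
        known = baseline.get(ev.account, set())
        if ev.source_ip not in known:
            findings.append((ev.account, f"login from unfamiliar source {ev.source_ip}", ev))
    return findings


def summarize(findings):
    """Count findings per account; any non-zero count for a privileged account is a review trigger."""
    counts: Dict[str, int] = {}
    for account, _, _ in findings:
        counts[account] = counts.get(account, 0) + 1
    return counts


if __name__ == "__main__":
    for account, reason, ev in audit_logins(parse_log(SAMPLE_LOG)):
        print(f"{ev.when.isoformat()} {account}: {reason}")
```

Run against the sample, the two off-hours administrator logins from 203.0.113.45 each produce both findings, while the ordinary user's MFA-backed logins from their usual address produce none; the point is that a months-long pattern like the one described above is cheap to surface once the log is actually being read.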
Our second story takes a look at our pals at Verizon. Apparently something is wrong with the plumbing over there, because the telecommunications giant has sprung another leak. It was announced last Friday that confidential and sensitive documents, including server logs and credentials for internal systems, were found on an unprotected Amazon Web Services (AWS) S3 storage server controlled by a Verizon Wireless customer. The discovery was made by security researchers at the Kromtech Security Research Center.
The server held several files, mostly scripts and server logs, and possibly usernames and passwords to internal systems. Other folders contained internal Verizon "confidential and proprietary materials" documents, detailed server and infrastructure maps, server IP addresses, global router hosts, and several scripts that could have allowed access to important parts of the system.
In the end, no customer data was involved, but that doesn't mean Verizon is off the hook. The information could be extremely useful to attackers. To know the layout of the company's systems is a prize many hackers would give their left arm for (well, perhaps not... typing malicious code would be too difficult with one hand). It's unknown at this point if anyone else beyond the security researchers accessed the bucket.
“Given the high number of incidents involving exposed S3 buckets that we have seen in the past few months, it is baffling that every organization is not carefully looking into the configurations and exposure levels of their storage in the cloud," Zohar Alon, co-founder and CEO of Dome9, shared in a statement. "Protecting data in the cloud from accidental exposure and theft is a business priority."
Alon goes on to say that companies need to be held highly accountable for their lack of security on the public cloud. The public cloud needs a united front on security with regular configuration checks and balances – where public cloud providers, third party tools with advanced features, and a governing body all work together in order to ensure corporate and consumer data stays safe and out of the reach of hackers.
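One concrete form of the "regular configuration checks" Alon calls for, as an added example that is not from the column, Kromtech or Dome9: the script below evaluates a bucket's ACL grants and its bucket policy document for the two ways an S3 bucket becomes world-readable, a grant to the AllUsers or AuthenticatedUsers group and an Allow statement with a wildcard principal. The bucket names and the ACL and policy documents are constructed, shaped like the responses of the S3 GetBucketAcl and GetBucketPolicy APIs; in a real inventory sweep those documents would come from the API rather than from inline constants.

```python
"""Detect public S3 bucket exposure from ACL grants and bucket policy documents.

Added example, not from the column or from Kromtech/Dome9. The bucket names
and the ACL/policy documents are constructed to mirror the shape returned by
the S3 GetBucketAcl and GetBucketPolicy APIs.
"""
import json
from typing import Dict, List

# AWS predefined groups whose presence in an ACL grant makes the bucket public
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_exposures(acl: dict) -> List[str]:
    """Return one finding per ACL grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return findings


def _principal_is_public(principal) -> bool:
    """Principal may be "*", {"AWS": "*"} or {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def policy_exposures(policy_json: str) -> List[str]:
    """Return one finding per Allow statement with a wildcard principal."""
    findings = []
    policy = json.loads(policy_json)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Condition"):
            # A Condition (e.g. a source-VPC restriction) may narrow the grant; flag for review
            findings.append(f"policy allows {', '.join(actions)} to everyone, subject to a Condition: review")
        else:
            findings.append(f"policy allows {', '.join(actions)} to everyone")
    return findings


def check_bucket(name: str, acl: dict, policy_json: str = None) -> Dict[str, object]:
    """Combine ACL and policy findings into one verdict for a bucket."""
    findings = acl_exposures(acl)
    if policy_json:
        findings += policy_exposures(policy_json)
    return {"bucket": name, "public": bool(findings), "findings": findings}


# Constructed inventory: one exposed bucket, one private bucket
PRIVATE_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]}
EXPOSED_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-server-logs/*"}]})


def scan_inventory():
    """Evaluate every bucket in the constructed inventory."""
    return [
        check_bucket("example-server-logs", EXPOSED_ACL, EXPOSED_POLICY),
        check_bucket("example-private", PRIVATE_ACL),
    ]


if __name__ == "__main__":
    for r in scan_inventory():
        print(f"{r['bucket']}: {'PUBLIC' if r['public'] else 'ok'}")
        for finding in r["findings"]:
            print("  -", finding)
```

The checker treats any public grant as a finding regardless of what the bucket holds, which is the right default for a bucket of server logs and internal scripts like the one in the Verizon story: the decision to expose data should be an explicit exception, not something a scan has to argue about.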
Our last story takes a look under the hood of the latest cybersecurity threat report from Nexusguard. The report, which measured more than 8,300 attacks, takes a deep dive into IoT and DNS-based attacks specifically. And guess what? These types of attacks are on the rise. Shocking.
Highlights from the data include:
- UDP attacks (targeting DNS servers and amplifying volume through IP-connected devices) grew 15% in the last quarter, becoming the most popular type of attack.
- Switzerland broke into the Top 3 country sources of attacks as extortionist gangs became more active in Europe.
- Three out of every four DDoS attacks used multiple vectors, often masking other malicious behavior, such as remote code execution or compromising personally identifiable information.
“UDP attacks can frequently act as smokescreens over other malicious behavior, such as efforts to execute remote codes, malware, or compromise personally identifiable information,” said Juniman Kasman, chief technology officer for Nexusguard. “Due to the speed with which UDP attacks can overwhelm DNS servers and hijack IoT devices, rapid detection and response is critical for overcoming these types of attacks. Organizations need to protect their DNS servers, and should consider using Anycast routing technology to avoid saturating individual attack targets.”
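The "rapid detection" Kasman calls for rests on a simple observation about reflected DNS floods: the victim receives large DNS answers from many resolvers it never queried. The script below, an added example that is not from the column or from Nexusguard, applies that test to a constructed set of flow records and reports destinations whose inbound UDP/53 response volume dwarfs the queries they sent. The flow format, the addresses and the two thresholds are constructed assumptions.

```python
"""Spot DNS reflection/amplification floods in UDP flow records.

Added example; it is not from the column or from Nexusguard. The flow
format, addresses and thresholds are constructed assumptions.
"""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    byte_count: int


# Constructed sample: 192.0.2.10 receives large DNS responses from four resolvers
# it never queried (the reflection signature); 192.0.2.20 is a normal client.
SAMPLE_FLOWS = [
    Flow("198.51.100.1", 53, "192.0.2.10", 41234, "udp", 3000),
    Flow("198.51.100.2", 53, "192.0.2.10", 41234, "udp", 3000),
    Flow("198.51.100.3", 53, "192.0.2.10", 41234, "udp", 3000),
    Flow("198.51.100.4", 53, "192.0.2.10", 41234, "udp", 3000),
    Flow("192.0.2.20", 51000, "198.51.100.1", 53, "udp", 80),
    Flow("198.51.100.1", 53, "192.0.2.20", 51000, "udp", 200),
]

# Assumed thresholds; a real deployment tunes these against its own traffic baseline
MIN_REFLECTORS = 3      # distinct DNS sources answering one destination
MIN_AMPLIFICATION = 10  # response bytes per byte of queries the destination sent


def detect_reflection(flows, min_reflectors=MIN_REFLECTORS, min_amp=MIN_AMPLIFICATION):
    """Return {victim_ip: stats} for destinations that look like reflection targets."""
    response_bytes = defaultdict(int)
    query_bytes = defaultdict(int)
    reflectors = defaultdict(set)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.src_port == 53:          # DNS answer arriving at f.dst_ip
            response_bytes[f.dst_ip] += f.byte_count
            reflectors[f.dst_ip].add(f.src_ip)
        elif f.dst_port == 53:        # DNS query sent by f.src_ip
            query_bytes[f.src_ip] += f.byte_count
    suspects = {}
    for ip, rb in response_bytes.items():
        qb = query_bytes.get(ip, 0)
        # Answers with no matching queries at all are the strongest reflection signal
        amp = rb / qb if qb else float("inf")
        if len(reflectors[ip]) >= min_reflectors and amp >= min_amp:
            suspects[ip] = {"response_bytes": rb, "query_bytes": qb,
                            "reflectors": len(reflectors[ip]), "amplification": amp}
    return suspects


if __name__ == "__main__":
    for ip, stats in detect_reflection(SAMPLE_FLOWS).items():
        print(f"{ip}: {stats['response_bytes']} B from {stats['reflectors']} resolvers, "
              f"{stats['query_bytes']} B of queries sent")
```

Because the check keys on the mismatch between answers received and queries sent rather than on raw volume, it fires early in a flood, which matters when the UDP traffic is a smokescreen for something else; the same ratio computed per resolver also tells an operator which of their own DNS servers are being abused as reflectors.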
It has been a while since we've seen these types of attacks make headlines, but make no mistake - the potential for them to occur is always there. Read the full "Q2 2017 Threat Report" for more details and insight.
The views expressed in this column do not necessarily reflect the views of Penton Media or The VAR Guy editorial staff.