The sound of silence
Enterprises pay a lot of money to consultancies like Deloitte to receive “best of breed” advise on cybersecurity strategy and implementation. What happens, then, when the people providing the expert advice become the victims of a cyber attack that targets sensitive client data? In the case of the Deloitte breach, we’re not just talking about personal data—email addresses, passwords, usernames. The incident, initially suspected nearly a year ago and disclosed this week, reportedly also revealed intellectual property (IP) of noteworthy clients. While we can assume that most U.S. citizens’ PII is internet accessible at this point in time, IP is another story; companies’ designs and architectural plans aren’t tossed around like people in the U.S. toss around their own identification information. Though both IP and PII have the potential to affect damage, the former is truly more secret than the latter.
Perhaps the lesson here—and there should always be a lesson to learn when a major company is breached—is that there are different categories of “sensitive” information. This is not a new lesson. Or a novel lesson. But data classification doesn’t get the attention it used to, possibly because it’s wily and complex.
In the case of the Deloitte breach, the sensitive information is said to have been contained in emails and stored in the company’s Azure cloud service. (To date, the company is not reporting whether the cloud was public, private, or hybrid.) Reasonably, one would think that highly sensitive information such as company designs warrant the highest level of protections, yet email has become the de facto method of business communication, regardless of topic and sensitivity. Whatever the security team says or does, however, employees are going to continue to exchange secret information via email.
This makes securing that highly sensitive information extremely difficult. Should security teams be inspecting every email employees send through the approved email client? Doing so, unfortunately, is a low return on investment. Depending on the size of the company, hundreds of thousands of emails might be exchanged every day, and many of them don’t include any information that would devastate the organization if publicly released.
As a category, though, emails should, perhaps, be treated with more sensitivity (because it would be next to impossible to classify each and every one). We know that employees email information they shouldn’t. We know this behavior isn’t going to stop. Therefore, how do we protect emails, in general, to ensure that sensitive information contained in any of them isn’t visible to unauthorized eyes?
For one thing, the contents of email should be encrypted. It’s likely that the emails, themselves, were encrypted when they were on the server. However, the emails were backed up to Azure and, while we don’t yet know for certain, it’s probable that the information at rest was stored unencrypted…otherwise this isn’t a particularly big story.
Another smoking gun in the Deloitte case is—once again—straightforward access to sensitive data. The Guardian reported on Monday that “The hacker compromised the firm’s global email server through an ‘administrator’s account’ that, in theory, gave them privileged, unrestricted ‘access to all areas.’ The account required only a single password and did not have ‘two-step’ verification, sources said.” Brian Krebs later reported that the breach affected “the entire email database and all admin accounts.” Further, according to Krebs’ source, a “mandatory password reset notice” was sent to all Deloitte employees in October 2016. While “strong password guidelines” are helpfully included in the notice, no mention is made of implementing an additional authentication factor. It seems this top advisor forgot to advise its own identity and access management policy on best practice.
Yet again we have a situation where an easy fix could have been implemented but security was eschewed in favor of convenience. Whatever other security protections Deloitte had in place, the ability for an attacker to gain access to its data using a verified username/password combination negated it all. As Darin Franklin, Head of Information Protection for Philips Lighting put it, “The problem with all of this is that humans are lazy. People don’t want to be inconvenienced by having to look up a one-time password. Apple, for instance, has done an amazing job with getting people to use a fingerprint as a second authentication factor, and the users don’t even realize it. That is the kind of creativity we need to drive adoption.” What Franklin is referring to, of course, is how Apple and other mobile device manufacturers have slipped biometric authentication into mainstream device usage. It’s easy, it improves security over the 4- or 6-digit PIN previously required, and most people probably don’t even realize they’re contributing to improved device security. Sly? Maybe. Subtle? Yes—and exactly the kind of thinking necessary to push forward more secure authentication and access practices.
Best case scenario, companies learn from this breach, institute policies, and implement controls that force all admin accounts to use (at least) two-factor authentication (2FA). While biometric authentication on laptops and desktops isn’t an imminent reality for most organizations yet, companies have the technological resources to require other forms of 2FA. The business cost to do so is low; the impact on business risk is great.
Attend InfoSec World Conference & Expo March 19-21, 2018 to learn more identity and access management and data protection best practices.