My colleague, 1Password Senior Security Specialist (and all round stand-up guy) Chris Butler, and I recently chatted about a trend that’s emerged over the past few years: attempts to capitalize on cybersecurity incidents through self-promotion.
Chris drew an interesting comparison: “Data breaches are similar to car accidents in some ways. And members of the security industry are like the first responders.”
Just like highway traffic slows after a collision so drivers can sneak a peek at the damage, all eyes (and minds) are on cybersecurity after a breach. That period of heightened interest and awareness is the ideal time to share information, insight, and instruction.
Rather than take to social media and other platforms to essentially shame the affected business and fearmonger others, we should shout about how similar attacks can be prevented.
And our industry needs to lead the charge.
Say it loud
Imagine someone could perform a basic Google search and locate a tool that scans your network and identifies IP addresses that lead to unprotected routers. For IT admins and security professionals, it’s the stuff of nightmares.
That’s exactly what happened in August 2021 when a hacker targeted the network of the second-largest mobile provider in the United States. He ultimately gained access to the names, driver’s license numbers, Social Security numbers, and unique device identifiers of more than 50 million current and former T-Mobile customers.
To prevent a compromise like this, we’d advise companies to:
- Have a standard of hardening for endpoints, network devices, and services so they’re not used without a hardening process.
- Recognize the importance of data governance and retention policies. Eternal storage of information may seem appealing but it exponentially increases what might be disclosed in a breach.
Rule of thumb: If information isn’t required, get rid of it.
Ride-share pioneer Uber announced a number of its internal systems had been compromised about 13 months later. The cyberattack was engineered by an 18-year-old who used a combination of credential theft and something called multi-factor authentication fatigue to gain access to a contractor’s Slack account. That access was used to obtain elevated permissions to other services.
After an incident of this kind, we’d recommend you:
- Use only time-based one-time passwords (TOTP) or FIDO universal second factor (U2F) methods. FIDO U2F keys may not be the easiest option but Cloudflare provides a recent example of their efficacy.
Audit and improve internal processes and controls with the tools you already have — it can make all the difference.
Nine days after the Uber incident, cybersecurity researchers discovered Microsoft had inadvertently exposed the names and contact information of various business customers and prospects, along with transactional email content and documents. The researchers detected the data leak with a proprietary technology that monitors public buckets (cloud storage) for confidential information; they traced the data back to a misconfigured internet-accessible server maintained by the largest computer software vendor in the world.
To prevent a similar event:
- Use an infrastructure-as-code system, like Terraform or Ansible, that allows you to program (in a sense) the system you want to build.
- After code is written, it should be thoroughly reviewed to make sure the bucket is properly configured.
Think like an attacker: Scan your infrastructure for vulnerabilities.
I’ve focused on a few recent high-profile incidents but there were breaches before, between, and after the ones named here — and there will be more in the (probably near) future.
As Chris said about the security industry as first responders: “[We need to] assess the breach report, praise transparency, speak honestly about the implications, and put out a message of practical advice for improvement.
“These steps might sell fewer products, but they force us to focus on those impacted, and how our industry can continue to build tools that protect people, companies, and their respective data.”
I should take a moment to clarify my position: Cybersecurity is a business and, yes, businesses need to make money to survive — that money is the reason you and I can support ourselves. After a public incident, nearly every tech organization will (and should) have something to say to generate interest in its own brand. It’s what we, as members of the tech industry, choose to post and publish that speaks volumes.
Chasing rainbows
The English language has more than its fair share of idioms. Piece of cake, cold turkey, when pigs fly, Netflix and… you get the idea. One particular expression came to mind as I wrote this article.
To chase rainbows means to pursue unrealistic or impossible goals. A world without data breaches is our rainbow.
But it’s not about perfection or hitting the bullseye every single time — it’s about aiming for it. We1 can strive for the ideal and fall short because we’ll land on better (and lead by example along the way).
Let’s be educators and teach people about emerging threats and how to guard themselves and their organizations against those threats.
Let’s be activists and raise awareness of incident fallout and what real (easy-to-follow, free-of-charge) actions people can take to safeguard their businesses and confidential information.
Let’s beat the attackers and shift security left; secure endpoints, create and enforce strict data policies, and employ protection methods that aren’t susceptible to fatigue. Proactive security is everything.
Let’s shoot for the moon and fall among the stars.
Or rainbows.
An all-inclusive term. 1Password strives to be a great example but is an organization (proudly) run by real humans and, therefore, perfectly imperfect. ↩︎
Megan Barker
Security Scribbler
Tweet about this post