What keeps executives up at night? According to the World Economic Forum’s (WEF) 2019 Executive Opinion Survey, it’s cyberattacks. When reflecting on 2019, it’s clear why that is. From healthcare and insurance to manufacturing and telecommunications, cybercriminals spared no industry from their schemes, with a few key verticals bearing the brunt of this year’s attacks. It comes as no surprise that financial services, insurance, and healthcare were popular targets, given their proximity to sensitive, easily-monetizable data. A little more surprising, however, is the similarities between breaches across industries and organizations. Below, I’ll recap notable incidents from 2019, expand upon their commonalities, and explore a few lessons to learn as we enter a new year.
Different Industries, Same Causes
Although cybersecurity incidents rarely stem from one failure entirely, a few central causes and trends appeared throughout 2019.
Application misconfigurations were responsible for two of 2019’s most prominent data breaches. In the largest hack of the year, a former AWS employee exploited a misconfigured Web Application Firewall (WAF) to steal the Social Security numbers, bank account numbers, and other sensitive information of more than 100 million Capital One customers and credit card applicants. Initially labeled an insider attack due to Capital One hosting their data on Amazon servers, the breach was instead the result of the WAF receiving too many permissions, which enabled the malicious actor to access a back-end resource responsible for handing out access credentials. Although the information stolen was most likely neither shared nor used fraudulently, Capital One estimates the incident will cost the company over $300 million.
First American Financial Corporation fell prey to an even simpler misconfiguration in what was less a hack than outright negligence. A mistake in the company’s online customer portal enabled anyone with the URL of a valid First American document to modify a number in the existing URL to view other sensitive documents. A staggering 885 million customer financial records going back to 2003 were accessible because of this design defect. And while there is no evidence anyone actually found or stole the information, First American now faces both government investigations and a class-action lawsuit.
Exploiting Third-Party Access
Organizations must, of course, pay close attention to their own cybersecurity preparation, but in today’s hyperconnected digital world, they must also holistically audit the third parties they interact with as well. In 2019, both Quest Diagnostics and Sprint failed to conduct this due diligence. Quest, which is among the world’s largest clinical laboratories, exposed the personal information, including credit card numbers and Social Security numbers, of more than 11.9 million patients via a breach that originated from AMCA, an outside billing collections agency. To make matter’s worse, AMCA didn’t detect the vulnerability for almost a full year, allowing the attacker to slowly drain information from AMCA affiliates and ultimately forcing AMCA’s parent company into bankruptcy. Though Quest escaped such a dramatic fate, it is the subject of both government investigation and a class-action lawsuit.
Sprint faced a similar scenario this year when hackers accessed customer data through a vulnerability in a Samsung website. Samsung and Sprint are connected digitally to enable customers to finance Samsung phones through a carrier deal with Sprint, an arrangement that benefits their customers but also creates another threat vector to defend against. And though the exact name of Samsung’s vulnerability is unclear, this incident is further evidence of the need to protect oneself by choosing partners carefully.
Lack of Appropriate Authentication/Credentials for Sensitive Data
This third trend could apply to nearly every breach in this post, but it’s the central cause of at least two significant 2019 cybersecurity incidents. In August of this year, State Farm was hit with a credential stuffing attack in which attackers leveraged usernames and passwords from other data breaches to log in to other accounts and sites. Because people often use the same passwords for multiple accounts, credential stuffing is an effective tactic and one used in a second hacking of Sprint through its Boost Mobile subsidiary. In that case, an unauthorized person used Boost numbers and PIN codes to break into an unknown number of customer accounts.
Key Actions to Take in 2020
If cybersecurity is to improve in 2020, these mistakes must be prevented and vulnerabilities like the ones mentioned above must be addressed. That starts with companies having a better understanding of the access controls, technologies, and systems that are currently deployed. With that understanding, they can plug gaps and utilize the technology most appropriate to their situation, helping them to avoid a situation like First American’s, in which data was readily available online without restriction. For many, especially those interfacing with outside vendors, a zero trust model makes sense because it continuously monitors and authenticates access requests. Under zero trust, for example, the Quest Diagnostics hack would have likely been detected within days, not months.
Even without zero trust, however, continuous and automated monitoring is critical. With that in place, security teams are alerted of attacks such as credential stuffing as they occur and can respond before the attacker is successful. For a more proactive approach, IT security should also implement policies that, for example, prevent one person or IP from submitting multiple login requests or require re-authentication to access different applications.
In addition to auditing themselves and taking the actions described above, organizations must also audit the security controls of their partners to ensure they deploy layers of control and multi-protocol defenses. This means that they have overlapping layers of defense—for example, continuous monitoring and multi-factor authentication—that create redundancy and depth across their environment.
Ultimately, the goal is to act immediately upon security alerts—no matter where they stem from—in order to contain and remediate threats in a timely manner. That means visibility and integration are critical to avoid delays from validating alerts and pivoting between disparate tools. When McAfee MVISION EDR, for example, finds a threat using its artificial intelligence-driven detection capabilities, it immediately elevates an alert to all systems and individuals involved, not just McAfee-built technology. Similarly, MVISION Cloud leverages machine learning to identify suspicious behavior and access requests. This type of automated detection, investigation, and notification could easily be the difference between an isolated breach remediated in hours and a system-wide catastrophe spread over several weeks or months.
Shailaja Shankar, McAfee