2016 saw several high profile cyber-attacks, which resulted in costly breaches and damages to reputable companies and corporations. There have been several discussions in how to effectively preempt such cyber-attacks with solutions ranging from firewalls, endpoint device security, to network access management solutions.
Mindful that many industries maintain tough regulatory standards, companies are now required to implement automated systems to keep up with reporting, while also preventing breaches. The “Compliance as a Strategy for Business Success eBook” covers the key points that need to be considered when trying to achieve security compliance for regulations like SOX, HIPAA, PCI-DSS, FISMA, and GLBA. For instance, any company that stores, processes, or transmits cardholder data, must be PCI-DSS compliant. Compliance includes restricting access by what businesses need to know, creating processes to provide user access to system components, initialization of audit blogs, and more. However, these processes come with significant cyber risk.
If the cyber-assaulted companies had stronger foundations for compliance, they would not have needed to devise new and expensive technologies.
The Importance of Visibility to Achieve Compliance
When Yahoo Got Stuffed
Yahoo is no stranger to breaches. This past year it came to light that nearly 1 billion Yahoo accounts had been compromised between 2013-2015. How did this happen and what could have been done to mitigate or even prevent the hacks all together?
This was a type of mass-scale brute force attack called “cyber stuffing” which took advantage of previously hacked credentials by inserting them into random websites via automation until they found a match. Automation allowed this attack to be conducted quickly and more often than not, completely anonymously. Shuman Ghosemajumder, CTO of Shape Security, found that credential stuffing is successful in 0.1-2% of attempts and considering that many people reuse passwords across a range of websites, it can be damaging. This is especially concerning because as a publicly tradable company Yahoo is subject to SOX compliance, which was designed to protect data integrity via compliance.
If Yahoo had implemented an intelligence engine to provide admins with wider and deeper visibility of their network in real time, they would have better understood the warning signs presented in 2008 by Carnegie Mellon University’s Software Engineering Institute. The institute urged Yahoo to replace their encryption technology, MD5, which was considered cryptographically broken. Despite years of warning before the major hacks of 2013-15, Yahoo never brought the encryption up to date, because they lacked visibility and oversight.
The Ghost of Bangladesh Central Bank
In February of 2016, $81million disappeared from Bangladesh Central Bank and was subsequently laundered in casinos throughout the Philippines. Cyber criminals used bank employees’ stolen Society for Worldwide Interbank Financial Telecommunication (SWIFT) credentials to send dozens of fake money transfer requests to the NY Federal Reserve, requesting a total of a $1 billion to be transferred to various bank accounts that had been set up a year earlier in Asia. While most the requests were blocked, $81 million was released in four transfers of about $20 million each. So how was the heist pulled off and what could have been done to stop it?
The hackers implanted malware on end-point devices on the bank’s network, which prevented the automatic printing of SWIFT transactions. This undoubtedly, brought the bank into conflict with GLBA, which demands financial institutions to protect data. Both the bank and the Federal Authorities are playing the blame game. The Feds claim they followed protocol which permitted several transfers, while blocking dozens of others. There is no doubt that lack of end-point visibility and virus protection were massive issues here. The theft could have been avoided if both the bank and the Feds had total control over all network infrastructure.
To become security compliant and run the business successfully, companies need visibility on what is happening on the network. In other words, what devices are connected to the network, when they connected, what OS, applications and services they are running, who has access to what data, and proof that mechanisms to secure private data are operational. Without visibility into what is on the network, it’s impossible to control the network and ensure compliance. Check out our “Compliance as a Strategy for Business Success eBook” to grow a successful and secure business.