Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/13/2019
01:30 PM
Steve Zurier
Steve Zurier
Slideshows
Connect Directly
Twitter
RSS
E-Mail

6 Questions to Ask Once You’ve Learned of a Breach

With GDPR enacted and the California Consumer Privacy Act on the near horizon, companies have to sharpen up their responses. Start by asking these six questions.
5 of 7

4. Does the threat actor still have access to our IT environment? 
So you're well into the process and even have determined how the attacker got in; now it's time to find out if the attacker still has access and how are they maintaining access, says FireEye Mandiant's Carmakal. For example, the attackers may have installed a persistent backdoor, may be leveraging the company's VPN, or may have credentials for user accounts with privileged access.

FireEye Mandiant's Carmakal says threat actors take advantage of both privileged and non-privileged accounts. Privileged accounts often undergo less scrutiny by security teams. But Shay Nahari, who heads red-team services for CyberArk, points out that infiltrating privileged accounts gives attackers access to sensitive resources and databases, a good reason to focus in on managing those accounts.

Image Source: Adobe Stock: Sergey Ksenofontov

4. Does the threat actor still have access to our IT environment?

So you're well into the process and even have determined how the attacker got in; now it's time to find out if the attacker still has access and how are they maintaining access, says FireEye Mandiant's Carmakal. For example, the attackers may have installed a persistent backdoor, may be leveraging the company's VPN, or may have credentials for user accounts with privileged access.

FireEye Mandiant's Carmakal says threat actors take advantage of both privileged and non-privileged accounts. Privileged accounts often undergo less scrutiny by security teams. But Shay Nahari, who heads red-team services for CyberArk, points out that infiltrating privileged accounts gives attackers access to sensitive resources and databases, a good reason to focus in on managing those accounts.

Image Source: Adobe Stock: Sergey Ksenofontov

5 of 7
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
0%
100%
REISEN1955,
User Rank: Ninja
9/16/2019 | 3:22:27 PM
Nouns
Words are important and ages ago Cliff Stoll wrote an engaging book THE CUCKOO'S NEST which should be required reading for any cyber pro.  In this book, at one point, he was asked by the FBI to define the threat and theft.  Their language was proper and mild and I think this is so here...

Threat Actor?  No - how about Bald Faced Criminal

Ongoing?  No, how about barn door still unlocked?

Data theft?  No, how above did they empty Fort Knox.

Ongoing?  No, are the black trucks still at the docking back.

Restoration protocol?  No, are we still screwed in putting shit back-together?

Don't have a plan?  are we then up Schitt's creek with no paddle or boat? 

I noticed that responsibility for defense was not mentioned?
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industry’s conventional wisdom. Here’s a look at what they’re thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19729
PUBLISHED: 2019-12-11
An issue was discovered in the BSON ObjectID (aka bson-objectid) package 1.3.0 for Node.js. ObjectID() allows an attacker to generate a malformed objectid by inserting an additional property to the user-input, because bson-objectid will return early if it detects _bsontype==ObjectID in the user-inpu...
CVE-2019-19373
PUBLISHED: 2019-12-11
An issue was discovered in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can trigger arbitrary unserialization of a PHP object from a packages/cms/page_templates/page_remote_content/page_remote_content.inc POST parame...
CVE-2019-19374
PUBLISHED: 2019-12-11
An issue was discovered in core/assets/form/form_question_types/form_question_type_file_upload/form_question_type_file_upload.inc in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can delete arbitrary files from the se...
CVE-2014-7257
PUBLISHED: 2019-12-11
SQL injection vulnerability in DBD::PgPP 0.05 and earlier
CVE-2013-4303
PUBLISHED: 2019-12-11
includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-s...