Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/19/2019
02:30 PM
Mike McKee
Mike McKee
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Case of the Missing Data

The latest twist in the Equifax breach has serious implications for organizations.

When the Equifax breach — one of the largest breaches of all time — went public nearly a year-and-a-half ago, it was widely assumed that the data had been stolen for nefarious financial purposes. But as the resulting frenzy of consumer credit freezes and monitoring programs spread, investigators who were tracking the breach behind the scenes made an interesting discovery.

The data had up and vanished.

This was surprising because if the data had, in fact, been stolen with the ultimate goal of committing financial fraud, experts would have expected it to be sold on the Dark Web. At the very least, they would have expected to see a wave of fraudulent credit transactions.

Nada.

CNBC recently published an article that takes an in-depth look at what exactly happened to the credit, Social Security, and other sensitive data of 143 million people after it was stolen. The deeper the threat hunters have gone down the rabbit hole of this story, the more convinced they have become that the motive was actually even more sinister than pure financial gain.

In essence, security experts most familiar with this breach believe that a nation-state — likely China or Russia — stole the data in order to suss out current spies and pick out potential targets they could recruit as spies.

It's the latter part that should concern organizations in the US and beyond. While the complex spy scheme sounds like something out of a movie, it actually has serious, real-world implications.

The Rise of State-Sponsored Threats 
State-sponsored threats are increasingly one of the biggest threats to information assets across the globe. Threat actors are increasingly targeting businesses, universities, and other organizations with powerful and sophisticated trade-craft techniques designed to steal confidential information that can result in massive data and revenue loss.

People have many different motives to spy on behalf of a foreign government. The vast majority of nefarious insiders are acting on financial greed, but other motivations include, anger, ideology, patriotism, and organizational conflicts. The news has been flooded about employees convicted for working on behalf of a foreign government. Most recently, Chinese-born scientist You Xiaorong was accused of using her employment at Coca-Cola to steal trade secrets, with the intent to set up a competing venture in China and win a reward from a Chinese government-backed program. Apple also has come under fire, with two employees charged with stealing self-driving car project secrets in the past year.

Power-hungry executives are a major target for state-sponsored recuitment, along with those who may be suffering from financial problems. These executives can be lured into revealing secrets in return for money or power – from credentials to highly confidential documents and trade secrets. If nation-state spies have enough information to identify potential financial instability, they can determine the best targets to identify as spies, especially individuals they can convert for monetary gain.  

Are There Spies in Your Organization?  
As more employees become the targets for spy recruitment, it is more important than ever for businesses to quickly defend themselves before it is too late.

However, the reality is that most organizations do not have much visibility into what their employees and other insiders are doing with valuable company data. One study found that 42% of organizations rely on server logs to detect threats. These are very difficult to parse and rarely provide sufficient context to indicate that an employee may be conducting nefarious activity. The study also found only about a quarter of organizations are using keylogging or session recording, while 8% admit they have zero visibility whatsoever into all employee activity.

These gaps can leave organizations open to some major risks. Criminal insider incidents can have serious financial repercussions – to the tune of an average annualized cost of $2.99 million, according to a recent Ponemon report. Many organizations simply can't recover from the financial loss and reputational damage that an insider incident can bring.

Security teams' lack of visibility into insiders’ actions also poses a massive security risk to organizations. With the Equifax breach's true implications becoming increasingly clear, it has never been more important to understand what actions users are taking related to sensitive corporate data and systems. In particular, organizations should aim to gain visibility into all employee activities, especially when they are related to:

  • Unauthorized cloud storage or large file-sending sites
  • Disposable or temporary email clients
  • USB storage devices and other removable media
  • Copy/pasting, cut/copying, and large print jobs

These are just a few examples of user activities that, when put into context with the specific types of data in play and other factors, can shed valuable light on potential malicious employee activity.

Given the likelihood that we will see some major spy-recruitment efforts take place over the coming years, any business that stores or handles sensitive data should have full visibility into exactly how all employees are using organizational data. It might sound like the plot for a good movie, but when it's valuable company or customer data on the line, the ending could be very unpleasant.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Mike McKee brings 20-plus years of cross-functional, global experience in technology to ObserveIT. Previously, he led the award-winning Global Services and Customer Success organizations at Rapid7, served as senior vice president, CAD Operations and Strategy, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17475
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
CVE-2020-0255
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-14353
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-17464
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-17473
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.