Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/19/2019
02:30 PM
Mike McKee
Mike McKee
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Case of the Missing Data

The latest twist in the Equifax breach has serious implications for organizations.

When the Equifax breach — one of the largest breaches of all time — went public nearly a year-and-a-half ago, it was widely assumed that the data had been stolen for nefarious financial purposes. But as the resulting frenzy of consumer credit freezes and monitoring programs spread, investigators who were tracking the breach behind the scenes made an interesting discovery.

The data had up and vanished.

This was surprising because if the data had, in fact, been stolen with the ultimate goal of committing financial fraud, experts would have expected it to be sold on the Dark Web. At the very least, they would have expected to see a wave of fraudulent credit transactions.

Nada.

CNBC recently published an article that takes an in-depth look at what exactly happened to the credit, Social Security, and other sensitive data of 143 million people after it was stolen. The deeper the threat hunters have gone down the rabbit hole of this story, the more convinced they have become that the motive was actually even more sinister than pure financial gain.

In essence, security experts most familiar with this breach believe that a nation-state — likely China or Russia — stole the data in order to suss out current spies and pick out potential targets they could recruit as spies.

It's the latter part that should concern organizations in the US and beyond. While the complex spy scheme sounds like something out of a movie, it actually has serious, real-world implications.

The Rise of State-Sponsored Threats 
State-sponsored threats are increasingly one of the biggest threats to information assets across the globe. Threat actors are increasingly targeting businesses, universities, and other organizations with powerful and sophisticated trade-craft techniques designed to steal confidential information that can result in massive data and revenue loss.

People have many different motives to spy on behalf of a foreign government. The vast majority of nefarious insiders are acting on financial greed, but other motivations include, anger, ideology, patriotism, and organizational conflicts. The news has been flooded about employees convicted for working on behalf of a foreign government. Most recently, Chinese-born scientist You Xiaorong was accused of using her employment at Coca-Cola to steal trade secrets, with the intent to set up a competing venture in China and win a reward from a Chinese government-backed program. Apple also has come under fire, with two employees charged with stealing self-driving car project secrets in the past year.

Power-hungry executives are a major target for state-sponsored recuitment, along with those who may be suffering from financial problems. These executives can be lured into revealing secrets in return for money or power – from credentials to highly confidential documents and trade secrets. If nation-state spies have enough information to identify potential financial instability, they can determine the best targets to identify as spies, especially individuals they can convert for monetary gain.  

Are There Spies in Your Organization?  
As more employees become the targets for spy recruitment, it is more important than ever for businesses to quickly defend themselves before it is too late.

However, the reality is that most organizations do not have much visibility into what their employees and other insiders are doing with valuable company data. One study found that 42% of organizations rely on server logs to detect threats. These are very difficult to parse and rarely provide sufficient context to indicate that an employee may be conducting nefarious activity. The study also found only about a quarter of organizations are using keylogging or session recording, while 8% admit they have zero visibility whatsoever into all employee activity.

These gaps can leave organizations open to some major risks. Criminal insider incidents can have serious financial repercussions – to the tune of an average annualized cost of $2.99 million, according to a recent Ponemon report. Many organizations simply can't recover from the financial loss and reputational damage that an insider incident can bring.

Security teams' lack of visibility into insiders’ actions also poses a massive security risk to organizations. With the Equifax breach's true implications becoming increasingly clear, it has never been more important to understand what actions users are taking related to sensitive corporate data and systems. In particular, organizations should aim to gain visibility into all employee activities, especially when they are related to:

  • Unauthorized cloud storage or large file-sending sites
  • Disposable or temporary email clients
  • USB storage devices and other removable media
  • Copy/pasting, cut/copying, and large print jobs

These are just a few examples of user activities that, when put into context with the specific types of data in play and other factors, can shed valuable light on potential malicious employee activity.

Given the likelihood that we will see some major spy-recruitment efforts take place over the coming years, any business that stores or handles sensitive data should have full visibility into exactly how all employees are using organizational data. It might sound like the plot for a good movie, but when it's valuable company or customer data on the line, the ending could be very unpleasant.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Mike McKee brings 20-plus years of cross-functional, global experience in technology to ObserveIT. Previously, he led the award-winning Global Services and Customer Success organizations at Rapid7, served as senior vice president, CAD Operations and Strategy, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16317
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerabi...
CVE-2019-16318
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.
CVE-2019-16307
PUBLISHED: 2019-09-14
A Reflected Cross-Site Scripting (XSS) vulnerability in the webEx module in webExMeetingLogin.jsp and deleteWebExMeetingCheck.jsp in Fuji Xerox DocuShare through 7.0.0.C1.609 allows remote attackers to inject arbitrary web script or HTML via the handle parameter (webExMeetingLogin.jsp) and meetingKe...
CVE-2019-16294
PUBLISHED: 2019-09-14
SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.
CVE-2019-16309
PUBLISHED: 2019-09-14
FlameCMS 3.3.5 has SQL injection in account/login.php via accountName.