According to Gemalto's 2018 Breach Level Index, 291 data records were compromised every second in the first half of 2018. Two years later, we continue to be victimised directly or indirectly.
3.2 billion records of emails and passwords have been advertised for sale online. Labelled the Compilation of Many Breaches (COMB), it is not a single breach but a combination of many earlier breaches pooled into one.
FutureCIO approached three experts for their view on the topic: Boris Cipot, Senior Security Engineer, Synopsys Software Integrity Group; Matias Woloski, co-founder and CTO of Auth0, and Simon Piff, Vice President for Security Practice research at IDC Asia/Pacific.
What is driving the rise (3.2 billion emails and passwords breach)?
Boris Cipot: While it’s hard to pinpoint exactly what’s driving the rise, a few likely suspects could include users neglecting to update impacted passwords, password re-use across platforms, and poor password hygiene in general. If a hacked password is used across multiple platforms, that can provide potential access to hackers.
We’ve seen instances where user databases have been breached due to misconfigured/unprotected S3 buckets—thus, offering easy access to cyber-attackers. There have been many instances of unprotected servers or exposed elements within the software supply chain leading to data breaches. There have also been cases in which a default root password was used for servers, allowing remote access by hackers via the internet.
Matias Woloski: Compilation of Many Breaches (COMB) is not a new breach but is making headlines because of its size. Three billion email addresses and passwords, all available for anyone to use in credential stuffing attacks.
Simon Piff: Behind this are the organisations that focus on stealing this data. I say "organisation" because all too often it's forgotten that cybercrime is organised crime. The "businesses" are well funded, use the latest AI technology and rent "malware-as-a-service"; indeed, it's well known that the organisations that launch ransomware attacks have usually bought said ransomware from a third party.
In the face of such organised, well-funded attacks, even the most tech-savvy organisation is challenged not only to stop the breach but even to identify that a breach is underway. Think about the recent SolarWinds hack: FireEye, the security firm, started noticing "something was wrong" on their systems and interrogated them to unearth this hack.
They did not have alarm bells ringing and lights flashing the moment the hacker gained system access, because it was discreet, possibly even using a legitimate password, which is the goal of many of these hacks.
Armed with legitimate credentials, the criminal can access a wide range of information, systems and money with impunity because they are using legitimate credentials. The perfect crime is a crime nobody is even aware of. I dread to think how many we are not aware of that have already taken place or are taking place right now!
What are enterprises doing wrong?
Boris Cipot: These are only a few examples of what may be leading to the substantial COMB volume. The constant growth of technology and various service offerings are opening many doors to hackers and presenting many opportunities to welcome in cyber-attackers if manufacturers, organisations and users aren’t careful.
Matias Woloski: When these kinds of breaches occur, the message is always the same: use unique passwords, change your passwords and use a password manager. However, every year we see another study showing that people aren't listening.
Reusing the same passwords is still a common practice. There are two truths here that we need to accept: we’re never going to prevent all data breaches, and the password hygiene message isn’t getting through.
Simon Piff: Aside from not funding cyber security in a strategic manner (it has mostly been built up piecemeal, and pulling off a strategic upgrade won't win board or shareholder support before a hack), a concrete part of the issue is the current psychology around cyber security: that the tools used by defenders, the processes undertaken and full disclosure of how a breach takes place are, today, considered a secret.
Enterprises don’t share which vendors they use, how they are deployed or what they do in the event of a hack – and yet all enterprises use basically the same tools in the same manner and react the same way. Critically, enterprises don’t fully disclose how they are breached, and then rarely if ever share this information, information which could arm many other enterprises with the knowledge they need to defend themselves.
Consider the aftermath of the Sing Health hack a few years back. Whilst we heard about mysterious keystroke monitoring software, it was the observations of a database administrator (which admittedly were not immediately acted upon) that helped surface the attack. As soon as this became public knowledge, I guarantee that all database admins and their bosses were told to alert senior management about unexpected activity, and to escalate sooner rather than later.
But this is not "typical" cyber security information; this is more about IT hygiene that leads to increased cyber security. Until enterprises start sharing how hacks occur, or even better, how they were able to deflect or defend, we will never get ahead here.
Steps to fix or minimise the problem?
Boris Cipot: To minimise the risk of a breach from the business perspective, organisations need to ensure they have security policies and procedures established. Know what types of services and devices are running, which are internal and which are external, and segment those services appropriately.
Network and user segmentation is one strategy to better mitigate risk. User roles and access rights need to be defined. In case a malicious actor gains access to a user's account, they then only have the privileges of that user and cannot access rights that are reserved for higher-privileged users.
It is also of great importance for organisations to know exactly what hardware and software are being used in their environments, be it proprietary or open source. A clear view of this inventory also gives you a clear view of the risk and of the patches that need to be applied. Similarly, organisations need to have a clear view of their vendors' security stance; software supply chains are a common attack vector that must be accounted for with regard to cybersecurity.
Matias Woloski: Businesses now need to force the issue to protect themselves and their customers. Authentication is much more than an email and password combination. One Time Passcodes and biometric security are mainstays of multifactor authentication, but consumer-facing businesses have often avoided them. The fear is that they add friction to the customer journey.
Adaptive technologies are the solution. They’re designed to introduce friction only when necessary, without impacting the customer experience. These technologies can determine whether a customer is legit based on a series of clues that determine an overall risk score. Logging in from London and five minutes later from Singapore? Red flag. Use a password that was stolen in a recent data breach? Red flag. These red flags make Adaptive Multi-Factor Authentication trigger an additional layer of security to verify your digital identity.
We need to see technology adapt to humans, not the other way around. Expecting people to remember a random string of numbers and letters is unrealistic. But we’re all expected to use passwords. Passwords will eventually go away in favour of passwordless alternatives, driven by the adoption of the WebAuthn standard. Businesses need to prepare for that transition. In the meantime, companies need to combine passwords with additional factors presented only when needed (i.e., adaptive), to avoid introducing more friction to users.
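The two "red flags" Woloski describes, an impossible-travel login and a password that appears in a known breach corpus, are the kind of signals an adaptive MFA engine scores before deciding whether to step up authentication. The following is an added example written for this article, not Auth0's code or any product's API. It assumes a constructed login-event record, a tiny stand-in breached-password set keyed HIBP-style by the first five hex characters of the SHA-1 hash (so the full hash never has to leave the client), a hypothetical 1,000 km/h "faster than a commercial flight" threshold, and illustrative score weights and decision cut-offs; all of those are assumptions, and the London and Singapore coordinates are only approximate.

```python
import hashlib
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed login-event record (hypothetical shape, not any vendor's event format).
@dataclass
class LoginEvent:
    user: str
    ts: float        # seconds since epoch
    lat: float       # approximate latitude of the source IP
    lon: float       # approximate longitude of the source IP
    device_id: str   # cookie or device fingerprint identifier

# Constructed stand-in for a breached-password corpus, keyed by SHA-1 prefix so a lookup
# only needs the first five hex characters (k-anonymity, as the HIBP range API works).
_BREACHED: Dict[str, Set[str]] = {}

def _seed_breached(passwords: List[str]) -> None:
    for pw in passwords:
        h = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        _BREACHED.setdefault(h[:5], set()).add(h[5:])

_seed_breached(["password", "123456", "qwerty", "letmein"])  # sample corpus, constructed

def password_is_breached(password: str) -> bool:
    """Return True if the password's SHA-1 appears in the (constructed) breach corpus."""
    h = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return h[5:] in _BREACHED.get(h[:5], set())

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

MAX_PLAUSIBLE_KMH = 1000.0  # assumption: faster than a commercial flight counts as impossible

def impossible_travel(prev: LoginEvent, cur: LoginEvent) -> bool:
    """True if the user could not physically have moved between the two logins."""
    hours = (cur.ts - prev.ts) / 3600.0
    if hours <= 0:
        return True  # same instant or out-of-order events: treat as suspicious
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    return km / hours > MAX_PLAUSIBLE_KMH

def risk_score(prev: Optional[LoginEvent], cur: LoginEvent, password: str,
               known_devices: Set[str]) -> Tuple[int, List[str]]:
    """Combine the individual signals into one score plus the reasons that fired."""
    score, reasons = 0, []
    if prev is not None and impossible_travel(prev, cur):
        score += 50
        reasons.append("impossible_travel")
    if password_is_breached(password):
        score += 40
        reasons.append("breached_password")
    if cur.device_id not in known_devices:
        score += 20
        reasons.append("unknown_device")
    return score, reasons

def decide(score: int) -> str:
    """Illustrative cut-offs: only add friction when the score warrants it."""
    if score >= 80:
        return "block"
    if score >= 20:
        return "step_up_mfa"
    return "allow"

if __name__ == "__main__":
    london = LoginEvent("alice", 0.0, 51.5074, -0.1278, "laptop-1")
    singapore = LoginEvent("alice", 300.0, 1.3521, 103.8198, "unknown-7")  # five minutes later
    score, why = risk_score(london, singapore, "password", {"laptop-1"})
    print(score, why, decide(score))
```

The decision table is where the "adapt to humans" argument lives: a login from a known device with a password that is not in any breach corpus scores zero and sees no extra prompt, while a single red flag is enough to trigger step-up MFA and the combination of several blocks outright. In production the breach lookup would query a real range API with only the five-character prefix, and the geolocation would come from an IP-to-location database rather than hard-coded coordinates.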
Simon Piff: This is an opportunity for government to step in and make full disclosure mandatory. Furthermore, this information should reside in a trusted archive and alerts issued when new attack identification procedures occur. Most countries have a CERT that notifies about threats, but what about notifying about potential, shall we use the term, inoculation? It may not protect you totally but will certainly boost your immune system! Right now, legislation does nothing to encourage enterprises to declare a hack has taken place, indeed it is one of the few instances where the victim pays the fine. This must change.
Full disclosure will alert the authorities to the degree of investment that was made to thwart the attacker, and then, if an enterprise is found lacking, a proportionately suitable fine can be levied. Those that invest smarter (IDC has research that indicates it is not just the size of the investment, but how it is used, that leads to lowering a risk profile) will not only receive fewer threats but also a lower fine than those that have under-invested or tried to hide the hack.