
Codecov Breach

OVERVIEW | Codecov Breach

Supply chain attacks are far from new. We previously covered the SolarWinds attack, which may be the biggest software supply chain attack disclosed, as well as the most damaging supply chain attack to users. More recently, a new cyber-attack similar to the SolarWinds attack was discovered at Codecov, a software testing platform that supplies code management and audit solutions.

Codecov first discovered the attack on April 1st and disclosed it to the public on April 15th. However, investigations into the attack suggest that it first occurred months earlier, possibly as far back as January 31st, yet went unnoticed for several months. The adversary gained access to Codecov’s Bash Uploader script using credentials stolen by exploiting an error in Codecov’s Docker image creation process. The adversary then replaced Codecov’s IP address within the Bash Uploader script with the adversary’s own IP address, rerouting the data so that it was sent to the adversary instead of Codecov.

According to Codecov, the altered version of the Bash Uploader script could potentially affect the following:

  • Any credentials, tokens, or keys that were passing through their CI runner that would be accessible when the Bash Uploader script was executed.
  • Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
  • The git remote information (URL of the origin repository) of repositories using the Bash Uploader to upload coverage to Codecov in CI.
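The attack described above worked because CI jobs fetched the uploader script and executed it without checking what they had received. The following added example (not Codecov’s code or tooling) shows two pre-execution controls a pipeline can apply to any third-party script: pin its SHA-256 to a value recorded when the script was reviewed, and inspect every URL it contacts against an allowlist of expected hosts, flagging any destination written as a bare IP literal. The allowlist hostnames, the pinned hash and both sample scripts are constructed for this example.

```python
"""Pre-execution checks for a third-party CI uploader script.

Added example, not Codecov's own code or tooling. The allowed hosts,
the pinned hash and the two sample scripts are constructed here.
"""
import hashlib
import ipaddress
import re
from urllib.parse import urlparse

# Hosts the uploader is expected to talk to (assumption for this example).
ALLOWED_HOSTS = {"codecov.io", "uploader.codecov.io"}

# Crude but sufficient URL matcher for shell scripts: stop at whitespace/quotes.
URL_RE = re.compile(r"https?://[^\s'\"`)<>]+")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_pinned_hash(script: bytes, expected_hex: str) -> bool:
    """True only if the script matches the hash recorded at review time."""
    return sha256_hex(script) == expected_hex.lower()


def find_unexpected_endpoints(script: str, allowed=ALLOWED_HOSTS) -> list:
    """Return URLs whose host is not on the allowlist.

    A host written as an IP literal is always reported: a legitimate vendor
    endpoint is reached by name, so a literal address is a red flag.
    """
    findings = []
    for url in URL_RE.findall(script):
        host = urlparse(url).hostname or ""
        try:
            ipaddress.ip_address(host)
            findings.append(url)            # IP-literal destination
            continue
        except ValueError:
            pass                            # not an IP literal, check by name
        if host not in allowed and not any(host.endswith("." + a) for a in allowed):
            findings.append(url)
    return findings


def vet_uploader(script: bytes, expected_hex: str) -> dict:
    """Combine both checks; the pipeline should refuse to run on any failure."""
    text = script.decode("utf-8", errors="replace")
    unexpected = find_unexpected_endpoints(text)
    hash_ok = check_pinned_hash(script, expected_hex)
    return {"hash_ok": hash_ok,
            "unexpected_endpoints": unexpected,
            "safe_to_run": hash_ok and not unexpected}


# Constructed sample: a benign uploader that only talks to the vendor.
CLEAN_SCRIPT = b"""#!/bin/bash
curl -X POST --data-binary @coverage.txt "https://codecov.io/upload/v4?commit=$SHA"
"""
# Constructed sample: the same script with the vendor host swapped for an
# IP literal (TEST-NET address), the shape of change described above.
TAMPERED_SCRIPT = CLEAN_SCRIPT.replace(b"https://codecov.io", b"http://203.0.113.10")

# Value an engineer records out-of-band when the script is reviewed.
PINNED_HASH = sha256_hex(CLEAN_SCRIPT)

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_SCRIPT), ("tampered", TAMPERED_SCRIPT)):
        print(name, vet_uploader(body, PINNED_HASH))
```

In a real pipeline the pinned hash lives in the repository (or a CI variable) and is updated only when someone deliberately reviews a new uploader version; the endpoint check is the backstop for the case where the hash was never pinned in the first place.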

Moving Forward

Proficio’s Threat Intelligence Team has been diligently researching the attack and how it may have affected our clients. There will be a continuous and ongoing effort to help ensure that none of our clients are compromised by this campaign, through the following:

  • Gathering of IOCs and TTPs of the attack
    • Although no IP addresses of the third-party servers were disclosed to the public, our team is currently researching the TTPs to identify traffic indicative of data exfiltration attempts
  • Performing threat hunting on potential exfiltration of data associated with campaign against our client SIEMs for the past three months
  • Documenting and investigating any potential incidents
  • Providing updates of threat hunting results to all Client Success Managers and Security Advisors, so they can alert clients as applicable

General Recommendations

Given that the breach is newly discovered, there is still a lot of uncertainty as to how much damage it can bring to victim systems. As such, we always recommend that our clients keep their systems, and in this case their scripts, patched and up to date.

Clients that utilize Codecov as a service are strongly advised to follow Codecov’s recommendations and guidelines. Any Proficio clients who are unsure about log investigations should reach out to their assigned Client Success Manager or Security Advisor for next steps.

Reference links

  • https://about.codecov.io/security-update/
  • https://www.bleepingcomputer.com/news/security/hundreds-of-networks-reportedly-hacked-in-codecov-supply-chain-attack/
  • https://www.reuters.com/technology/us-investigators-probing-breach-san-francisco-code-testing-company-firm-2021-04-16/
  • https://www.reuters.com/technology/codecov-hackers-breached-hundreds-restricted-customer-sites-sources-2021-04-19/
  • https://www.zdnet.com/article/codecov-breach-impacted-hundreds-of-customer-networks/
  • https://latesthackingnews.com/2021/04/26/codecov-breach-following-supply-chain-attack-affected-hundreds-of-networks/

Takeaways from the 2019 Data Breach Investigations Report

The 2019 Data Breach Investigations Report was released in December and highlights the many aspects of data breaches and the frequency of their occurrence. Reviewing it gives us a good opportunity to reflect on what security teams should focus on in 2020.

The Attackers

According to the report, about 1/3 of attacks originate from insiders and 2/3 from outsiders. Over half of the attacks from outsiders were from groups with criminal motivations who were trying to steal intellectual property or access someone’s personal information to sell or hold for ransom. Unsurprisingly, C-Level Executives were 12 times more likely to be the target of an attack.

Proficio Recommendations:

  • Strong perimeter security is essential – without this, you leave your organization vulnerable to outsiders. Security defenses should include cloud, email and web filters.
  • Organizations must understand the business context of their assets. By categorizing valuable assets in your organization, you can provide them a higher level of protection and detection.
  • Don’t forget to monitor internal users, activity across the core network, and internal applications; these are common areas where you can catch suspicious behavior.

The Attacks

There was a notable increase in the targeting of cloud-based email like Office 365, which many organizations use. Over a fourth of attacks involved malware (24% were ransomware), which infects endpoints that are vulnerable and reachable by the malware. Errors were the root cause of 1/5 of breaches, and 71% of breaches were financially motivated.

Proficio Recommendations:

  • Make sure you have a wide range of advanced use cases for detecting attacks and compromises of O365 and other mail servers.
  • More than 70% of attacks come from different attack vectors – don’t forget you need to protect more than just the endpoint.
  • The best prevention for ransomware is to not allow malware on the endpoints:
    • Perform continuous vulnerability monitoring with cloud agents and patch regularly.
    • Monitor and respond to suspicious email or web connections.
    • Deploy next-generation endpoint software with behavioral analysis.
  • Mitigate risk by using Risk-Based Vulnerability Management and by monitoring and evaluating security control configurations mapped to benchmarks like CIS.

The Victims

Companies of all sizes are getting breached, with over 40% of breaches involving small businesses. Some of the most popular industries to target remain the same: Public Sector, Healthcare, and Financial.

Mobile users are even more susceptible to attack, often via email-based spear phishing or social media attacks.

Proficio Recommendations:

  • Regardless of your size or industry, you could be the target of a data breach. Make sure cybersecurity is a priority and you have protections in place.
  • Create and implement security procedures around mobile devices.

The Hacks

The most popular methods used by hackers are often Command and Control or Brute Force Attacks. However, exploiting known vulnerabilities or using stolen credentials or social attacks on senior-level executives are also frequently used to gain access.

Proficio Recommendations:

  • Have settings in place to detect suspicious behavior of users or devices.
  • Use frameworks like MITRE ATT&CK to detect and respond to tactics, techniques, and procedures.
  • Keep vigilant and maintain strong passwords to avoid credential theft; also monitor admin and system credentials.
  • Test and patch for vulnerabilities often.

The Breaches

More than half the time, breaches took months or longer to discover, reminding us that many organizations still lack visibility into actual breaches. The top threat vector is web applications, but remote desktop and TeamViewer applications are seen as easy targets. Hackers are also still gaining access through VPN.

While cybercriminals are looking for a quick victory, they often go through multiple steps before breaching data. The number of steps is decreasing, though, and the time from an attacker’s first action in an event chain to the initial compromise is typically measured in minutes.

Proficio Recommendations:

  • Put in place WAF control and monitoring of WAF and web server logs.
  • Actively monitor and investigate suspicious events 24×7 with advanced tools and SOC staff.
  • Orchestrate and automate containment response to occur within minutes of an attack.
  • Perform discovery of the techniques and tactics used.
  • Collect metrics on your operations team, including Time to Detect, Time to Contain, and Time to Remediate.

Manage and Understand Risk

It is often said that it is no longer a question of if an organization will experience a data breach, but when. The report underscores this theory, and reminds us that people, platforms, and applications are still vulnerable to attacks; there is no room for complacency.

Given this reality, we recommend IT leaders strive to understand the cyber risk facing their organizations. Proficio provides our clients with cyber business intelligence and comparative risk data that allows them to see trends in attack volume and type, as well as gaps in their security controls and compare this to peers in their industry. Having this information is a critical step toward funding a strategic response to cyber risk and a first step towards a comprehensive cybersecurity plan.


Contact us to find out how Proficio can help with your security initiatives.

What Companies Can Learn from the SEC Breach

Another day and unfortunately, another high-profile cybersecurity hack is in the news. This time, it happened at the Securities and Exchange Commission (SEC).

On September 20, SEC officials said the agency, which regulates the United States markets and protects investors, had a security breach in 2016 that affected the electronic storing system which houses public-company filings. The hackers who accessed the SEC records may have conducted stock market trades on the stolen information, officials said.  

From WannaCry to Petya and Equifax and now the SEC, it seems like breaches are becoming commonplace and that cybersecurity is on the top of everyone’s mind. Referenced on social media channels as the #cyberattacksurge, we must ask what financial companies can do to better protect and prepare themselves from a potential cyberattack.

How Did This Breach Occur?

The data storage system that the SEC named “Edgar” (Electronic Data Gathering, Analysis and Retrieval System) is an online tool that investors use to view companies’ earnings and disclosures. Companies can also purchase the feeds produced by Edgar and resell them to online traders.

The SEC revealed that the hackers found a vulnerability in the Edgar system through a data transmitting form. Few details were provided, except that the hack was detected in 2016 but evidence of illicit trading using the stolen information wasn’t discovered until August 2017.  An FBI investigation is underway and the SEC is cooperating with authorities.

Steve Groom, Director of Cyber Defense Services at Proficio, said the problem the SEC is facing is that the agency’s web application was compromised by either an SQL Injection or Cross Site Scripting. The real issue is more centered around web application scanning, code review and penetration testing.

Today’s web applications have moved from an agile development cycle to daily sprints, where they are making changes hour by hour or even day by day, Groom stated.

How to Build an Effective Cybersecurity Action Plan

Bryan Borra, SOC and SIEM Director at Proficio, said having an action plan in place to manage applications and services that are exposed to the internet is a critical piece to helping prevent an attack that is sourced against public-facing web applications.

“This breach occurred due to a vulnerability in a web application,” Borra said. “Web applications exposed to the internet are most vulnerable to attacks because a group of individuals from the outside can access them.”

Deploying an externally facing firewall change policy and relevant SIEM correlation use cases can help safeguard your network from attacks like those that broke into the SEC systems, Borra said.

Deploying an Externally Facing Firewall Change Policy

Not all firewall changes are equal in risk and some of the riskiest changes are what you allow inbound to your network, Borra cautioned. Some enterprises have deployed special procedures that treat firewall changes that open a port or system to the outside differently than other firewall changes.

For example, if a web server is stood up and the system owner requests the system be accessible to the internet, a request will be forwarded to the information security team to approve the change. The information security team will then assess the change and approve or disapprove based on criteria documented in the policy, Borra said.

Common evaluation criteria in this policy could be:

  1. The Information Security Team performs a vulnerability scan against the system and has the system owner remediate all vulnerabilities rated “critical” or “serious” or above a certain priority level before the system can be placed on the internet.
  2. Assess “least privilege” and attempt to limit the ports and subnets within the change to only what is needed.
  3. Place the system in a specific zone such as a DMZ based on its function.
  4. Make sure that no applications, services, or plugins hosted on the system are on the list of applications the information security team has banned due to their security risk profile (ex: WordPress, Joomla, ColdFusion, etc.).

Deploying Relevant SIEM Correlation Use Cases

Vulnerability scan data is often ingested into the SIEM and can provide value for this particular situation. For example, if the change approval process hooks into security operations to record the systems that have been approved to be open to the outside, then you can input this information into your SIEM and maintain a list of “systems open to the outside,” Borra said.

With this list, you can correlate each system against incoming vulnerability scan data. If incoming scan data shows that such a system has a new critical, serious, or high-priority vulnerability, you can forward the case to security operations to assess blocking external access to the system until the vulnerability is remediated.

Small to medium sized enterprises may have difficulty implementing the previously mentioned correlation use case because they often don’t have a structured list of systems or applications exposed externally through the firewall. They may also not have deployed any type of externally facing firewall change policy, and so have no simple, straightforward answer as to whether anything currently reachable from the outside has a critical vulnerability.

If you ingest vulnerability data into your SIEM and have threat intelligence feeds around blacklisted IP addresses, you can build a use case that is somewhat effective at discovering interesting services that have vulnerabilities that are accessible externally.

First, set up a correlation rule to model systems that have services with critical, serious, or high priority vulnerabilities (ex: webserver01 has a critical web vulnerability).

Next, build correlation rules that join those systems and services with firewall events that permitted blacklisted IP addresses (ex: a blacklisted IP was permitted through the firewall to access webserver01 over HTTP).

What you get are firewall rules that are allowing blacklisted IP addresses to access a service with a critical vulnerability.

This is a useful initial correlation use case when assessing what is critical and open to the internet.
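Both correlation use cases above (the approved-for-external-access list joined with scan data, and the vulnerable-service model joined with firewall permits from blacklisted addresses) reduce to two joins over three data sets. The following added example, which is not Proficio’s or any SIEM vendor’s rule syntax, implements them in plain Python so the logic can be read and tested. The asset list, scan findings, firewall events and threat-intelligence blacklist are all constructed inline (TEST-NET addresses, placeholder vulnerability identifiers); whether a finding is “new” rather than previously seen is state a real SIEM would track and is not modelled here.

```python
"""Two SIEM-style correlation use cases over constructed sample data.

Added example, not Proficio's or any SIEM product's rule language. All
inputs below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Severities that should raise a case; "serious" is the page's own term.
ACTIONABLE = {"critical", "serious", "high"}


@dataclass(frozen=True)
class VulnFinding:
    host: str
    service: str      # e.g. "http"
    severity: str
    vuln_id: str      # scanner identifier; placeholder values below


@dataclass(frozen=True)
class FirewallEvent:
    src_ip: str
    dst_host: str
    service: str
    action: str       # "permit" or "deny"


# Constructed: systems approved to be reachable from the internet (use case 1 input).
EXPOSED_SYSTEMS: Set[str] = {"webserver01", "vpn01"}

# Constructed vulnerability scan results.
SCAN_RESULTS: List[VulnFinding] = [
    VulnFinding("webserver01", "http", "critical", "VULN-PLACEHOLDER-1"),
    VulnFinding("webserver01", "ssh", "low", "VULN-PLACEHOLDER-2"),
    VulnFinding("fileserver02", "smb", "critical", "VULN-PLACEHOLDER-3"),  # internal only
    VulnFinding("vpn01", "ipsec", "medium", "VULN-PLACEHOLDER-4"),
]

# Constructed threat-intelligence blacklist (TEST-NET addresses).
BLACKLISTED_IPS: Set[str] = {"198.51.100.7", "203.0.113.42"}

# Constructed firewall log.
FIREWALL_EVENTS: List[FirewallEvent] = [
    FirewallEvent("198.51.100.7", "webserver01", "http", "permit"),
    FirewallEvent("203.0.113.42", "webserver01", "http", "deny"),
    FirewallEvent("203.0.113.42", "vpn01", "ipsec", "permit"),
    FirewallEvent("192.0.2.15", "webserver01", "http", "permit"),   # not blacklisted
]


def exposed_systems_with_actionable_vulns(exposed: Set[str],
                                          scans: List[VulnFinding]) -> List[VulnFinding]:
    """Use case 1: actionable vulnerabilities on systems approved for external access.

    Each result is a case for security operations to assess blocking the
    system externally until the finding is remediated.
    """
    return [f for f in scans if f.host in exposed and f.severity in ACTIONABLE]


def vulnerable_services(scans: List[VulnFinding]) -> Dict[str, Set[str]]:
    """Use case 2, step 1: model host -> services carrying an actionable vuln."""
    model: Dict[str, Set[str]] = {}
    for f in scans:
        if f.severity in ACTIONABLE:
            model.setdefault(f.host, set()).add(f.service)
    return model


def blacklisted_access_to_vulnerable_services(scans: List[VulnFinding],
                                              events: List[FirewallEvent],
                                              blacklist: Set[str]) -> List[FirewallEvent]:
    """Use case 2, step 2: permitted traffic from a blacklisted source to a
    service the scan data says is vulnerable. Denied traffic and traffic to
    services without an actionable finding are ignored."""
    model = vulnerable_services(scans)
    return [e for e in events
            if e.action == "permit"
            and e.src_ip in blacklist
            and e.service in model.get(e.dst_host, set())]


if __name__ == "__main__":
    for f in exposed_systems_with_actionable_vulns(EXPOSED_SYSTEMS, SCAN_RESULTS):
        print(f"case: {f.host} ({f.service}) has {f.severity} vuln {f.vuln_id}")
    for e in blacklisted_access_to_vulnerable_services(SCAN_RESULTS, FIREWALL_EVENTS,
                                                        BLACKLISTED_IPS):
        print(f"alert: blacklisted {e.src_ip} permitted to {e.dst_host} over {e.service}")
```

Run against the sample data, use case 1 raises one case (webserver01, the only approved-external system with an actionable finding) and use case 2 raises one alert (the permitted HTTP connection from 198.51.100.7 to webserver01); the denied connection, the internal file server and the non-blacklisted source all correctly produce nothing. Keying the model on host plus service, rather than host alone, is what keeps a vulnerable SMB service from generating alerts for unrelated HTTP traffic.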

What Companies Need to Know

The SEC hack is just another warning to companies, particularly those in the finance sector, that they must ensure that their security environments are properly secured and compliant and that they have strategic plans in place in how to respond if a potential breach does occur.

They will be a constant target for hackers because of the confidential and sensitive information they possess, which attackers can turn into financial gain if they get their hands on it.

“This breach highlights the need for high-profile agencies and organizations like the SEC to put in place a more practical process or system to monitor critical assets not only at the perimeter but on the systems themselves to monitor for (IOCs) Indicators of Compromise,” said Dana Hawkins, Director of Security Services at Proficio. “Monitoring is only a part of the solution, you must also put in place trained SOC/NOC personnel capable of quickly identifying problems and an Incident Response Team that has the authority to act when a compromise is found.”

Government bodies like the SEC are particularly vulnerable to fast-moving cyber threats, according to Hawkins, who previously worked as an IT security contractor for the federal government.

“It’s time for government agencies around the country to come out of the dark ages and understand the changing cyber threat landscape,” Hawkins said. “Response to threats needs to be more agile and effective or breaches like this will be a common occurrence.”

Proficio Weighs in on the Equifax Breach

Equifax, a leading credit reporting agency, said today it had been breached by cyber criminals, exposing the names, social security numbers and other sensitive data of as many as 143 million United States consumers. Officials said the reported cybersecurity breach could be one of the largest in U.S. history.

Hackers reportedly exploited a website application vulnerability to gain access to certain Equifax consumer files sometime between May and July 2017. Details of the manner in which the cyber criminals accessed the Equifax system were not immediately revealed.

Equifax officials said they were working to determine the cause and manner of the massive breach, which also affected certain UK and Canadian residents. The company set up a website for consumers to check if their information was involved in the breach as well as a dedicated call center to handle consumer questions at 866-447-7559.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and Chief Executive Officer, Richard F. Smith. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”

Proficio Reacts to Equifax Breach

John Humphreys, Proficio Senior VP of Business Development and Alliances, said the Equifax breach demonstrates the vulnerabilities of web applications, which often are not properly secured by developers or scanned for weaknesses by IT officials.

“The recent Equifax Breach is doubly unfortunate,” Humphreys said. “On one count, vulnerabilities to web applications have been well understood for many years. One would hope that software developers are following publicized guidelines to produce secure code and their counterparts in IT security are using commercial tools to scan for vulnerabilities. Second, there will be significant impact on a huge number of consumers. The type of data stolen will be very valuable for cybercriminals planning to commit identity theft or bank fraud.”

Today’s massive Equifax breach should serve as a warning to all companies and organizations about the importance of maintaining solid cybersecurity. As a result of lax monitoring of its security, Equifax is now suffering a public relations nightmare, damage to its brand and a financial disaster that could take years to clean up.

Proficio’s Director of Cyber Defense, Steve Groom, weighed in on the Equifax breach by sharing that threat actors around the world are highly motivated to steal personal identities and financial information because it yields the highest return on the black market, which makes headlines like this attack seem like a daily occurrence.

“To combat these types of attacks organizations need to evolve the maturity of their security program at a much faster pace and leverage service providers where necessary to provide an in-depth defense strategy in areas that are still under development,” stated Groom.  “There is no question that Equifax has spent a lot of money, time and resources trying to secure their customers data, which should make everyone pause and ask the question: Have we done enough?  Security programs need to be tested in the exact same way that they are tested in real life. Hackers don’t have a scope of work to follow and they certainly don’t have to play by your rules. Performing an annual security red team assessment with a qualified group of ethical hackers that closely mimics a real-world attack is critical these days when getting a full understanding of how strong your security program truly is. Monitoring your network 24×7, with eyes on glass will help you detect threats in real-time, and may provide you with a fighting chance.”

Companies must plan for the inevitable breach through building an incident response plan and testing it regularly so they can respond swiftly and effectively if a possible breach does occur.  This attack preparedness could be the difference between you or someone else’s company being in the headlines next time.

To learn more about Proficio’s cybersecurity services that can help protect your company or organization from these types of attacks visit Proficio.com.

Online Security Best Practices and Tips

In light of the massive data breach at Equifax, Proficio’s security operations center experts put together a list of best practices and tips consumers should always follow to help protect their online information.

  1. Reset or Change Passwords. Especially if the password contains any personally identifiable information such as a name, date of birth or address. A key element of keeping online accounts safe is keeping track of your “password reset” questions. While you may have a robust password system and password manager, many times we see that users will reuse answers to password reset questions on multiple sites. As a significant amount of PII was stolen from Equifax, we recommend updating your password reset questions as well.
  2. Enable Multi-Factor Authentication. When possible, use Multi-Factor Authentication to ensure that your accounts are protected by more than just a password.
  3. Increase Awareness. Consider signing up for additional monitoring from banking providers and ID Theft protection services and take inventory of any additional services or accounts tied to personal or financial data.
  4. Be Cautious. Be careful what information is provided to others; especially when choosing an ID Theft monitoring service. Do proper research when signing up for any additional monitoring or providing sensitive information and be sure to read the Terms & Conditions. Be wary of emails, texts, and phone calls from individuals claiming to be from any of your service providers. This includes banks, Experian, and any other institution. Malicious actors will utilize fear and other phishing tactics to solicit additional sensitive information from a victim.

The Scary Truth About CyberSecurity

With just two months left in 2015, it is shocking to find that this year may be one of the scariest years as far as data breaches go. Recent reports show data breaches to be increasingly common. And as these threats become bigger and more harmful, the future looks spooky.

The overall costs of cyber crime continue to increase, on average costing companies a ghastly $7.7M; the United States has seen the most terrifying damage from cyber crime, with the average cost in 2015 being over $15M. While security measures are improving, hackers are continuously finding new and frightening ways to get at a company’s valuable information.

Ponemon states in their 2015 Cost of Cyber Crime Study that “all industries fall victim to cybercrime”, again reminding us that no industry or business, big or small, is safe from the horror of cyber crime. However, those who invest in more advanced security resources see significantly less damage from hackers. Companies with security intelligence systems (like a SIEM) save almost $2M and see an ROI of 23%, serving as a prominent reminder that there is no trick – investing up front in high quality security measures will treat you better in the long run.

While hackers will always be on the prowl, don’t let your organization be fooled. See how adding SIEM-as-a-Service can help your company maintain a secure network.

Anthem Inc. Data Breach – Healthcare Increasingly Target of Hackers

On January 27th, Anthem discovered that the login information for database administrators had been compromised. The investigation is ongoing, but the data breach could affect up to 80 million Anthem customers.

Information stolen includes member names, member health ID numbers/Social Security numbers, dates of birth, addresses, telephone numbers, email addresses and employment information, plus some income data. The attack also affected Anthem’s subsidiary companies such as Amerigroup, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Caremore, Unicare, Healthlink, and DeCare.

This attack may be the largest cyber attack in the healthcare industry. Last year’s intrusion at Community Health Systems (CHS) involved the records of 4.5 million consumers. According to statistics maintained by the federal government’s Office for Civil Rights at the Department of Human Services, there have been 740 major healthcare breaches over the last five years.

Why are Hackers Increasingly Targeting Healthcare?

Explanations for the increase in the size and magnitude of cyber attacks in the healthcare industry include the following:

1. Medical records are more valuable to cyber criminals. Experts say medical records are 10X more valuable than credit cards because they can be used for medical fraud, identity theft and false tax return filings.

2. Healthcare organizations lack the resources and systems to defend their data from attackers. Compared to financial services and energy companies, healthcare organizations are considered soft targets.

3. Chinese state-sponsored cyber terrorists may be behind recent security breaches. The goal of these groups is broader than financial benefit and may include stealing medical research or using the data for espionage.

Anatomy of Targeted Attacks

Hackers have hundreds of ways to create and execute data-stealing attacks. Advanced Persistent Threats are commonly described in multiple stages, or kill chains. These usually start with planning and reconnaissance, include techniques like spear phishing, credential dumping, and the use of remote administration tools to move laterally through the network, and end with data exfiltration.

Questions to Test Your Readiness to Respond to a Targeted Attack

1. Are you monitoring critical and suspicious security events on a 24×7 basis?

It may be obvious, but US business hours are the least likely time for Chinese hackers to be working. Many organizations have invested in advanced security products such as database firewalls or next-generation malware detection software, but unless the alerts from these systems are monitored, correlated, investigated and quickly remediated, the risk of a data breach is much higher.

2. Have you developed advanced SIEM Use Cases to identify hacking approaches like credential dumping and lateral propagation?

If your SIEM system or service provider relies on base content and its rules are not constantly updated, the chance of identifying a targeted attack is low.

3. Are you using advanced cross-device correlation and pattern discovery techniques in conjunction with threat intelligence data to identify suspicious behavior?

Accurate prioritization of alerts helps identify real threats and minimizes time wasted chasing false positives.

4. Do high priority security alerts trigger automated responses like blocking traffic to or from an IP address?

24×7 active defense can block known abusive attackers and off-load operations teams to focus on critical issues.

5. Are you retaining your security logs for 12 months?

Effective forensic analysis often requires more than 90 days of log data.

Proficio provides advanced cloud-based cyber security services and data breach prevention solutions to many healthcare organizations.

Takeaways from the Penn State Security Breach

An official at Penn State stated, “In fact, on an average day last year, Penn State alone repelled more than 22 million overtly hostile cyber attacks from around the world”. This is an interesting number. However, we would surmise that they are actually counting the number of Internet drive-by attacks, based on source IP addresses being blocked by firewall, VPN, and IPS rules.

What is more important are the number of known abusive attackers that are hitting their perimeter, how many of these attacks are permitted through their firewalls, and how many of those are targeted attacks or return communications to already compromised devices.

In our Security Operations Centers we find that organizations similar in size to a single College at Penn State need to monitor over 250 million security events per day. From these millions of events a day, the security team must detect 3 to 5 incidents that indicate a compromise and should be blocked in the ‘kill chain’ within minutes to prevent the attack from resulting in a breach or malicious event.

Putting this into more perspective, we find on average an organization of this size will be attacked by known abusive attackers more than 10,000 times per day and roughly 3-5% of these communications are permitted through their firewalls. Most organizations can’t or don’t block this traffic because they have to keep certain ports open for normal business communications or they do not enforce strong perimeter security policies. Of the 3-5% of permitted communications from known abusive attackers that we track for our clients, we discover on average 2 to 3 targeted attacks per day performing reconnaissance or staging and 2-3 correlated events per week indicating some level of compromise.

Even with the best SIEM 2.X generation technologies with finely tuned advanced correlation and behavior algorithms in place, an organization will only reduce the 250 million security events per day down to 100 suspicious threats per day. They will need to investigate further to find the 3-5 events that require immediate action on a daily basis.

This is a two-part challenge. First, recruiting and retaining trained security analysts to monitor and investigate 100 suspicious threats per day is very difficult. Then there is the challenge of how to immediately break the communication with the abusive attacker, quarantine the device, or disable the user account while you wait for your remediation response team or contracted forensic investigators to roll.

In our view, most organizations just don’t have the capital, desire, or ability to staff and manage a 20 (or more) person Security Operations Center to perform advanced SIEM management, 24×7 security event monitoring, or incident investigations. The answer to this equation today is to partner with a SOC-as-a-Service company that also offers a SIEM-as-a-Service. These companies provide the world-class SOC services needed by all sizes of organizations to counter the large number of world-class threat actors.

We would also recommend selecting a provider that is more than a traditional MSSP providing general firewall management. Look for next-generation SOC-as-a-Service providers that offer advanced use case correlation tuned to your business context and automated active breach prevention to stop communication with abusive attackers, quarantine devices, or disable user accounts. These providers also provide visibility into your security posture, knowledge of who is attacking you and what they are targeting, as well as active defenses that give you time to take action to protect your data.

Good hunting!

Lessons learned from the security breach of Target Stores

Now that the dust has settled from last year's cyber attack on Target stores, it is time to reflect on what happened and ensure your organization is not susceptible to a similar breakdown in security.

Not all the facts surrounding this attack have been disclosed or verified, but it seems likely that two types of malware infected Target's network: one installed on POS terminals to steal payment card data, and a second used to exfiltrate that data out of the breached network.

Analyzing the kill chain of this attack is useful, but the most important fact is that Target's malware detection software alerted its SOC to the infection, and apparently the security team did not respond to the alerts.

Target is a large organization with significant resources, which underscores that successful security operations rely on people, process and technology together. Any one of these alone is insufficient.

The lessons to be learned from the Target breach extend beyond retail to any organization with valuable data. We recommend the following:

  • Point security products are important but they must be monitored 24×7
  • Security teams should use case management tools to track their response to incidents
  • Organizations must have the resources and skills to prioritize and investigate suspicious behavior
  • Advanced correlation techniques are necessary to pinpoint complex multi-stage attacks
  • Business context modeling and use cases should be used to highlight attacks on vulnerable assets
  • Threat Intelligence data that identifies malicious IP sources and destinations plays an important role in identifying malware
  • Predictive analytics and automated defense techniques are important tools to prevent attacks that could otherwise lead to data breaches
  • Log retention and access to security logs are required for forensic analysis if a breach occurs
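The correlation, business-context and threat-intelligence items above are easier to picture with a concrete rule. The Python below is an added example, not code from the original post, from Target, or from Proficio: it runs a three-stage rule over constructed anti-virus and firewall log lines that mirror the kill chain described above (malware on a POS terminal, staging on an internal host, exfiltration to a known-bad address). The log format, the asset inventory, the host-to-IP map and the blocklist addresses (TEST-NET ranges) are all assumptions made for the example.

```python
"""Multi-stage correlation over constructed sample events.

Stage 1: malware detected on a host tagged POS (business context).
Stage 2: an allowed internal connection from that host to another internal
         host (possible staging / lateral movement).
Stage 3: an allowed connection from any involved host to a destination on the
         threat-intelligence blocklist within the window (exfiltration).
Stages 1+3 alone are escalated as "high"; a full 1+2+3 chain is "critical".
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# --- Constructed reference data (assumptions, not real Target/Proficio data) ---
ASSETS = {                      # host -> (ip, business-context tag)
    "pos-0117": ("10.20.5.117", "POS"),
    "fileshare-03": ("10.30.1.3", "STAGING"),
    "ws-2201": ("10.40.7.21", "WORKSTATION"),
}
IP_TO_HOST = {ip: name for name, (ip, _tag) in ASSETS.items()}
THREAT_INTEL = {"203.0.113.45", "198.51.100.9"}   # TEST-NET stand-ins for indicators
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample log lines: "<iso-ts> <source> k=v k=v ..."
SAMPLE_LOGS = """\
2013-11-30T02:14:05Z av host=pos-0117 event=malware_detected name=Generic.Trojan action=logged
2013-11-30T02:20:11Z fw src=10.20.5.117 dst=10.30.1.3 dport=445 action=allow
2013-11-30T03:02:40Z fw src=10.30.1.3 dst=203.0.113.45 dport=21 action=allow
2013-11-30T09:15:00Z fw src=10.40.7.21 dst=198.51.100.9 dport=443 action=deny
2013-12-01T11:00:00Z av host=ws-2201 event=malware_detected name=Adware.Foo action=quarantined
"""


@dataclass
class Event:
    ts: datetime
    source: str      # "av" or "fw"
    fields: dict


def parse_line(line: str) -> Event:
    """Parse one '<iso-ts> <source> k=v ...' line of the constructed format."""
    ts, source, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), source, fields)


def parse_logs(text: str) -> list:
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                  key=lambda e: e.ts)


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def threat_intel_hits(events) -> list:
    """Plain blocklist match: every firewall event whose destination is an indicator.
    Denied connections are still reported; they show who is being targeted."""
    return [(e.ts.isoformat(), e.fields["src"], e.fields["dst"], e.fields["action"])
            for e in events if e.source == "fw" and e.fields.get("dst") in THREAT_INTEL]


def correlate(events, window: timedelta = timedelta(hours=72)) -> list:
    """Apply the three-stage rule and return one incident per completed chain."""
    incidents = []
    for i, trig in enumerate(events):
        if not (trig.source == "av" and trig.fields.get("event") == "malware_detected"):
            continue
        host = trig.fields["host"]
        ip, tag = ASSETS.get(host, (None, "UNKNOWN"))
        if tag != "POS":             # business context: only POS infections trigger
            continue
        involved, chain = [ip], [trig]
        for ev in events[i + 1:]:
            if ev.ts - trig.ts > window:
                break
            if ev.source != "fw" or ev.fields.get("action") != "allow":
                continue
            src, dst = ev.fields["src"], ev.fields["dst"]
            if src in involved and dst in THREAT_INTEL:          # stage 3
                chain.append(ev)
                incidents.append({
                    "host": host,
                    "severity": "critical" if len(chain) >= 3 else "high",
                    "exfil_dst": dst,
                    "path": [IP_TO_HOST.get(h, h) for h in involved],
                    "events": [e.ts.isoformat() for e in chain],
                })
                break
            if src in involved and is_internal(dst) and dst not in involved:  # stage 2
                involved.append(dst)
                chain.append(ev)
    return incidents


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("threat-intel hits:", threat_intel_hits(evs))
    for inc in correlate(evs):
        print("INCIDENT:", inc)
```

On the sample data the adware alert on the workstation never escalates (wrong asset class, and no follow-on traffic), the denied connection to 198.51.100.9 shows up only as an informational blocklist hit, while the POS infection followed by SMB to the file share and an allowed FTP session to a blocklisted address becomes a single critical incident with the full path attached, which is the kind of alert a 24×7 team can act on immediately rather than one of 100 unprioritized items.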

In conclusion, the lesson from the Target breach is that security monitoring is not simple.

Recent Court Case Further Defines Organizations’ Responsibility for Cyber Breaches

It may seem unjust to be held liable by the government for a breach that was actually caused by the actions of a criminal. However, that is not the view of the 3rd Circuit. The August 24th, 2015 opinion of the 3rd Circuit Court of Appeals in FTC v. Wyndham Worldwide Corp, et al (0:14-cv-03514) reinforces the government’s ability to enforce cybersecurity controls without defining them.

Cybersecurity standards, such as the PCI-DSS, are helpful because they provide requirements organizations must meet. Meet the requirements and your Qualified Security Assessor will certify your organization as PCI Compliant. However, there are no equally specific requirements for becoming legally compliant. While HIPAA provides standards, its risk assessment requirement (45 CFR 164.308(a)(1)(ii)(A) and (B)) leaves the door open: if you fail to identify and/or manage risks, you could be liable under HIPAA.

So how does an organization manage this legal exposure? The 3rd Circuit has provided some guidance:

  • Look at cybersecurity publications by government regulatory and standards groups, like the Federal Trade Commission, the U.S. Department of Health and Human Services and the National Institute of Standards and Technology.
  • Review enforcement actions by the regulatory agencies (e.g., FTC, HHS, OCR), including reviewing some FTC standards and HIPAA examples.
  • Ensure your published privacy statements match your actual security practices.
  • If you have had a breach, learn from it and correct the cause of the breach. While not an indication by the court, you should also look at the breaches of others, especially those made highly public.

At the heart of the FTC’s ability to regulate cybersecurity is fairness. While a somewhat broad concept, in this context, there is legislative guidance provided by 15 U.S.C. 45(n). The FTC cannot declare an activity unfair unless:

“The act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

The 3rd Circuit interprets this as a cost-benefit analysis: to be compliant with 45(n), organizations need to weigh the

“Probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.”

Based on this guidance, every organization that holds customer data should perform a cost-benefit analysis of its cybersecurity controls. Weigh the cost of a breach against the cost of implementing security measures. Look at the type of data you store. Is it cardholder data? Social security numbers? Patient health information? What costs would your customers incur if this information were released to criminals? Use recent examples, such as the $10.6 million from the Wyndham breaches, to help determine a number. Then look at what you are spending on your cybersecurity controls. If the gap between those two numbers cannot be reconciled, you may not be treating your customers fairly. This should be a formal, documented process, so that you can provide clear evidence of your organization’s compliance with 45(n) when the FTC investigates.

One of the most poignant quotes from the opinion, which highlights the current uncertainty in cybersecurity regulation, is the 3rd Circuit’s reference to Cf. Nash v. United States, 229 U.S. 373, 377 (1913):

“The law is full of instances where a man’s fate depends on his estimating rightly…”

Is your organization estimating its cybersecurity rightly? If you’re unsure or looking for assistance, Proficio can help you. With advanced SIEM technology, certified cybersecurity professionals, and ProSOC remediation services, we can help guide your organization through this uncertain regulatory environment.


*Disclaimer: The above content is for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. 

TARGET: SingHealth Patient Data Breach

Singapore authorities have reported a cyber-attack on SingHealth, the largest group of healthcare institutions in Singapore. It is the largest cyber-attack on Singapore-based organizations reported by Singapore news media to date. The attack appears to have resulted in a data breach affecting around 1.5 million patients who visited SingHealth between May 1, 2015 and July 4, 2018. The stolen data included personally identifiable information such as names, NRIC numbers, addresses, gender and race. Around 160,000 of these patients also had their outpatient prescription records stolen. The Prime Minister of Singapore’s personal information was targeted as part of the attack.

The attack was first identified by database administrators from Integrated Health Information Systems (IHiS) on July 4, 2018, when they noticed anomalous activity on one of SingHealth’s IT databases. By July 10th, investigators had confirmed it was a cyber-attack, with data stolen between June 27 and July 4.

Although attribution to the specific party behind the attack is speculative given the publicly available data, a statement by the Singapore Health Ministry said that “It [the attack] was not the work of casual hackers or criminal gangs.” We expect to understand more about the attackers once more technical data is available.

Proficio Threat Intelligence Recommendations:

  • Ensure that sensitive data is encrypted at rest, and limit the access of employees and other stakeholders to what their roles require, following the principle of least privilege. Stored passwords should not be encrypted but hashed with a salted, deliberately slow password-hashing function, so that they cannot be recovered even if the database is stolen, and strong password policies should be enforced.
  • Review the organization’s data retention policies covering how long, and which types of, PII data should be stored. To further limit exposure, purge customers’ PII once it is no longer needed for business purposes and no longer required to be retained by law.