Within 2 months over 230 million accounts have been breached

The last 2 months have been a busy time for hackers; Facebook had some 50 million accounts hacked and looks to be facing a $1.63 billion fine in the EU as a result. Then there was the earlier hack of Huazhu Hotels Group affecting over 130 million people. It appears hackers have never had it so good.

In total some 230 million records of personal information have been stolen out of computer systems in the past 8 weeks, involving 15 different organisations or businesses in various countries (US, AU, UK, SG, CA and China). Or, to look at it another way, just over 47 records of PII per second for 8 weeks!

When one looks at what has been reported, the two main vectors for how the data got breached involve either an insecure backup system (Perth Mint and Huazhu Hotels Group) or API/interface weaknesses (Facebook, Air Canada & T-Mobile) – the common ‘mode’ here being the use of a third party, either directly or indirectly, as part of the service offering. This is very similar to what also occurred with BA (JavaScript injection via a third-party hosted script to steal credit cards).

It’s also interesting that databases figured directly in attacks that stole over 170 million records (Chegg, Perth Mint, Huazhu Hotels Group & Sitter), where hackers got direct access to the databases (or a dump of the database) and made off with a complete copy. Malware was also a major vector, involved in the theft of some 7.9 million records (Shein, SingHealth and Maine Community College).

To me, there are a few takeaways from this:

  • Over-dependence on third parties for mission-critical data security is a false economy – as any good security person knows, complexity is the enemy of security, and putting your data onto another service, no matter how good they claim their security is, is just one more degree of complexity to deal with. So, in order to minimise this added complexity, you need to adopt techniques like encryption at rest at the database level (so access to the database is not enough to make use of what is in it, as key fields are themselves encrypted). Sensitive data should never be stored ‘in the plain’, where it can be read straight off a disk.
  • Endpoint security, and exactly what is used to access sensitive data, needs careful consideration – should people be reading their emails on the same machine they use to log into sensitive data systems? Don’t try to solve this problem by layering on more fancy monitoring; you will just know sooner that all your data has been stolen. Specific restriction and segmentation is the way to go – break the ability of hackers to move laterally to access data. If employees still need to read email, give them a restricted laptop or Chromebook that cannot access the sensitive systems.
  • Layered security controls are key – in any system, there should never be just one thing stopping a bad actor from doing something. Controls need to overlap in scope and in the tests they perform. This way a mistake or weakness at one layer is covered by at least one layer below it. Especially in this day and age of rapid or agile software development, what was an idea in the morning could be in production in the afternoon – such a rate of change works against effective security, so you have to compensate with layered security, so that the rate of change ‘on top’ does not perturb the security ‘below’.
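The first takeaway, encrypting key fields so that a database copy or backup is useless on its own, is shown below as an added example in Go (not code from the post or the book). It assumes the application holds the keys outside the database (a KMS or HSM in practice; the test constructs them) and uses AES-256-GCM for the field plus a separate HMAC ‘blind index’ so the application can still look records up by email without ever storing the email in the plain.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Vault holds the application-side keys; the database only ever sees their outputs.
type Vault struct {
	aead     cipher.AEAD
	indexKey []byte
}
// NewVault takes a 32-byte AES-256 field key and a separate HMAC key (from a KMS/HSM in practice).
func NewVault(encKey, indexKey []byte) (*Vault, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail: AES always has a 16-byte block
	return &Vault{aead: aead, indexKey: indexKey}, nil
}
// Seal encrypts a field under a fresh nonce, binding the row ID as associated data.
func (v *Vault) Seal(rowID int, plaintext string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := v.aead.Seal(nil, nonce, []byte(plaintext), []byte(fmt.Sprint(rowID)))
	return append(nonce, ct...), nil // stored column = nonce || ciphertext || tag
}
// Open reverses Seal; it errors on a tampered blob or a value moved to another row.
func (v *Vault) Open(rowID int, blob []byte) (string, error) {
	if n := v.aead.NonceSize(); len(blob) >= n {
		pt, err := v.aead.Open(nil, blob[:n], blob[n:], []byte(fmt.Sprint(rowID)))
		return string(pt), err
	}
	return "", fmt.Errorf("stored value too short to be a sealed field")
}
// BlindIndex is a keyed HMAC so equality lookups work without storing the email in the plain.
func (v *Vault) BlindIndex(email string) string {
	m := hmac.New(sha256.New, v.indexKey)
	m.Write([]byte(email))
	return hex.EncodeToString(m.Sum(nil))
}
```

A dump of such a table yields only nonces, ciphertext and HMAC values; without the application keys none of the PII is recoverable, and a ciphertext copied into another row fails to decrypt.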

All these techniques and many more are covered in my new book ‘Personal Information Security and Software Architecture’, which is a security handbook for software engineers, architects and managers on how to effectively secure sensitive data in computer systems and comply with the new wave of privacy regulations at the same time. It is based on over 15 years of experience securing online computer systems that dealt with many types of sensitive data.