More dispatches from the front for this week’s post. Cloudflare, a premier cloud hosting and security provider was compromised back in September 2016. Several lines of faulty code in an HTML parser allowed user session data (cookies, credentials, keys, tokens, etc.) to be scattered about unrelated web sessions by the millions. This data was apparently spread in plain-text and is very difficult to remediate since the information was randomly dropped into unrelated sessions across a massive customer base. According to Cloudflare, the worst data leakage occurred between February 13 – 18th 2017.
I was approached by Snapmunk to provide commentary on this issue, which I did. However I have also have provided similar advice to clients more times than I care to count. We can point back to when the Heartbleed bug was identified back in 2014 but had been running rampant since 2012. Remediation of this issue isn’t the investment of a boatload of expensive tech solutions but can tackle this problem
Here a few of the tips I have provided:
1. What steps would you advise businesses affected by Cloudflare’s data leak take following the leak? How should they go about damage control?
They should immediately activate their breach incident response program. Then coordinate with Cloudflare on a daily basis to ensure they have the latest information on the scope and impact of the Cloudbleed breach. Depending on where the company is located they may have to contact state and local authorities that they have been impacted by the Cloudbleed.
The most proactive damage control would be to contact the users of your company’s services immediately. State what actions you are taking to address the breach and have a defined plan to follow up with those customers to keep them informed.
Internally these companies must review their security posture from top to bottom. Ensure that the CloudBleed incident did not compromise credentials that can access corporate assets and cause further security breaches in the future.
2. What can we learn from a breach like this?
We can assume that Cloudflare was using the latest security technologies with a focus on a “Defense-in-Depth” strategy. However one error in a line of code invalidated millions of dollars in expensive technology. The takeaway for both consumers and companies is no technology service is 100% percent secure. Companies will need to aggressively review software for vulnerabilities. This will sometimes mean very expensive software migrations from legacy applications. On the consumer side, customers have to realize that using the same password for multiple sites, especially sensitive ones, is a very bad idea.
3. How could companies have preemptively prepared for an error like this?
Responding to data breach response is a multifaceted operation. An organization will need a viable incident response plan and program in place to address the immediate issues. These issues would include stolen mobile devices, compromised endpoints, enterprise software and servers or blocking social engineering attempts.
In the event of a data breach, the Compliance, Security and Executive teams must have a course of action that starts at incident response all the way to reporting the issue state and federal authorities as well as their customers.
There are few “must have tools” for implementing the best IT security infrastructure. This includes appropriate firewall, endpoint protection and network monitoring suites. However there are some basic components to an effective security program that do not involve large technology expenditures.
One is to keep your infrastructure (servers, applications, workstations, networking gear) up to date (software patches, hardware refreshes), physical security around critical components, endpoint protection (anti-virus / anti-malware) and user training. Most security breaches gain a toe-hold due an error by the user or malicious user intent.
On the risk management process side, organizations should know what is riding on their network and accessing their applications. With appropriate asset, network, log and mobile device management controls this would be a relatively “easy” process. However certain industries, healthcare and government for example, lacks a certain IT maturity level that other industries take for granted (see Financial). Establishing proper asset management and data management processes and procedures should be a high priority for industries with sensitive information.
All of these basic tips contribute to a “Defense-in-Depth approach or layered to enterprise security.
Second, cybersecurity threats are constantly evolving and quite a few of today’s leading threat prevention technologies can miss zero-day and malware attacks frequently. In order to mitigate this risk, an organization needs to devote significant resources to monitoring the corporate environment for suspicious activity, such as ransomware encryption processes, application behavior, multiple invalid logins, rogue access points and phishing / whaling email activity.
4. What common mistakes do companies make when it comes to light that their users’ privacy has been compromised?
The biggest mistake companies make is to ignore or sweep under the rug the fact that they have a breach. Executives want to avoid bad press, costly fines, expensive credit monitoring and notification letters etc. Also, many times a company is simply not prepared to handle a breach response of any significance so avoidance of reporting becomes the de facto response.
Secondly, companies may respond to a breach but they do not take the lessons they learned during the event and apply it to future operations. This could mean expensive infrastructure changes, additional staffing or migration to a new software platform. If the cost of the breach was relatively low, there is little appetite for significant security expenditures.
5. What can users do following a data breach like Cloudflare’s to prevent identity theft?
Change your passwords. Especially to critical sites such as banking, investment, healthcare, social media. Anything with sensitive information.
Don’t’ use the same password for all your websites. I know this is tough but one password that controls all your online presence is far too risky.
Use stronger passwords, at least 12 characters with a mix of letters, number and special characters if possible. This won’t help if passwords aren’t encrypted on the vendor side but it adds a bit more security.
Use a password manager if you have a large online presence. KeePass, LastPass, 1Password, etc. all store you passwords in an encrypted format. The app then allows you to plug you passwords into your sites without laboriously typing them in. Of course these software tools also have vulnerabilities but this is a risk reduction exercise.
Finally, enable two-factor authentication where you can. Google, Apple, Microsoft, Amazon, Twitter etc. all support this option. It will send you an email stating someone is attempting to change your password or accessing from an unknown device and request a token sent to your phone as additional authentication.
Nothing earth-shattering right? Yet we know that companies will continue to not invest in software security, training and monitoring. Users will keep using the password “princess123”.
Let me know your thoughts in the comments below.