Why Companies Must Adopt the ‘Assume Mentality’ When It Comes to Breaches

By Christopher Hines, Product Marketing Manager, Bitglass

Recently Target announced that the credit card data breach it suffered back in 2013 ended up costing it $162M. Now, I know some may argue that to a company like Target, that number is a drop in the bucket, and you’re right. But there is a lesson to be learned from this. Companies must realize that no security infrastructure is 100% foolproof: not the multi-billion dollar corporations, not the mom and pop shops in your local neighborhood, not the start-ups in Silicon Valley. But why?

This is the question that millions of people (maybe even yourself) are trying to wrap their heads around. Yes, your company has a dedicated security team, and has invested in security infrastructure, using technologies like SIEM solutions and products that provide “visibility.” Yet your SSN and employee information still ends up in the hands of cyber criminals!

If there is only one thing that you take away from this blog, understand this: having security in place doesn’t mean you are somehow bulletproof and exempt from breaches. There’s no hacker guide that says “Leave X company alone. They’ve got cool security.” The growing number of cloud applications like Box, Office 365 and Salesforce, coupled with the rise of BYOD at work, has allowed more data to flow outside the corporate firewall. Data is now EVERYWHERE, not just on your company’s corporate network. Your IT security team must first realize this, accept it and then solve for it. Not the easiest thing to do.

Hackers Use The Goat Paths
When King Leonidas and the 300 Spartans took on the Persian army at the Hot Gates, they believed that they could hold their ground due to the mountain’s impenetrable walls. What they failed to consider was that an old goat path that Greek shepherds often used to cut through the mountains could also be found and used by the Persian army. The Persians found the goat path and were able to surround the 300 Spartans, and defeat them. Why the random story?

Since companies want to benefit from the cloud’s flexibility and the productivity of BYOD, they also have to build ways for their employees to reach corporate data (goat paths). This simultaneously gives hackers a bigger attack surface to work with. In the past they relied mostly on malware, since data was kept inside corporate networks. Now that data has moved outside, they can also use techniques like phishing to steal employee credentials and then use those credentials to access company data. Since employees often have more access to sensitive data than they actually need, companies end up placing their data at risk.

This means that the same goat paths that company employees use to access sensitive company data can now also be used by hackers. All they need is employee credentials.

Security teams must keep these goat paths in mind.

Adopt the “Assume Mentality”
Companies must now assume that a breach is on its way and that it’s only a matter of time until they experience one. Instead of denying the possibility, make sure you prepare your IT security teammates, as well as your employees, for the inevitable.

Start building a security infrastructure designed with the goal of limiting the damage of a breach once it occurs instead of getting your hopes up on preventing them altogether.

Breaches are not preventable. But they are discoverable. Learn about Breach Discovery, a new solution that will help you limit the damage of breaches.

The Dark Side of the Web: 14 Essential Cloud Usage Facts Every CISO Should Know

By Kamal Shah, Vice President, Products and Marketing, SkyHigh Networks

Between frequent headlines on data breaches and the growth of Shadow IT, it is easy to be captivated with what people are saying, blogging, and tweeting about the state of cloud adoption and security. But the fact is – it’s hard to separate the hype from the truth, and stories about security are often rich in speculation or exaggeration.

The sixth installment of our quarterly Cloud Adoption and Risk (CAR) Report presents a hard data-based analysis of enterprise cloud usage. With cloud usage data from over 15 million enterprise employees and 350 enterprises spanning all major verticals, this report is the industry’s most comprehensive and authoritative source of information on how employees are using cloud services. And, with a full year of usage statistics, this latest edition of the report is the industry’s most comprehensive to date.

You can download the full report here. In addition to popular recurring features such as the Top 20 Enterprise Cloud Services and the Ten Fastest-Growing Applications, the latest report contains several eye-opening findings. View the slideshow below for more highlights from the report.

The Average Number of Cloud Services in Use Increased 43%

The average company had 897 cloud services in use in Q4, up from 626 in Q4 last year. This growth was lopsided across categories. Development services (e.g. GitHub, SourceForge, etc.) experienced the largest rate of growth at 97%. The second fastest-growing category is collaboration (e.g. Microsoft Office 365, Gmail, etc.), which grew 53% despite already having a high number of services in use.

The Number of CSPs with Enterprise Security Capabilities Doubled

The number of cloud service providers investing in key security capabilities more than doubled in 2014. Specifically, 1,082 (11% of all services) now encrypt data at rest versus 470 in Q4 2013, 1,459 (17%) offer multi-factor authentication versus 705 in Q4 2013, and 533 (5%) hold ISO 27001 certification versus 188 in Q4 2013. At the same time, over 89% of the cloud services lack basic security capabilities required by enterprises.

Over One Third of Employees Upload Sensitive Data to File Sharing Services

37% of employees upload sensitive data to file sharing services, and 22% of all files uploaded to file sharing services contained sensitive data. Beyond file sharing, 4% of fields in other critical business applications such as CRM contain sensitive personally identifiable information (PII) or personal health information (PHI) data subject to regulatory compliance.

One Tenth of Corporate File Sharing Is External

Analyzing the use of file sharing and collaboration services revealed that 11% of documents were shared with business partners outside the company. Of externally shared documents, 9% contained sensitive data. Even more concerning was the fact that 18% of external collaboration requests went to third party email addresses (e.g. Gmail, Hotmail, and Yahoo! Mail).

92% of Companies Have Compromised Credentials

The vast majority of companies have users with at least one stolen credential, and the average company had 12% of users affected. The most exposed industries are Real Estate, High Tech, and Utilities, while the least exposed are Government and Healthcare. With 31% of passwords reused across websites and applications, stolen login credentials pose significant risk to corporate data.

Anthem’s Breach and the Ubiquity of Compromised Credentials

By Sekhar Sarukkai, Co-Founder and VP of Engineering, Skyhigh Networks

The year is still young, and we’ve already witnessed a breach of potentially historic proportions. Anthem Inc., the nation’s second largest health insurer, released a statement last week announcing the breach of a database with 80 million customer records. Anthem estimated the number of stolen accounts at “tens of millions,” which would be the largest healthcare breach to date. For comparison, hacks at Target and Home Depot exposed 70 million and 56 million records, respectively. In this case, the records contain sensitive customer data including names, birthdays, addresses, and Social Security numbers. Fortunately, the company reported no medical or financial information was stolen.

Let’s run through the mechanics of the attack based on available information. The source of the breach was a compromised login credential. The attackers initially ran a database query using a system administrator’s credentials. They then uploaded the stolen data to a cloud storage service. Anthem declined to name the service but did mention it is commonly used in US companies. This last fact may have made the exfiltration more difficult to detect. The average company uses 37 different file sharing services, which include a mix of enterprise-ready services such as Box and high-risk services such as 4shared.

Anthem Only the Tip of the Iceberg

The circumstance through which hackers gained entrance into Anthem’s system is not rare; in fact, it is the norm. User login credentials are sold on the Darknet by professional cybercriminals. Skyhigh’s analysis of cloud usage data from over 15 million enterprise employees across 350 enterprises indicates that 92% of companies have users with compromised credentials. On average, 12% of users are affected. In other words, more than one in ten enterprise users have their credentials for sale on the Darknet. With 31% of passwords reused, according to a study by Joseph Bonneau, stolen login credentials pose a huge liability for enterprise security.

Avoiding “The Big One”

To start, companies should enforce two-factor authentication to reduce the likelihood that a stolen credential alone is sufficient to gain access to a mission-critical system. Security should also put in place role-based access control for corporate systems so that no single credential has unfettered access to all data. With the prevalence of stolen credentials available to attackers, these are critical steps in preventing a breach of this scale.
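The two controls above (a second factor so a stolen password alone is not enough, and role-based access so no single credential can reach everything) are the same answer to the earlier post’s point that all an attacker needs is employee credentials. The following is an added example, not code from Skyhigh, Bitglass or Anthem: it implements RFC 6238 TOTP on top of RFC 4226 HOTP using only the Python standard library, wraps it in an `authenticate()` step that requires both a salted-PBKDF2 password check and a valid one-time code, and adds a separate `authorize()` step backed by a role-to-permission table. The user store, passwords, roles and permission names are constructed for illustration; the TOTP secret for `dbadmin` is the RFC 6238 reference secret so the codes can be checked against the RFC’s test vectors.

```python
import hashlib
import hmac
import struct

# --- Password storage (constructed example; real systems use a random salt per user) ---
_SALT = b"constructed-static-salt"

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; stored instead of the cleartext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Hypothetical user store: each account has a password hash, a TOTP secret and roles.
USERS = {
    "dbadmin": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",   # RFC 6238 reference secret
        "roles": {"db_admin"},
    },
    "clerk01": {
        "salt": _SALT,
        "pw_hash": hash_password("clerk-password", _SALT),
        "totp_secret": b"clerk01-totp-secret!",    # constructed
        "roles": {"claims_reader"},
    },
}

# Role-based access: a single credential never carries every permission.
# Bulk export is deliberately held by a role that no user above has.
ROLE_PERMISSIONS = {
    "db_admin": {"customer_db:query", "customer_db:schema_change"},
    "claims_reader": {"claims:read"},
    "export_approver": {"customer_db:bulk_export"},
}

# --- RFC 4226 HOTP and RFC 6238 TOTP ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamically truncated to `digits`."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)

def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * 30), code):
            return True
    return False

# --- Authentication: password AND one-time code must both be right ---
def authenticate(username: str, password: str, code: str, unix_time: int) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False
    return verify_totp(user["totp_secret"], code, unix_time)

# --- Authorization: checked separately for every action, per role ---
def authorize(username: str, permission: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user["roles"])

if __name__ == "__main__":
    now = 59  # RFC 6238 test time; in practice use int(time.time())
    good_code = totp(USERS["dbadmin"]["totp_secret"], now)
    print("password only:", authenticate("dbadmin", "correct horse battery staple", "000000", now))
    print("password + code:", authenticate("dbadmin", "correct horse battery staple", good_code, now))
    print("dbadmin may bulk export:", authorize("dbadmin", "customer_db:bulk_export"))
```

The point of keeping `authenticate()` and `authorize()` separate is that a leaked administrator password fails the first gate without the second factor, and even a fully authenticated administrator fails the second gate for the bulk-export action that a breach of this kind depends on.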

There are two parts to this story, however. Security teams would be wise to guard the way out as well as the way in. In this case, and in an increasingly high number of instances, attackers used a cloud service to exfiltrate data. The cloud is an easy path for removing data from the corporate environment because many organizations lack visibility into the flow of traffic to cloud services. This points to the need for security intelligence systems that provide visibility into cloud usage and identify anomalous behavior. With this technology in place, alerts for anomalous behavior can not only identify external threats but also protect against insider threats.
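To make “visibility into cloud usage” concrete, here is an added example (not Skyhigh’s product or code) of the kind of detection logic a security team could run over outbound proxy or gateway logs. The log format, the sanctioned-service list, the per-user daily upload baselines and the sample lines are all constructed for the example. Two rules are applied: uploads to a service outside the sanctioned list, and a day’s upload volume far above that user’s own baseline. The second rule matters because, as the post notes, the service used at Anthem was a common one, so destination alone would not have looked unusual.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample lines in a simple key=value format (an assumption; real
# proxies and CASBs have their own formats). Not real Anthem traffic.
SAMPLE_LOG = """\
2015-02-05T09:14:07Z user=clerk01 dst=box.com method=PUT bytes_out=48210
2015-02-05T09:20:11Z user=clerk02 dst=box.com method=PUT bytes_out=30500
2015-02-05T10:02:45Z user=clerk01 dst=office365.com method=POST bytes_out=12000
2015-02-05T10:30:00Z user=clerk02 dst=box.com method=GET bytes_out=310
2015-02-05T02:14:07Z user=dbadmin dst=box.com method=PUT bytes_out=734003200
2015-02-05T02:31:55Z user=dbadmin dst=box.com method=PUT bytes_out=512000000
2015-02-05T11:45:00Z user=clerk03 dst=gmail.com method=POST bytes_out=150000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) "
    r"method=(?P<method>\S+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed policy data: approved file-sharing services and each user's
# typical daily upload volume in bytes (in practice learned from history).
SANCTIONED_SERVICES = {"box.com", "office365.com"}
BASELINE_DAILY_UPLOAD = {"dbadmin": 5_000_000, "clerk01": 60_000,
                         "clerk02": 50_000, "clerk03": 100_000}
UPLOAD_METHODS = {"PUT", "POST"}

def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec

def upload_totals(lines):
    """Bytes uploaded per user, broken down by destination (uploads only)."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] in UPLOAD_METHODS:
            totals[rec["user"]][rec["dst"]] += rec["bytes"]
    return {user: dict(dsts) for user, dsts in totals.items()}

def find_anomalies(lines, sanctioned=SANCTIONED_SERVICES,
                   baselines=BASELINE_DAILY_UPLOAD, multiplier=10):
    """Return (user, reason, detail) tuples for suspicious outbound cloud traffic."""
    totals = upload_totals(lines)
    # Users with no history are compared against the median known baseline.
    fallback = median(baselines.values()) if baselines else 0
    alerts = []
    for user, dsts in totals.items():
        for dst, nbytes in dsts.items():
            if dst not in sanctioned:
                alerts.append((user, "unsanctioned_service", f"{nbytes} bytes to {dst}"))
        total = sum(dsts.values())
        baseline = baselines.get(user, fallback)
        if total > multiplier * baseline:
            alerts.append((user, "upload_volume",
                           f"{total} bytes today vs baseline {baseline:.0f}"))
    return alerts

if __name__ == "__main__":
    for user, reason, detail in find_anomalies(SAMPLE_LOG.splitlines()):
        print(f"ALERT {reason:<20} {user:<10} {detail}")
```

In the sample data the administrator account uploads over a gigabyte to a sanctioned service, so only the volume rule fires for it, while the clerk sending a small file to a personal webmail address trips the destination rule. Either alert is a reason to look at the account, which is the kind of early signal the post is asking for.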

As in the vast majority of cases, no single misstep or shortcoming led to this breach. There are clear steps companies can take to lower the likelihood of suffering from a similar attack and to minimize the damage in the event hackers do gain access to corporate systems. Anthem’s breach should serve as a wakeup call to all enterprises.

What The Anthem Breach Means For Healthcare Security

By Christopher Hines, Product Marketing Manager, Bitglass

“Healthcare orgs oh how we love you so, with your data so unsecured no wonder we give it a go. SSNs, birthdays and addresses, information galore, we can’t wait until next year when we steal some more.”

This is the song that healthcare data thieves must be singing every time they gain entry into the database of a healthcare organization somewhere across the globe. This week we learned of the giant Anthem breach that may have affected over 80 million customers and may be the largest healthcare breach in history. For those of you who aren’t familiar with Anthem, they are the second largest insurance provider in the USA. Ironic how an insurer tasked with protecting their customers’ health and wellness couldn’t secure their data. The information stolen? SSNs, employee names, birthdays, addresses, email addresses and employment information.

The breach began on Dec 10th and was discovered on Jan 27th. It was the result of cyber criminals gaining access (no one is sure exactly how, but the guesses are lost mobile devices or a phishing attack) to an unencrypted database, which allowed them to then exfiltrate data. Now, to give Anthem some credit, 6 weeks actually isn’t too terrible given that the average breach today lasts for about 229 days! But the failure to encrypt sensitive data stored at rest in their database is certainly an epic fail. By now, encryption, or at least solid plans to begin encrypting, should be a best practice for any company holding sensitive data.

“You essentially have the keys to the kingdom to commit any type of identity theft.”
– Paul Stephens, director of policy and advocacy at Privacy Rights Clearinghouse, San Diego, CA

Although no medical information or credit card data was stolen, the information obtained is still more than enough for cyber criminals to cash in on (think about all of the use cases for SSNs alone). Employer information was also stolen, so who knows what the residual effects will be for the employers as well. They may find themselves at risk of hackers using employee credentials to gain access to protected databases. And just so you know, this wasn’t the first time that Anthem has caught some heat. Back in 2013 they were asked to pay a fine of $1.7 million to resolve the online exposure of PHI data from over 614,000 people due to weak security.

5 Tips for Improving Healthcare Security From Bitglass

It’s quite simple actually. Healthcare organizations must first see security as an urgent matter and realize that customer trust is not a given, but a privilege. Unfortunately, breaches like Anthem’s serve as a reminder of the lack of data security in healthcare organizations. In addition to database encryption, here are 5 tips we have devised for securing data within healthcare institutions:

  1. Establish comprehensive IT visibility and control over all data transactions
  2. Control the flow of all information
  3. Track and protect sensitive data anywhere it travels to
  4. Deploy a Single Sign-On solution for increased password security
  5. Make sure the security solution is easy to deploy and easy to use

We hope the victims of the Anthem breach are unaffected and hope that healthcare organizations take action before it’s too late for them.

To learn more about securing healthcare data, visit our healthcare security page.