When not if: How to detect a data breach

Australia experienced its largest data breach in history last week. More than half a million blood donors’ details were leaked by one of the country’s most critical services, the Red Cross. A third-party contractor has received the brunt of the blame: the Red Cross says the file containing the names, addresses, phone numbers, email addresses and medical details, including blood type, of 550,000 donors was left in an insecure environment on a development site. It was discovered by a person scanning for security vulnerabilities who then, through an intermediary, informed the Australian Computer Emergency Response Team (AusCERT), of which the Blood Service is a member.

The Red Cross says that, to its knowledge, all copies of the leaked data, which it attributes to pure human error, have been removed and deleted. But there are no guarantees. It also made it abundantly clear that only data from an online enquiry form was leaked and nothing from its internal secure servers, and announced that there was a low risk of future misuse. An investigation by the Privacy Commissioner has been launched and it is not yet known what repercussions are to come.

The most concerning part about detecting a security breach is the amount of time it takes to uncover. The Red Cross has not released details of how long the 1.74GB file was left on the insecure development site. In 2014 data breaches went unnoticed for an average of 2051 days. That’s over 5 years. There are even reports of companies who didn’t know their data had been compromised until 7 years later, and who only made the discovery because a third party (usually a government agency) informed them. The time between a compromise and its discovery is called the breach detection gap. It comes as no surprise that breach detection gaps are becoming longer and longer as attacks become more sophisticated. The stance can no longer be “if” an attack happens; it needs to be “when” an attack happens.

The Problem: Breach detection gap

Data breaches can take months, even years to find, and anyone can be affected. It’s not just small businesses who are vulnerable; it’s any organisation that has ever been connected to the internet. In September 2016, Yahoo discovered that the data of up to 500 million of its users had been compromised. The concerning part: the data was stolen in 2014. Yahoo allegedly only found out after a hacker was selling user accounts, including names, passwords, email addresses, telephone numbers and other data, in return for Bitcoin. How could data theft at this scale go under the radar for so long? Similarly, Stuxnet, a computer worm believed to have been built by the US and Israeli governments to sabotage Iran’s nuclear programme, operated for years before it was discovered in 2010. How?

The truth is, the attacker’s methods follow the age-old story of the tortoise and the hare: slow and steady wins the race. Attackers compromise the system while staying under the radar as much as possible. These breaches are slow to be discovered because there usually isn’t any disruption to major services on the network. Most companies won’t find out they’ve been compromised until the data resurfaces elsewhere or the hacker slips up.

We are not saying that the Red Cross leak was the result of an attack by a hacker. What we are saying is that, with the correct processes in place, the leak could have been avoided. This article explores how companies can help to avoid leaks and cyber attacks.

Change the mindset

How companies look at a potential threat (attacks and human-error leaks) needs to change, according to security expert and CTO of RedSeal Networks, Dr. Mike Lloyd. He says companies need to stop thinking of defence as a large bank vault with a big door. Instead, they need to consider their company as a big city with many different entry and exit points and multiple areas that could contribute to a breach. He suggests that collecting Big Data and analysing the patterns increases the chance of detecting a breach. The issue that will still need to be resolved is setting up a system that can collect vast volumes of data and monitor it in a way that produces a result, or spots the attack before it’s too late.

In a comment to Dark Reading, RSA Advanced Cyber Defence Practice Senior Director Peter Tran said the location of monitoring technology matters, and so do the rules that are applied to monitoring. For instance, detection rules should be based on behaviours that suggest harm to the system is likely, as opposed to signature-style rules that only trigger on actions already known to be associated with exploitation of a system.

When a company’s mindset changes toward dealing with a potential attack or leak, as opposed to attempting the impossible task of preventing them altogether, it can start to think about different ways to respond to data breaches. This leads us to the importance of monitoring technology location. Dr Lloyd says there are three key steps companies need to take to have the optimal chance of detecting a security breach.

Map your infrastructure

Mapping a company’s infrastructure has two key purposes. First, it gives the organisation a full picture of how big its “city”, that is, its network, actually is. The deeper or more distributed the network is, the harder it is to detect cyber attacks, including malware and specifically targeted advanced threats. Secondly, once a company has a map of its infrastructure, the security team can begin to work out where detection sensors should be placed.

Lay out sensors for detection

Sensors should be placed at obvious weak spots, but also at points spread throughout the network. This allows network activity to be monitored systematically and helps analysts see when the status quo is disrupted. An example of an obvious weak spot is a remote site of a distributed network. These are often the most vulnerable because deploying the main security system across a range of locations can be too costly. But if a company is serious about protecting its data, these side doors must be monitored.

Analyse the data

Lastly, and not surprisingly, the collected data must be monitored and interpreted. The important part is how security experts understand the data extracted from packets on the network. Dr Lloyd suggests companies design zones into their infrastructure and monitor the boundaries between them. Zoning into separate areas helps analysts extract meaningful insights from the copious amounts of data in small sections at a time. It also means unusual activity can be spotted more quickly: he says companies should be on the lookout for custom tunnels, unauthorised proxies, unauthorised remote desktop (RDP) sessions and file transfer applications. Forensic Magazine also suggests security analysts keep an eye out for suspicious activity as well as granular proof, for example machines behaving differently or a user reporting that they opened a bad email. All must be investigated. The same applies to network flow: are large amounts of data leaving the network from a particular machine? Servers send a lot of data, but workstations typically don’t. Analysts must remain vigilant.
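The following is an added example, not code from the original article or from RedSeal, showing how the behaviour-based rules described above (Peter Tran’s point about rules keyed on harmful behaviour, and Dr Lloyd’s list of things to look for) can be run over NetFlow-style records. It assumes a host inventory and zone map produced by the “map your infrastructure” step; the zones, host roles, approved jump host and proxy, the egress threshold and every flow record are constructed for illustration.

```python
"""Behaviour-based triage of flow records: flag workstations sending unusually
large volumes out of the network, RDP sessions from hosts that are not the
approved jump host, and internal hosts quietly acting as proxies for other
internal machines. All inventory data and flows below are constructed samples."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed zone map: the output of the "map your infrastructure" step.
ZONES = {
    "user": ip_network("10.1.0.0/16"),
    "server": ip_network("10.2.0.0/16"),
    "remote": ip_network("10.3.0.0/16"),   # remote site, the "side door"
}
# Constructed host roles; servers are expected to send a lot, workstations are not.
HOST_ROLES = {
    "10.1.0.5": "workstation", "10.1.0.9": "workstation",
    "10.2.0.10": "server", "10.2.0.20": "server",
    "10.3.0.7": "workstation",
}
APPROVED_RDP_SOURCES = {"10.2.0.20"}          # assumed jump host
APPROVED_PROXIES = {"10.2.0.10"}              # assumed corporate forward proxy
WORKSTATION_EGRESS_LIMIT = 50 * 1024 * 1024   # assumed 50 MiB per day baseline
PROXY_PORTS = {3128, 8080}
RDP_PORT = 3389


def zone_of(ip):
    """Return the zone name for an address, or 'external' if it is not ours."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def analyse(flows):
    """flows: iterable of dicts with keys src, dst, dport, bytes (one record per
    flow). Returns a list of (rule, host, detail) findings."""
    egress = defaultdict(int)          # bytes sent to external addresses per host
    proxy_clients = defaultdict(set)   # internal hosts using each unapproved proxy
    findings = []
    for f in flows:
        src, dst, dport, nbytes = f["src"], f["dst"], f["dport"], f["bytes"]
        dst_zone = zone_of(dst)
        if dst_zone == "external":
            egress[src] += nbytes
        # Any RDP session not originating from the jump host is unauthorised,
        # whatever zone it comes from (remote sites included).
        if dport == RDP_PORT and src not in APPROVED_RDP_SOURCES:
            findings.append(("unauthorised_rdp", src, dst))
        # Internal host listening on a proxy port that is not the approved proxy.
        if dport in PROXY_PORTS and dst_zone != "external" and dst not in APPROVED_PROXIES:
            proxy_clients[dst].add(src)
    for host, total in egress.items():
        if HOST_ROLES.get(host) == "workstation" and total > WORKSTATION_EGRESS_LIMIT:
            findings.append(("workstation_egress", host, total))
    for host, clients in proxy_clients.items():
        if len(clients) >= 2:   # one client could be a misconfiguration; two is a pattern
            findings.append(("unauthorised_proxy", host, len(clients)))
    return findings


# Constructed sample flows for one day.
SAMPLE_FLOWS = [
    {"src": "10.1.0.5", "dst": "203.0.113.10", "dport": 443, "bytes": 2_000_000},    # normal browsing
    {"src": "10.1.0.9", "dst": "198.51.100.7", "dport": 443, "bytes": 90_000_000},   # large upload...
    {"src": "10.1.0.9", "dst": "198.51.100.7", "dport": 443, "bytes": 30_000_000},   # ...from a workstation
    {"src": "10.2.0.10", "dst": "203.0.113.10", "dport": 443, "bytes": 500_000_000}, # server, expected
    {"src": "10.3.0.7", "dst": "10.2.0.20", "dport": 3389, "bytes": 10_000},         # RDP from remote site
    {"src": "10.2.0.20", "dst": "10.2.0.10", "dport": 3389, "bytes": 10_000},        # RDP from jump host
    {"src": "10.1.0.5", "dst": "10.1.0.9", "dport": 8080, "bytes": 5_000},           # workstation used as proxy
    {"src": "10.3.0.7", "dst": "10.1.0.9", "dport": 8080, "bytes": 5_000},           # by a second client
    {"src": "10.1.0.5", "dst": "10.2.0.10", "dport": 3128, "bytes": 5_000},          # approved proxy
]

if __name__ == "__main__":
    for rule, host, detail in analyse(SAMPLE_FLOWS):
        print(f"{rule:20} {host:12} {detail}")
```

Note that none of the three rules depends on a known-bad indicator: the workstation sending 120 MB out is flagged because of its role and volume, the remote-site RDP session because it did not come from the jump host, and the workstation on port 8080 because two other internal machines are using it. The threshold and the list of approved hosts are exactly the kind of per-zone baseline the zoning advice above is meant to make manageable.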

Preparing your team for an attack

The only way to prepare a security team for an attack is to test it by running a mock breach. This helps a team stay alert and teaches its members what’s expected of them, what to do and who to contact in the event of a breach. Approaching the problem like this also helps the company spot critical skills gaps and gives it time to hire someone to fill the gap or train a staff member. This is a proactive step to combat an attack, rather than a reactive one.

In the event of a leak

If personal data is leaked or breached, it’s imperative that companies do what they can to rectify the problem as soon as possible. Within hours of being notified about the donor information leak the Red Cross took complete responsibility, a very rare approach. It is also doing everything in its power to reduce the damage and potential exposure of the victims, and its efforts in the wake of the breach have been praised by IT security experts.

All companies are vulnerable to a data breach, and the truth is that it really is a matter of when, not if. There are precautions you can take to reduce the likelihood and impact of cyber attacks and of leaks caused by human error. To learn more, view the Cyber Security program for CeBIT Australia 2017 today!