by Daniel Mountstephen
First of two parts
IDENTITIES are an organization’s most significant vulnerability. Trust no one, verify everyone.
Remember Kevin McCallister, the kid from the movie Home Alone?
After waking up to find that his family had left him behind, he saw two burglars trying to break into his home. Despite his commendable efforts to secure his house from these intruders, there came a point where he had to face the facts – they were going to get in.
That’s when he really pulled out all the stops – scattering Christmas ornaments on the floor and tarring the basement stairs. Essentially, doing all he could to keep what’s valued safe.
Now, think about this in terms of your own organization’s network: How well protected is it? Are perimeter protections really enough? How sure are you that there are no unauthorized users already in the network?
Organizations today should adopt the same mindset – to trust no one, assume the intruders are already in the network, and create a series of challenges to limit their movements and keep them from the most critical systems and data.
Just like the burglars’ will to break into Kevin’s house, intruders’ knowledge of mobility, cloud, IoT and social media gives them the confidence to access an organization’s network. With each new attack surface comes the opportunity to leverage trusted identities without proper access controls.
Despite spending billions on cybersecurity and risk management, organizations are losing the fight to protect sensitive information. Employees, partners, contractors and customers can connect anytime, anywhere from any device to any resource. These freedoms make their identities prime targets for criminal hackers, who waste no time using this information to raid accounts and data.
Identity is the primary attack vector. In January 2019, Cebuana Lhuillier, an international remittance, pawning, microinsurance and micro-loaning company based in the Philippines, reported a data breach involving its email server used for marketing. The breach exposed the personal information of about 900,000 people.
The severity of the breach, however, goes beyond the huge volume of compromised information. While the company reported external attempts to use one of its servers on January 15, unauthorized downloads from its servers went as far back as August of 2018, five months before malicious activities were detected. The period of access abuse posed greater risks to the company and its customers.
Just this July, Sephora also fell victim to a data breach, compromising 3.2 million records of customers from the Philippines, Singapore, Malaysia, Indonesia, Thailand, Hong Kong, Australia and New Zealand. What was most alarming was the fact that no major vulnerability was found on Sephora’s website and no cyberattack could actually be traced.
This is indicative of how our threatscapes have evolved from traditional “hack-ins”. The modus op ches.
To be continued.
(Author is Regional Vice President, Centrify Asia Pacific & Japan)