IT Security Rewind: The Continued Rise of Privileged Attacks (our eBook Preview Edition)
Posted on April 23, 2012 by Josh Arrington
As part of this week’s IT Security Rewind, we have decided to take a deeper look at recent massive data breaches to demonstrate how attackers continue to exploit administrative and privileged accounts to inflict system-wide damage. We’ll also preview our soon-to-be-released eBook, which covers similar ground through a more historical examination and a discussion of solutions to effectively manage, secure and mitigate the threats associated with privileged credentials.
Data Breaches Gone Wild
First, let’s take a look at some recent attacks that have forced IT insiders and stakeholders to reevaluate their proactive approaches to security and access control:
- Last December, the U.S. Chamber of Commerce confirmed that compromised administrator accounts led to an attack by Chinese hackers. The breach compromised the information of the Chamber’s 3 million members.
- In March of this year, a Global Payments breach exposed financial data belonging to 1.5 million users of Visa and Mastercard. Analyst firm Gartner has claimed the attack resulted from a weak authentication mechanism that enabled access to an administrative account.
- Most recently, this month, attackers were able to exploit health records stored by the Utah Department of Technology Services by cracking a “weak” default administrative password. Once inside, the servers, and the data housed there, were compromised.
The Privileged Pathway
In all three of these well-publicized cases, hackers were able to bypass perimeter security controls to gain access to target systems through the same poorly protected and wide-open gateway: privileged and administrative accounts. In each case, once inside, attackers leveraged the privileged account to gain access to additional servers, databases and other high-value systems that only a select few people are actually granted permission to access. The result, as demonstrated by the above, is easy access to millions of sensitive records.
Unfortunately these accounts have emerged as a primary target for hackers because infiltration is possible through rather simple means—an easy-to-crack password, spear-phishing or exploitable zero-day vulnerability. In the Utah case, it was a weak password that was supposed to protect a very sensitive privileged access point on a server that caused the breach.
The Problem with Sharing
The problem that continues to persist is that privileged accounts are often shared with passwords that are rarely changed. This remains the great paradox in the world of identity and access management and security in general—while attackers are targeting these incredibly sensitive access points, personal passwords to websites such as Facebook have even higher standards of security and strength.
These vulnerabilities are not limited to a specific industry – we see it across the spectrum. In fact, this is very similar to the weaknesses and vulnerabilities at the Bonneville Power Administration highlighted by the Energy Department. Auditors uncovered 11 servers configured with weak passwords – including one that hosted an administrative account with a default password.
While troubling, reports of this nature are commonplace and are a contributing reason as to why we continually see massive breaches of this nature in the headlines.
Cyber Attacks and Privilege: Stay Tuned for More
For Cyber-Ark, these trends and developments are startling but not novel. Next week, we’ll be releasing a new eBook, “Don’t Give Cyber Attackers the Privilege,” focused specifically on the proliferation of cyber attacks targeting unmanaged privileged accounts. The report outlines a history of this abuse dating back to January 2010 through a compilation of privilege-related attacks. The eBook also outlines the steps required to control these access points through privileged identity management.
IT Security Rewind: The Week of March 12
Posted on March 19, 2012 by Josh Arrington
With several major security shows like the U.S. RSA Conference 2012 and Black Hat Europe behind us, and several more in the queue, the industry is tireless when it comes to elevating awareness around the evolving threat landscape. And it has to be, as it seems hackers never ease up in their relentless pursuit of vulnerabilities to exploit. With that said, let’s take a look at some topics that are generating buzz in IT security. We’ll dub this our IT Security Rewind: March Madness Edition!
No Longer Privileged: Employee turnover is a cost of doing business, but what happens when an employee with privileged user account access (e.g. a sys-admin) leaves the company? Apparently not enough. An IT Director piece examines the propensity of organizations to ineffectively close out the user accounts of inactive sys-admins. Fortunately, proactive removal and monitoring of privileged accounts is a central tenet of effective privileged identity management best practices. Organizations should avoid risks by deploying solutions that grant privileges on an ‘as needed’ basis.
APT? What’s in a name? The pursuit of a precise definition continues to perplex the IT security community, and this week CSO took a stab at truly defining the term through an in-depth feature. The article focuses on the basic components of an APT, the normal actors involved, and some common attack vectors. One glaring omission: The piece does not address the privilege escalation angle that is commonly associated with most APTs.
Password: You are the Weakest Link. Goodbye: Joe McKendrick of ZDNet compiled an insightful follow-up post to the results of the Trustwave 2012 Global Security Report which highlights how poor IT password management persists as the largest security concern facing most organizations. The report indicates that “the use of weak and/or default credentials continues to be one of the primary weaknesses exploited by attackers for internal propagation.” As McKendrick describes, the use of default (and hardcoded) passwords, in particular, creates system-wide vulnerabilities that enable hackers to attack with limited sophistication.
That’s it for this week—what else is making you “mad” about IT security?
IT Security Rewind: The RSA Edition
Posted on March 6, 2012 by Josh Arrington
After a jam-packed week in San Francisco, the Cyber-Ark team is home – a little tired but also inspired by our experiences at IT security’s biggest conference of the year – RSA 2012. In addition to the great buzz associated with the launch of our brand new product – Privileged Session Manager version 7 – we decided to use this week’s IT Security Rewind to reflect on the week and provide you our take on major RSA show news and events.
Art Coviello Takes the Hot Seat…
Ahead of his keynote presentation that kicked off RSA, Art Coviello sat down with AllThingsDigital reporter Arik Hesseldahl to answer seven questions about one of the most highly publicized cyber-security attacks, which occurred almost one year ago – the RSA security token hack. While he didn’t reveal anything new about the hack, Art did offer his words of advice, “the bottom line is that we do hope, in the final analysis, that people have more of a sense of urgency in protecting themselves, because the truth of the matter is that we weren’t alone.” This quote set the tone for the RSA show as IT professionals looked back on a year of sophisticated APTs and examined the future of how we will go about protecting ourselves.
Verizon gives a preview…
In time for RSA, Verizon published a snapshot of data from its upcoming 2012 Data Breach Investigations Report, revealing that more than 85 percent of the data breach incident response cases investigated by Verizon Business last year originated from a hack, and more than 90 percent of them came from the outside rather than via a malicious insider or business partner. However, the preview also found that “the most commonly used venue for breaches was exploiting default or easily guessed passwords, with 29 percent of the cases last year.” RSA and the U.S. Chamber of Commerce are just a few organizations that learned the privileged identity management lesson the hard way.
If you forgot to tune in on Sunday…
Keeping with some core themes from the RSA show…if you’re curious to hear what retired Gen. Mike Hayden, former head of the National Security and Central Intelligence agencies had to say about Stuxnet and similar cyber weapons, 60 Minutes aired a segment on Sunday that shows just how real cyber threats are and how serious government agencies are taking the threat of future attacks. FBI Director Robert Mueller stated, “I do believe that the cyber threat will equal or surpass the threat from counterterrorism in the foreseeable future.” If you missed “Stuxnet: Computer worm opens new era of warfare” you can watch the full segment here.
What were your best RSA moments this year? Comment below!
IT Security Rewind – Week of February 13, 2012
Posted on February 22, 2012 by Josh Arrington
This week’s IT security news coverage was shaped largely by the fall-out associated with Nortel’s 10-year data breach, which has now been cited by some as one of the primary factors in the company’s ultimate downfall, with some speculating that competitors were able to gain access to sensitive IP over the course of a decade. Here are several stories we think offer the best perspectives on the breach.
- History of a Decade-Long Hack: According to the Wall St. Journal, using seven passwords stolen from top Nortel executives, hackers penetrated Nortel’s computers, repeatedly downloading technical papers, R&D reports, business plans, employee emails and other documents. From our standpoint, this is another high-profile example of the need to better manage and control privileged access. With relative ease, it appears the hackers were able to use the passwords to access the network, then, once inside, elevate privileges in order to access sensitive data and information. From an industry standpoint, Nortel’s ‘inaction’ is inexcusable.
- Expect Defenses to Fail: So what can we learn from all this? Information Week published a piece that took a first crack at some answers, “8 Lessons From Nortel’s 10-Year Security Breach.” Some quick takeaways? Expect defenses to fail, conduct a thorough forensic analysis and expect greater accountability.
- An Empowering Cybersecurity Bill?: In other news, a bipartisan group of senators introduced long-awaited cybersecurity legislation, called “critical” in order to avoid our country suffering a “catastrophic attack.” According to CSO, this is a comprehensive bill that would encourage the sharing of information about threats and attacks between government and industry. Specifically, the Cybersecurity Act of 2012 would give the Department of Homeland Security power to regulate the kind of company security protections government deems necessary to protect critical infrastructure, such as power and phone companies, water and treatment plants, wireless providers and other companies based on DHS risk assessments.
We’d like to hear your thoughts. What lessons do you think we can learn from Nortel? What are your hopes for outcomes from the Cybersecurity Act?
IT Security Rewind – Week of January 30, 2012
Posted on February 6, 2012 by Josh Arrington
At Cyber-Ark we don’t typically like to brag about our achievements, but we have had such a great week that we can’t help but show off a bit. This year we have been shortlisted for not one, not two, not even three but FOUR SC Magazine Europe Awards! We are very excited and wanted to send our congratulations to all of the finalists that were also shortlisted in the Best IAM Solution, Best Remote Access, Best Security Management and Information Security Product of the Year Categories. While we’ve been celebrating we’ve also been paying close attention to some evolving stories in cyber legislation as well as an interesting twist on a phone hacking and wanted to put stories out there to get our readers’ opinions:
- Bloomberg Businessweek reported that the Cyber-Security bill has been delayed in reaching a vote on the Senate floor. The Senate bill would authorize the Homeland Security Department to identify infrastructure that’s “considered critical to U.S. economic and national security” and develop standards that must be met to protect it. Understanding the security threat that cyber war poses to our nation and the number of sophisticated hackers out there, advisors are doing their best to educate the Senate on the urgency behind this bill. Bruce McConnell, a counselor to Napolitano on cyber security matters, stated, “What we were here today to do was make sure the Senate understands the severity and importance of the threats that we’re facing and the need for action.”
- Trying to hide your organization’s data breach? VeriSign proved this week that you can actually get away with it. After scouring 2,000 SEC filings Reuters reported this week that VeriSign was actually hit by hackers back in 2010 but did not report the breach until their SEC filing in October of 2011. How is this possible when the company states that “more than half (56%) of the world’s DNS hosts rely on the VeriSign .net and .com infrastructure”? Well, as long as credit card data isn’t involved organizations actually aren’t forced by the government to reveal a breach to the public.
- Finally, FOX News and other outlets reported that a phone call between the FBI and Scotland Yard was recorded and released online by the hackers in Anonymous. Luckily, the FBI said that there was no classified information on the call, but it was still accessed illegally. Anonymous tweeted that they were able to hack the phone call by compromising an investigator’s emails. If the call is authentic, it is quite jarring that the group was able to hack into the very call that discussed proceedings for past offenses.
We’d love to get your thoughts on these legislative issues as well as the phone hacking – do you think the Senate is taking the threat of cyber war seriously? Should VeriSign have been forced by law to reveal that they were breached? Is Anonymous a bigger threat than we anticipated?
Let us know in the comments!
IT Security Rewind – Week of January 9
Posted on January 13, 2012 by Josh Arrington
It’s time for the first IT Security Rewind of 2012. While 2011 was certainly shaped by several spectacular security breaches, if the beginning of 2012 is any indication, then we are in for another wild ride.
NoSQL is No Small Problem: Dark Reading shines some “light” on a serious vulnerability to track in 2012—the security flaws of database technology NoSQL. The article highlights that as with many traditional database technologies, the proactive management of privileged identities is a critical component to ensuring an effective security posture within these systems.
SCADA Issues Persist: There’s no lack of examples when it comes to highlighting the prevalence of vulnerabilities that exist in SCADA Systems. As Sara Yin of Wired highlights through coverage of a recent presentation by Blake Cornell, an independent security researcher, default passwords have played a significant role in recent incidents, including the Siemens breach. Again, it’s increasingly evident that using advanced privileged identity management technology can be part of an effective solution for managing these risky passwords that can be manipulated to gain wide-scale system access and control.
Consumerization of IT Risk: Consumerization of IT has carried over as a hot topic for the security industry—is it 2012’s “cloud”-like buzz word? More importantly, what types of security risks does this trend pose? As reported in NetworkWorld, a survey of 520 CIOs found that 77% said they worry that “further consumerization of IT will lead to greatly increased business risks.” As enterprise technology continues to “go mobile”—this will be an important development to track, especially as individuals use mobile devices, such as phones and tablets, to share and exchange sensitive information.
So, 2012 begins. Let us know your predictions on the biggest security topics to watch for this year.
IT Security Rewind – Week of November 28
Posted on December 5, 2011 by Josh Arrington
Returning from a holiday break is never easy, so if you were slightly neglectful of your industry news this week, don’t fret – we’ve got it covered. It may have been a week of turkey hangovers for some of us, but the IT industry was busy reporting end-of-year recaps, forecasts for 2012 and, of course, breaking news. Here is our summary of this week’s hottest stories.
Looking to achieve a life of “privilege” as an IT security pro? InformationWeek posted its annual “Best Paying IT Security Jobs In 2012” article and guess what? Security professionals can expect salaries to increase by an average of 4.5% in 2012—not bad in such a tumultuous economy. If you are a security professional in a midlevel/senior role you are in a great position as demand is high. Supply, however, remains a different matter. Robert Half Technology said it expects to see “an abundance of positions and a shortage of skilled candidates.” As expected, the article also reported demand would soon increase for people who could manage “privileged identity management.”
Cyber crime linked to terrorism – In far more serious news, the FBI has revealed that four hackers were arrested in the Philippines last week in connection with an organized attack on the clients of U.S. telecommunications giant AT&T. Law enforcement officials believe the suspects were employed by the terrorist group Jemaah Islamiyah, which has been linked to numerous bombing attacks. According to Reuters, the FBI claims that AT&T’s customers, not the carrier itself, were the targets of the hackers. An anonymous source reportedly added that the hackers breached the phone systems of AT&T customers and made calls to expensive international premium-rate services.
Water-pump hack pumped with errors – The SCADA hack that resulted in a water pump being destroyed has proven to be false – Wired reported this week that a contractor who was supposed to work on the system logged in according to permissions during a vacation trip to Russia, which was misconstrued as an outside hack. In truth, the water pump simply burned out, as pumps are wont to do, and a government-funded intelligence center incorrectly linked the failure to an internet connection from a Russian IP address months earlier.
That about wraps it up for this week – we’d love to hear your thoughts on this week’s happenings – leave your comments here…
IT Security Rewind – Week of November 14, 2011
Posted on November 21, 2011 by Josh Arrington
The Thanksgiving holiday is a great time to reflect on the things we are grateful for in IT security like data protection, fraud prevention, identity management and other preventative approaches. Here’s our look at the biggest stories of the week, where those approaches may have failed. IT teams take note, don’t let these headlines ruin your turkey dinner:
From Russia, with No Love: According to reports from Wired and CNET, hackers from Russia were able to destroy a water pump at a utility in Illinois by hacking into its SCADA system. This is a disturbing attack, as the hackers apparently breached the network of the company that made the SCADA system, stealing customer usernames and passwords. Worse—this appears to be very similar in scope and process to the recent RSA breach, and it also highlights the continued vulnerability of SCADA systems to these types of attacks (and the importance of controlling privileged access points and hardcoded passwords).
No Safe Space: Details are just beginning to emerge surrounding news of a Romanian hacker accused of hacking into NASA beginning on Dec. 12, 2010. Authorities claim that the hacker was able to obtain unauthorized access to protected data—an indication that abuse of privileges may have occurred. The hacker, who ended up destroying most of the data, was arrested and charged with multiple crimes.
No One Loves the IRS, Especially the GAO: In broader security news, the Government Accountability Office (GAO) has blasted the Internal Revenue Service (IRS) for failing to implement stronger security measures after numerous reports regarding organizational weakness in internal control over information security. The GAO takes particular exception to the IRS “deficiencies in its controls over access to the automated systems and software applications” and other weaknesses that “increase the risk of unauthorized individuals accessing, altering, or abusing proprietary IRS programs and electronic data and taxpayer information.” If the details are true, it’s quite evident that the IRS is not effectively and proactively managing privileged accounts and identities.
That’s our news for this week—let us know what we missed, and what you are, or aren’t thankful for in the realm of IT security!
IT Security Rewind – Week of October 10, 2011
Posted on October 17, 2011 by Josh Arrington
This week we honored Christopher Columbus, someone who undoubtedly took a major risk and in the end, discovered something completely new. Thus it is appropriate that in this week’s IT Security Rewind we must report the passing of the visionary Dennis Ritchie, creator of the C programming language and co-developer of the Unix operating system. eWeek.com provided the following quote from Jeong Kim, president of Alcatel-Lucent Bell Labs, “Dennis was well loved by his colleagues at Alcatel-Lucent Bell Labs, and will be greatly missed. He was truly an inspiration to all of us, not just for his many accomplishments, but because of who he was as a friend, an inventor, and a humble and gracious man. We would like to express our deepest sympathies to the Ritchie family, and to all who have been touched in some way by Dennis.” To read more about Dennis’ accomplishments visit: http://www.eweek.com/c/a/Security/Dennis-Ritchie-Founder-of-Unix-C-Dies-at-70-215748/.
In other security news this week:
FTP may be dying but collaboration is not: eWeek’s Cameron Sturdevant (@csturdevant) took a look at the effect of the consumerization of IT on collaboration tools, highlighting some major security vulnerabilities that have arisen with the adoption of these free SaaS tools. With the proliferation of mobile devices, Sturdevant emphasizes the importance of regulations in file sharing, stating, “There are reasons to put boundaries on user collaboration, and licensed SaaS and on-premise tools are often best equipped to put these restrictions into practice. Blocking restricted data is among the chief reasons to curtail user file sharing. Helping well-meaning employees stay on the right side of the law when it comes to using regulated data is an important feature that is missing from nearly all the no-cost Internet services.” We completely agree and hope that Sturdevant will check out our secure file transfer solution to see how we successfully secure data in transit.
The real threat is still Inside: Despite constant media chatter around advanced persistent threats and external hackers, Dark Reading reported on a study that serves as a good reminder to organizations to look for threats within company walls. The study, conducted annually by Amplitude Research on behalf of VanDyke Software, found that “of the many reasons cited for network intrusions, more than half could be attributed to internal issues: lack of adequate security policies (17 percent); employee negligence (12 percent); unauthorized access by current or future employees (11 percent); employee Web usage (6 percent); and lack of software updates (6 percent).” Surprisingly, hacker/network attacks accounted for only 14 percent of intrusions; viruses, malware, and spyware were 10 percent.
PCI still a pain point for many: Okay we admit it, we love reports, especially when they support messages we’ve been sending for some time now. This report conducted by Verizon and covered by SC Magazine UK, found that “most businesses that accept credit or debit cards, or both, continue to struggle to achieve and maintain compliance with the Payment Card Industry Data Security Standard (PCI-DSS).” In fact, of those assessed by Verizon, only 21 percent were found to be fully compliant. These results were almost identical to last year’s which proves that, as an industry, we need to do more to educate organizations and help them to understand how to achieve compliance not just for auditing purposes, but for the protection of their customers’ sensitive information.
IT Security Rewind – Week of September 19
Posted on September 23, 2011 by Josh Arrington
It was another interesting week for IT security professionals, with numerous developments, breaking stories and breaches to follow. But before we dig in to this week’s Rewind—we wanted to wish a warm farewell to Dave Kearns, who wrote one of the final pieces for the penultimate edition of the Network World Identity Management newsletter. We wish Dave well with his analyst role at Kuppinger-Cole—where he’ll continue to provide us with keen security insights!
APT: In Review – It’s never easy to put together a “lessons learned” type of piece when it involves a sensitive and well-documented security attack, but Pacific Northwest National Laboratory CIO Jerry Johnson did a great job at the recent InformationWeek 500 conference. Johnson developed a presentation that described the APT attack against his company with such details as “when the intruders tried to recreate and elevate account privileges, this action triggered an alarm, alerting the lab’s cybersecurity team…” It’s information like this that can help all security professionals better prepare themselves and anticipate vulnerabilities.
Is “SIEM dead as claimed?”—To no surprise, questions like these usually provoke responses of all types. As Computerworld reported, a recent survey “conducted with senior security professionals at Global 5000 and federal organizations” found that “SIEM has joined signature-based technologies on the ash heap of IT history.” However, advocates for SIEM, like Dr. Anton Chuvakin of Gartner disagree—stating that while SIEM is not a tool that should be used primarily to prevent attacks, it’s still an important monitoring technology.
Access Rules – InfoSecurity provided more background on the $2.3 billion UBS fraud case this week. While details are still swirling, it’s clear that this is another example of a trader acting beyond authorization in a highly regulated market. While the article delves deeper, calling for tighter monitoring and controls, the question remains: If access and risk management controls and processes were in place, how were the traders able to circumvent them?
Anything we missed? What stories have you been following? Let us know!
