As part of this week’s IT Security Rewind, we have decided to take a deeper examination into recent massive data breaches to demonstrate how attackers continue to exploit administrative and privileged accounts to conduct their system-wide damage. We’ll also preview our soon to be released eBook, which covers similar ground through an even more historical examination and discussion of solutions to effectively manage, secure and mitigate the threats associated with privileged credentials.

Data Breaches Gone Wild

First, let’s take a look at some recent attacks that have forced IT insiders and stakeholders to reevaluate their proactive approaches to security and access control:

• Last December, the U.S. Chamber of Commerce confirmed that compromised administrator accounts led to an attack by Chinese hackers. The breach compromised the information of the Chamber’s 3 million members.
• In March of this year, a Global Payments breach exposed financial data belonging to 1.5 million uses of Visa and Mastercard. Analyst firm Gartner has claimed the attack resulted from a weak authentication mechanism that enabled access to an administrative account.
• Most recently, this month, attackers were able to exploit health records stored by the Utah Department of Technology Services by cracking a “weak” default administrative password. Once inside, the servers, and the data housed there, were compromised.

The Privileged Pathway

In all three of these well-publicized cases, hackers were able to bypass perimeter security controls to gain access to target systems through the same poorly protected and wide-open gateway: privileged and administrative accounts. In each case, once inside, attackers leveraged the privileged account to gain access to additional servers, databases and other high-value systems that only a select few people are actually granted permission to access.  The result, as demonstrated by the above, is easy access to millions of sensitive records.

Unfortunately these accounts have emerged as a primary target for hackers because infiltration is possible through rather simple means—an easy-to-crack password, spear-phishing or exploitable zero-day vulnerability.  In the Utah case, it was a weak password that was supposed to protect a very sensitive privileged access point on a server that caused the breach.

The Problem with Sharing

The problem that continues to persist is that privileged accounts are often shared with passwords that are rarely changed.  This remains the great paradox in the world of identity and access management and security in general—while attackers are targeting these incredibly sensitive access points, personal passwords to websites such as Facebook have even higher standards of security and strength.

These vulnerabilities are not limited to a specific industry – we see it across the spectrum.  In fact, this is very similar to the weaknesses and vulnerabilities at the Bonneville Power Administration highlighted by the Energy Department.  Auditors uncovered 11 servers configured with weak passwords – including one that hosted an administrative account with a default password.

While troubling, reports of this nature are commonplace and are a contributing reason as to why we continually see massive breaches of this nature in the headlines.

Cyber Attacks and Privilege: Stay Tuned for More

For Cyber-Ark, these trends and developments are startling but not novel. Next week, we’ll be releasing a new eBook—“Don’t Give Cyber Attackers the Privilege–focused specifically on the proliferation of cyber attacks targeting unmanaged privileged accounts. The report outlines a history of this abuse dating back to January 2010 through a compilation of privileged-related attacks. The eBook also outlines the steps required to control these access points through privileged identity management.

This week’s IT security news coverage was shaped largely by the fall-out associated with Nortel’s 10 year data breach, which has now been attributed by some as one of the primary factors impacting the company’s ultimate downfall,  some speculating that competitors were able to gain access to sensitive IP over the course of a decade.  Here are several stories we think offer the best perspectives on the breach.

• History of a Decade-Long Hack: According to the Wall St. Journal, using seven passwords stolen from top Nortel executives, hackers penetrated Nortel’s computers, repeatedly downloading technical papers, R&D reports, business plans, employee emails and other documents.  From our standpoint, this is another high-profile example of the need to better manage and control privileged access.  With relative ease, it appears the hackers were able to use the passwords to access the network, then, once inside, elevate privileges in order to access sensitive data and information.  From an industry standpoint, Nortel’s ‘inaction’ is inexcusable.
• Expect Defenses to Fail: So what can we learn from all this? Information Week published a piece that took a first crack at some answers, “8 Lessons From Nortel’s 10-Year Security Breach.”  Some quick take-a-ways?  Expect defenses to fail, conduct a thorough forensic analysis and expect greater accountability.
• An Empowering Cybersecurity Bill?: In other news, called “critical” in order to avoid our country suffering a “catastrophic attack,” a bipartisan group of senators introduced long-awaited cybersecurity legislation. According to CSO, this is a comprehensive bill that would encourage the sharing of information about threats and attacks between government and industry.  Specifically, the Cybersecurity Act of 2012 would give the Department of Homeland Security power to regulate the kind of company security protections government deems necessary to protect critical infrastructure — such as power and phone companies, water and treatment plants, wireless providers and other companies based on DHS risk assessments.

We’d like to hear your thoughts.  What lessons do you think we can learn from Nortel?  What are your hopes for outcomes from the Cybersecurity Act?

At Cyber-Ark we don’t typically like to brag about our achievements, but we have had such a great week that we can’t help but show off a bit. This year we have been shortlisted for not one, not two, not even three but FOUR SC Magazine Europe Awards! We are very excited and wanted to send our congratulations to all of the finalists that were also shortlisted in the Best IAM Solution, Best Remote Access, Best Security Management and Information Security Product of the Year Categories. While we’ve been celebrating we’ve also been paying close attention to some evolving stories in cyber legislation as well as an interesting twist on a phone hacking and wanted to put stories out there to get our readers’ opinions:

• Bloomberg Businessweek reported that the Cyber-Security bill has been delayed in reaching a vote on the Senate floor.  The Senate bill would authorize the Homeland Security Department to identify infrastructure that’s “considered critical to U.S. economic and national security” and develop standards that must be met to protect them. Understanding the security threat that cyber war poses on our nation and the number of sophisticated hackers out there, advisors are doing their best educate the Senate on the urgency behind this bill. Bruce McConnell, a counselor to Napolitano on cyber security matters stated, “What we were here today to do was make sure the Senate understands the severity and importance of the threats that we’re facing and the need for action.”

• Trying to hide your organization’s data breach? VeriSign proved this week that you can actually get away with it. After scouring 2,000 SEC filings Reuters reported this week that VeriSign was actually hit by hackers back in 2010 but did not report the breach until their SEC filing in October of 2011. How is this possible when the company states that “more than half (56%) of the world’s DNS hosts rely on the VeriSign .net and .com infrastructure”? Well, as long as credit card data isn’t involved organizations actually aren’t forced by the government to reveal a breach to the public.

• Finally, FOX News and other outlets reported that a phone call between the FBI and Scotland Yard was recorded and released online by the hackers in Anonymous. Luckily, the FBI said that there was no classified information on the call, but it was still accessed illegally. Anonymous tweeted that they were able to hack the phone call by compromising an investigator’s emails. If the call is authentic, it is quite jarring that the group was able to hack into the very call that discussed proceedings for past offenses.

We’d love to get your thoughts on these legislative issues as well as the phone hacking – do you think the Senate is taking the threat of cyber war seriously? Should VeriSign have been forced by law to reveal that they were breached? Is Anonymous a bigger threat than we anticipated?

Let us know in the comments!

It’s time for the first IT Security Rewind of 2012. While 2011 was certainly shaped by several spectacular security breaches, if the beginning of 2012 is any indication, then we are in for another wild ride.

NoSQL is No Small Problem: Dark Reading shines some “light” on a serious vulnerability to track in 2012—the security flaws of database technology NoSQL.  The article highlights that as with many traditional database technologies, the proactive management of privileged identities is a critical component to ensuring an effective security posture within these systems.

SCADA Issues Persist: There’s no lack of examples when it comes to highlighting the prevalence of vulnerabilities that exist in SCADA Systems.  As Sara Yin of Wired highlights through coverage of a recent presentation by Blake Cornell, an independent security researcher, default passwords have played a significant role in recent incidents, including the Siemens breach.  Again, it’s increasingly evident that using advanced privileged identity management technology can be part of an effective solution for managing these risky passwords that can be manipulated to gain wide-scale system access and control.

Consumerization of IT Risk: Consumerization of IT has carried over a hot topic for the security industry —is it 2012’s “cloud”-like buzz word? More importantly, what types of security risks does this trend pose? As reported in NetworkWorld, a survey of 520 CIOs found that 77% said they worry that “further consumerization of IT will lead to greatly increased business risks.” As enterprise technology continues to “go mobile”—this will be an important development to track, especially as individuals use mobile devices, such as phones and tablets, to share and exchange sensitive information.

So, 2012 begins. Let us know your predictions on the biggest security topics to watch for this year.

Returning from a holiday break is never easy, so if you were slightly neglectful to your industry news this week don’t fret – we’ve got it covered. It may have been a week of turkey hangovers for some of us, but the IT industry was busy reporting end-of-year recaps, forecasts for 2012 and of course, breaking news: Here is our summary of this week’s hottest stories.

Looking to achieve a life of “privilege” as an IT security pro? InformationWeek posted its annual “Best Paying IT Security Jobs In 2012” article and guess what? Security professionals can expect salaries to increase by an average of 4.5% in 2012—not bad in such a tumultuous economy. If you are a security professional in a midlevel/ senior role you are in a great position as demand is high. Supply, however, remains a different matter. Robert Half Technology said it expects to see “an abundance of positions and a shortage of skilled candidates.” As expected, the article also reported demand would soon increase for people who could manage “privileged identity management.”

Cyber crime linked to terrorism – In far more serious news, the FBI has revealed that four hackers were arrested in the Philippines last week in connection with an organized attack on the clients of U.S. telecommunications giant AT&T. Law enforcement officials believe the suspects were employed by the terrorist group Jemaah Islamiyah, which has been linked to numerous bombing attacks. According to Reuters, the FBI claims that AT&T’s customers were the targets of the hackers and were not the carriers themselves. An anonymous source reportedly added that the hackers breached the phone systems of AT&T customers and made calls to expensive international premium-rate services.

Water-pump hack pumped with errors – The SCADA hack that resulted in a water pump being destroyed has proven to be false – Wired reported this week that a contractor who was supposed to work on the system logged in according to permissions during a vacation trip to Russia, which was misconstrued as an outside hack.  In truth, the water pump simply burned out, as pumps are wont to do, and a government-funded intelligence center incorrectly linked the failure to an internet connection from a Russian IP address months earlier.

That about wraps it up for this week – we’d love to hear your thoughts on this week’s happenings – leave your comments here…