The Hard Cold Truth – Somebody Else’s Breach Could Become Your Problem
Did you read yesterday’s article in The New York Times about eBay’s breach? The piece stated that “Security experts warned that stolen information would make eBay customers easy targets for phishing attacks…” And then this morning, Businessweek reported that eBay assured users and stockholders that hackers gained no credit card numbers or other financial information. Businessweek also reported that the attackers gained access to a computer database that held the names, email addresses, street addresses, phone numbers and dates of birth of eBay users.
What did both articles fail to mention? This breach could potentially mean trouble for your organization.
According to The New York Times, hackers gained access to the personal data of 145 million customers. That’s a lot of people. The large majority of those people work somewhere. Maybe they work for your company? If so, and if one of them is successfully phished – via corporate OR personal email address – and uses a corporate laptop to visit a site that achieves code execution on it, anywhere that laptop goes is potentially at risk. Lots of bad stuff can happen from simply getting an email address.
Here’s how it could go down:
• Attacker sends a phishing email to target.
• Target takes the bait and clicks on a link.
• Attacker gets remote execution – the computer opens a port and sends the attacker a way to interact directly with your system.
• Attacker has bypassed firewalls, routers – you name the technology – and is inside your network.
• Attacker can now see what other computers are out there, can get a stronger foothold, looks to escalate privileges and meets his objectives (credit card data, competitive information, etc.).
The truth is that most companies do a terrible job with segmentation, or just plain ignore the concept altogether. That’s because it’s often a complete pain to figure out what type of segmentation is logical and appropriate. However, it’s important enough that we strongly recommend it in every single assessment we do.
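As an added example (not from the original post), here is a small Python check that runs constructed flow-log lines against an assumed zone policy and flags the two things the chain above depends on: a phished laptop talking to its peers or straight to the card-data segment, and one source fanning out across the internal network. The zone subnets, allowed pairs, log format and fan-out threshold are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed policy (an assumption, not the author's network): zones are
# subnets, and only these (src zone, dst zone) pairs may initiate traffic.
ZONES = {"workstations": ipaddress.ip_network("10.10.0.0/16"),
         "servers": ipaddress.ip_network("10.20.0.0/16"),
         "cardholder": ipaddress.ip_network("10.30.0.0/24")}
ALLOWED = {("workstations", "servers"),   # users reach business apps
           ("workstations", "external"),  # ordinary web browsing
           ("servers", "cardholder")}     # only app servers touch card data
FANOUT_THRESHOLD = 4  # distinct internal hosts one source may touch before review

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def parse_flow(line):
    # Constructed flow-log format: "<ts> <src>:<port> -> <dst>:<port> <proto>"
    ts, src, _, dst, proto = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "src": src_ip, "dst": dst_ip, "dport": int(dport), "proto": proto}

def analyse(lines):
    """Return (violations, fanout) for a list of flow-log lines."""
    violations, seen = [], defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        pair = (zone_of(f["src"]), zone_of(f["dst"]))
        if pair not in ALLOWED:  # cross-zone flow with no allow rule
            violations.append((f["ts"], f["src"], pair[0], f["dst"], pair[1], f["dport"]))
        if pair[1] != "external":  # count internal reach, not web browsing
            seen[f["src"]].add(f["dst"])
    fanout = {s: len(d) for s, d in seen.items() if len(d) >= FANOUT_THRESHOLD}
    return violations, fanout

SAMPLE_FLOWS = [  # constructed sample; 10.10.5.7 plays the phished laptop
    "2014-05-22T09:00:01 10.10.5.7:51000 -> 203.0.113.9:443 tcp",   # browsing: ok
    "2014-05-22T09:01:10 10.10.5.7:51001 -> 10.20.1.10:443 tcp",    # app server: ok
    "2014-05-22T09:02:00 10.10.5.7:51002 -> 10.10.5.8:445 tcp",     # peer laptop
    "2014-05-22T09:02:01 10.10.5.7:51003 -> 10.10.5.9:445 tcp",     # peer laptop
    "2014-05-22T09:03:00 10.10.5.7:51004 -> 10.30.0.5:1433 tcp",    # card DB direct
    "2014-05-22T09:04:00 10.20.1.10:40000 -> 10.30.0.5:1433 tcp",   # server path: ok
]
if __name__ == "__main__":
    for item in analyse(SAMPLE_FLOWS):
        print(item)
```

The laptop-to-laptop and laptop-to-card-database flows are exactly the traffic that a segmented network would drop at the boundary, so the same policy table can drive both firewall rules and this detection.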
Do you have a process set up for proper notification and issue handling? If there is a large phishing attack on your organization and an employee calls the help desk, will they know what to research and how to prevent access? Can they assess what actually happened and whether the network is now at risk? Being prepared makes a huge difference in how an attack impacts your organization.