Our InfoSec experts give their take on the recent Uber breach

9 November 2022

And what we can learn about our own security habits

This past month, Uber suffered a large-scale data breach through a multi-factor authentication (MFA) fatigue attack. While this attack is concerning and highlights the vulnerabilities of the company, this is not the first time a large company has been the victim of an attack like this. Due to the ever-evolving nature of hacking techniques, Samsung, Cisco, LinkedIn, Microsoft, and many other NYSE-listed companies often face these threats and successful attacks.

So, what happened?

Hackers have identified employee credentials as the easiest point of compromise within businesses. As with many recent data breaches, the use of Social Engineering (the manipulation of individuals into handing over confidential information) was employed in the hacking of Uber.  

In this case, the attacker likely purchased the employees’ passwords on the dark web. The attacker then initiated the MFA fatigue attack, spamming employees with MFA requests until they eventually authorized access under duress, allowing the hacker to successfully log in.

The hacker did not gain elevated access rights to critical resources but did have access to a network share. The hacker located an unprotected, sensitive, and highly privileged script – with hard-coded privileged credentials that allowed them to get elevated permissions to several tools Uber used to store confidential customer and financial information.

Although the hackers only gained access to some information from Uber’s users, they still managed to breach their security. It’s possible that the hackers also gained access to sensitive information such as residential addresses, email addresses, license numbers, and even bank account information.

What can we learn from this?

What made the Uber incident unique wasn’t the method of entry nor any step after that, but that Uber wasn’t a cut-and-dried example of bad security. Most of their security systems are pretty standard and would measure up to those of many other companies. However, with the time to exploit vulnerabilities decreasing to below 5 days, and because MFA breaches allow hackers to go under the radar for longer, it is more critical than ever to recognise the signs of an attack early. In this case, the failure was not due to one individual or security tool, but rather to the policy, procedure, process training and education of employees to be vigilant and to know that IT would never ask employees to accept MFA requests on its behalf. Such a request would be an anomaly that is reported to the service desk. Through this gap, the attacker was able to penetrate a level of security without being detected.
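To make "recognising the signs early" concrete, the following Python detector is an added example (not from Uber or from the original article) that flags a burst of rejected or unanswered MFA prompts for one user, and separately flags an approval that follows such a burst. The log format, the result names, the 10-minute window and the threshold of 5 are all assumptions, and the sample events are constructed.

```python
"""Flag MFA-fatigue patterns: a burst of push prompts, and an approval after one."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed count of unapproved prompts that makes a burst

# Constructed sample events in a hypothetical "timestamp user result" format.
SAMPLE_LOG = """\
2022-01-01T09:00:00 alice approved
2022-01-01T22:01:00 bob denied
2022-01-01T22:01:40 bob timeout
2022-01-01T22:02:10 bob denied
2022-01-01T22:03:00 bob timeout
2022-01-01T22:03:30 bob denied
2022-01-01T22:04:15 bob approved
2022-01-01T23:00:00 carol denied
2022-01-01T23:30:00 carol approved
"""

def detect_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (user, alert_kind, timestamp) tuples in log order."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, user, result = line.split()
        ts = datetime.fromisoformat(ts_text)
        q = recent[user]
        while q and ts - q[0] > window:  # expire prompts older than the window
            q.popleft()
        if result == "approved":
            # An approval right after many rejected prompts is the fatigue signature.
            if len(q) >= threshold:
                alerts.append((user, "approved_after_burst", ts.isoformat()))
            q.clear()
        else:
            q.append(ts)
            if len(q) == threshold:  # raise once, while the prompts are still arriving
                alerts.append((user, "prompt_burst", ts.isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in detect_fatigue(SAMPLE_LOG):
        print(alert)
```

The `prompt_burst` alert fires before any approval happens, which gives the service desk a chance to contact the user while the prompts are still arriving.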

Due to a large network footprint of usernames and passwords, the end point of security for businesses is the employees. Added to this, the landscape of business globally has changed from the physical barriers of a building to hybrid work, which allows employees to work from home. This means that the way that we train and educate our employees about security needs to change. In addition to prevention, it is also important to know how to recognize signs of an attack by ensuring that employees have a high level of understanding of security processes and hacking trends.

Our experts’ tips

Our InfoSec team gave these important guidelines on how to be mindful of your role when it comes to security in an organization:

· Be sure to read, understand and complete the latest security education/training provided.

· Be vigilant and always question – don’t be afraid to ask your security team if something seems off.

· Be cautious with the networks you connect to by checking their legitimacy.

· Know that every compromise starts with someone’s credentials. The part you play is important.

Below are the things that make a person vulnerable to a Social Engineering attack and are the most significant things that a person should safeguard and practice vigilance around. This is an easy way to understand the importance of an individual in the landscape of security:

1. Something you have, e.g. Multifactor Authentication App

2. Something you are, e.g. Your username and identity

3. Something you know, e.g. Confidential information like your password

How we’re working to become a safer and more vigilant company

· Online training material to keep employees up to date with the latest threats.

· Using security defenses along with education.

· Being part of security communities that share new and emerging threats.

· Early insights through large international intelligence agencies.

· Employing mitigation strategies rather than reactive defenses.

How this impacts us

If we are compromised, there would be consequences, including the potential to lose our license in the affected market. This reputational and material impact means that we could be refused permission to operate in new markets. And of course, any data compromise could impact our ISO 27001 certification, which affects our ability to enter new markets and could mean loss of access to existing ones or hefty fines.

As is evident from the latest Uber scandal, these types of hacks not only affect the reputation of brands but can have a grave impact on the security of the clients involved. As a listed company it is more pertinent than ever to protect our clients’ personal information and data by taking responsibility for your personal data security. Thanks to our InfoSec experts, Stephen Little, Delphine Bagwire and Amy Van Gee for your opinions and advice.