Lessons Learned from a Major Hack: Part 2

Lessons Learned from a System Major Hack
©Deemerwha studio – stock.adobe.com

How Can We Prevent This?

Once we understand what happened and how, it is now time to learn from it and build a plan to remedy it and ensure such scenarios cannot happen in the future. You know the saying, “Fool me once...”


However, in this case, we know that this very company was allegedly hacked a couple of years ago and ended up paying a ransom to the hacker to delete the stolen data and “keep it quiet”; but based on what occurred, it looks like they did not learn from this and still need to review their security posture and engineering cultural failures.


How Did This Happen?

Security posture is made up of many critical components – including network, hardware, software suite, policies, data, and people – that all combined deliver an overall status of an organization’s cybersecurity readiness. As organizations transition to the cloud to decentralize their 

infrastructure and make it available globally to all their employees, no matter where they are and what type of device they use, it is time to implement a Zero Trust architecture, whose motto is “never trust, always authenticate”, where no user, device, or app is considered “secured” just because it is known and/or within a predefined secure perimeter, but instead should be constantly verified. When considering security, it is always advisable to prepare for the worst and expect the unknown. 


From a technical perspective, this is achieved using a combination of advanced security features, like Zero Trust Network Access (ZTNA), Multi-Factor Authentication (MFA), and Risk-based authentication (RBA) to name a few.  


Part 1. Improve MFA

Multi-Factor Authentication (MFA) is a great security mechanism that organizations must implement as part of any Zero Trust architecture. However, it is not the magic key to perfect security and still has its few weaknesses that can be exploited. Security is larger than just one solution, so other security mechanisms should be implemented in combination with MFA to strengthen it even more.


Hardware Security Keys

One option is to use hardware security keys, which are small devices used in the multifactor authentication process to verify access and strengthen security on accounts. Employees need to physically plug them into their computers, mobile device USB port, or connect them to their mobile device wirelessly using Bluetooth when authenticating, to prove their identity before they can access specific resources on the internal network. For example, when connecting to a corporate website, their browser would issue a challenge to the hardware security key, such as specific information about the resource, like domain name. The key would then cryptographically sign and allow the challenge, logging the employee into the service.


Some corporations reported blocking similar attacks, thanks to the use of said keys, as part of their MFA process. One of the pros is that physical tokens cannot be phished, unlike software tokens such as SMS or Push Notifications. Some of the cons are the additional cost and possible inconvenience for the employees, who would need to carry an extra piece of hardware with them, similar to using an RSA hardware key to authenticate with a Virtual Private Network (VPN). This part might be hard to “sell” to the employees, who are used to having everything more and more conveniently digitized.


Number Matching

Another important improvement to MFA, offered by many Identity and Access Management (IAM) providers, is number matching. During the MFA authentication process, employees will see a complementary number that they will need to punch into the corporate authenticator app on their mobile device before they can complete said process and be able to access services.


This makes the MFA process much more robust against social engineering attacks, as the hacker would need to have access to both the employees’ credentials AND one of his MFA-registered devices, to access the push notification and enter the exact matching number.


Protect Your Privileged Accounts

A privileged user is someone trusted enough to have administrative access to a company’s critical system, often referred to as “super admin” or “root” (especially in the Unix world). Such users can pretty much do anything on said systems, from creating to deleting user accounts, mailboxes, documents, data, etc. as well as starting or stopping business services, including internal communication systems. Therefore, it is important (and too often overlooked) to control and monitor such accounts the same way as any other account; it is a security principle to never completely trust anyone or anything unconditionally. Such accounts could fall into the wrong hands or be used incorrectly by the right ones, either accidently or intentionally, and the impact can be catastrophic.


To avoid that, a Privileged Access Management (PAM) solution should be implemented. It offers the possibility to authorize/control and monitor/audit, in real-time, all privileged user accounts on all relevant back-end systems. This helps reduce the risks and vulnerabilities produced by human mistakes or negligence, as well as possible misuse by impersonation from a malicious actor.


Following the security “Principle of Least Privilege” – which defines that a user should always be given only the minimum privileges required to complete a specific task on a specific system – PAM would protect privileged accounts and critical systems by, for example:

  • Granting privileges only to the systems employees are authorized to access
  • Granting such access when needed and revoking it after a certain time (e.g., enough to complete a specific task)
  • Preventing them from using local system password, but rather their own account with required permissions
  • Centrally managing, monitoring, and auditing these privileges accounts and their access to critical systems 

Implement Data Loss Prevention (DLP)

The loss or unauthorized exfiltration of business and regulatory sensitive information can provoke tremendous financial and reputational losses to any organization, including significant legal troubles.

It is crucial to be able to detect and prevent such exfiltration on time, while also ensuring compliance with existing data regulations.


Data Loss Protection (DLP) will help achieve that by categorizing all discovered internal documents matching company-defined policies, determining which documents are sensitive and need to be watched closely. Then it will detect and prevent data exfiltration, which can happen when uploading a document to an external website, sending an email containing sensitive information or simply copying files to a removable media (e.g., USB drive) or over the network to another computer. Behind these innocent daily actions performed by everyone could be a potential unauthorized exfiltration, and this is where the DLP solution comes into play, by reporting back to the security administrator by email and/or using a dedicated Critical Event Management (CEM) solution.


Supervise Your Ecosystem

Monitoring is a key part of any IT infrastructure, required to keep an eye on “what’s going on” and ensure good quality of service for end-users and peace of mind for everyone involved, from the IT support team up to senior leadership. Without a monitoring solution, a company and their IT team is blind and cannot react in time when an incident occurs, including service disruption. Implement a vendor-agnostic, supervision solution that can work with many types of systems, from web and mail servers to Unified Endpoint Management (UEM) solutions, as well as cybersecurity suites used for threat detection, prevention and response (EPP, EDR, and MTD).


Backup Your Data

Regularly backup (at least daily) all your Mission Critical servers and data, preferably to an external physical medium (e.g., tape) and store them in a safe, to ensure your servers and data cannot be deleted accidentally or even intentionally without gaining physical access to it. If possible, have multiple copies in different locations, for redundancy. Finally, you want to test these backups every now and then to ensure data can be retrieved correctly; we know of so many companies that had to use a backup in a critical situation only to realize these were corrupted and nothing was retrievable! You surely do not want that.


As we have said before, there is no single solution when it comes to protecting your infrastructure and data. The smartest approach to cybersecurity is a holistic one – considering your infrastructure, all its components, and the ways in which you are prone to cyberattacks. Implementing a monitoring solution(s) is key to having a comprehensive overview and control of your infrastructure, but you must also consider the need to protect corporate data in all its states – in transit, in use, and at rest – and ensuring that only the appropriate parties have access to this sensitive data, whether this is done through Multi-Factor Authentication (MFA) or Role-Based Access (RBA). It is also important that whatever methods you choose to implement for your security posture, you should always have a back-up plan prepared. Please feel free to contact the team at ISEC7 with any questions related to cybersecurity and protecting your infrastructure and we can help you bolster the security posture of your unique environment.



Note: Please fill out the fields marked with an asterisk.

(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group