In August 2019, a third-party bug bounty discovered a data breach that exposed email addresses, hashed and salted passwords, API keys, and TLS keys for a subset of the cloud WAF customers of Imperva, a leading provider of Internet firewall services. This proves that no matter the vendor, you must perform your due diligence to ensure your own security won’t be put at risk by working with that vendor – even if that vendor is a cybersecurity provider. So, what exactly happened at Imperva? Why should it matter to you? What lessons can you learn from it? Let’s discuss.

What Happened at Imperva?

The Imperva breach occurred because an unauthorized user stole an administrative API key in a production AWS account. Imperva states that when they were migrating to AWS RDS, “Some key decisions made during the AWS evaluation process, taken together, allowed information to be exfiltrated from a database snapshot.” The major issues that we see are the following, which began in 2017:

  • “We created a database snapshot for testing.” Imperva did not practice data hygiene, clean out legacy data, or have a data life cycle management process. Did they really need backups from two years ago?
  • “An internal compute instance that we created was accessible from the outside world and it contained an AWS API key.” Imperva’s perimeter was not secure, which is odd – you would think a penetration test would have detected that instance. You should never be able to access internal instances directly from the Internet.
  • In audits or penetration testing, organizations simply don’t want to test their test environments, but this is problematic because there could be a vulnerability in the test environment that compromises the production environment. Or, what if there’s live data in the test environment? Not performing security testing in the test environment could jeopardize that data.
  • Was Imperva actively trying to prevent cloud sprawl? You have to know what’s in your cloud environment, or it will bite you. The point of entry was a system they simply forgot about that was not properly secured. During our audit engagements, we often find that organizations do not know about the presence or functionality of systems – they set it and forget it, or test it in AWS and forget it, only for it to be found later by a hacker.

Why Should What Happened at Imperva Matter to You?

Are you a SaaS provider? Do you offer managed IT services? Or, does your organization partner with an MSP or a SaaS provider? If so, Imperva’s data breach should matter to you. Why? Because Imperva’s breach is the perfect example that hackers do not discriminate in whom they target – even experts in cybersecurity can be compromised – which means your organization can be impacted, too. According to IBM’s 2019 Cost of a Data Breach report, “If a third party caused the data breach, the cost increased by more than $370,000.” So, when partnering with SaaS providers or MSPs to outsource your organization’s information security program, it is critical that you perform your due diligence and form some type of vendor compliance management program to ensure that the entity you’re working with implements best practices. On the other hand, the breach also highlights that SaaS providers and MSPs must ingrain security in their development and implementation processes. When companies rely on SaaS providers or MSPs to manage their sensitive data, they expect it to remain secure. What happened at Imperva will likely happen again, but there are some lessons we can learn from the data breach.

Lessons Learned: AWS Best Practices

Imperva cites six corrective actions that they are actively performing:

  • Applying tighter security access controls
  • Increasing audit of snapshot access
  • Decommissioning inactive or non-critical compute instances
  • Rotating credentials and strengthening credential management processes
  • Putting all internal compute instances behind VPN by default
  • Increasing the frequency of infrastructure scanning

These controls and processes are valuable to any organization protecting data, but especially valuable in preventing a security incident. These corrective actions, plus best practices like testing your incident response plan, using penetration testing for security incident analysis, and daily checks of S3 buckets are critical when recovering from a security incident.
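As an added example (not Imperva’s or KirkpatrickPrice’s code), the Python below implements offline versions of three of the checks the corrective actions call for: compute instances reachable by public IP, RDS snapshots shared with every AWS account, and snapshots kept past a retention limit. It assumes the dict shapes returned by boto3’s `ec2.describe_instances`, `rds.describe_db_snapshot_attributes` and `rds.describe_db_snapshots`, and a 90-day retention limit chosen for illustration; the sample responses are constructed.

```python
"""Inventory checks for exposed instances and snapshot hygiene.

The functions accept the response dicts boto3 returns, so they can be
pointed at live describe_* output; the SAMPLE_* data below is constructed.
"""
from datetime import datetime, timedelta, timezone


def find_exposed_instances(describe_instances_resp):
    """Return IDs of running instances that carry a public IPv4 address.
    A public address is necessary but not sufficient for exposure (security
    groups and NACLs still apply), so treat the result as a review list."""
    exposed = []
    for reservation in describe_instances_resp.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue
            if inst.get("PublicIpAddress"):
                exposed.append(inst["InstanceId"])
    return exposed


def find_public_snapshots(attribute_results):
    """Return snapshot identifiers whose 'restore' attribute contains 'all',
    meaning any AWS account may copy or restore the snapshot."""
    public = []
    for result in attribute_results:
        body = result["DBSnapshotAttributesResult"]
        for attr in body.get("DBSnapshotAttributes", []):
            if attr["AttributeName"] == "restore" and "all" in attr.get("AttributeValues", []):
                public.append(body["DBSnapshotIdentifier"])
    return public


def find_stale_snapshots(describe_snapshots_resp, now, max_age_days=90):
    """Return identifiers of snapshots older than max_age_days (an assumed
    retention limit; take the real value from your data life cycle policy)."""
    cutoff = now - timedelta(days=max_age_days)
    return [s["DBSnapshotIdentifier"]
            for s in describe_snapshots_resp.get("DBSnapshots", [])
            if s["SnapshotCreateTime"] < cutoff]


# Constructed sample responses, not real AWS data.
NOW = datetime(2019, 11, 1, tzinfo=timezone.utc)
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "State": {"Name": "running"}, "PublicIpAddress": "203.0.113.10"},
    {"InstanceId": "i-0bbb", "State": {"Name": "running"}},
    {"InstanceId": "i-0ccc", "State": {"Name": "stopped"}, "PublicIpAddress": "203.0.113.11"},
]}]}
SAMPLE_ATTRS = [
    {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "test-snap-2017",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]}},
    {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "prod-snap-2019",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]}},
]
SAMPLE_SNAPSHOTS = {"DBSnapshots": [
    {"DBSnapshotIdentifier": "test-snap-2017", "SnapshotCreateTime": datetime(2017, 9, 1, tzinfo=timezone.utc)},
    {"DBSnapshotIdentifier": "prod-snap-2019", "SnapshotCreateTime": datetime(2019, 10, 20, tzinfo=timezone.utc)},
]}


def audit(instances=SAMPLE_INSTANCES, attrs=SAMPLE_ATTRS, snapshots=SAMPLE_SNAPSHOTS, now=NOW):
    """Run all three checks and return the findings keyed by check name."""
    return {"exposed_instances": find_exposed_instances(instances),
            "public_snapshots": find_public_snapshots(attrs),
            "stale_snapshots": find_stale_snapshots(snapshots, now)}


if __name__ == "__main__":
    for check, hits in audit().items():
        print(f"{check}: {hits}")
```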

All in all, you need to know what you have and test it. Want to learn more about securing your AWS environments? Contact KirkpatrickPrice today to work with cloud security experts.  

There were many missteps that led to the Capital One breach, but what’s the one thing that went as planned? From our perspective, Capital One’s incident response plan seemed to function as intended. Incident response is incredibly important following a breach – that’s why having a plan and team in place is required by so many information security frameworks. The data proves the importance of incident response plans as well. IBM’s 2019 Cost of a Data Breach reports that organizations with an incident response team and extensive testing of their plans could save, on average, about $1.2 million on the typical data breach. In Capital One’s case, though, this incident will cost $100 to $150 million in 2019 alone. Is developing and testing an incident response plan worth millions to your organization?

Capital One’s Incident Response Plan

The Justice Department’s Complaint includes the report that was submitted to Capital One’s Responsible Disclosure program on July 17, 2019. By the end of that month, Capital One announced the breach to the public and explained what they knew, the mitigation work they’d already performed, and which customers were impacted.

From Capital One’s announcement, we can determine they took the following steps to validate and mitigate the reported findings:

  • Immediately fixing the configuration vulnerability
  • Working with the FBI to arrest the person responsible
  • Determining exactly what type of information was compromised and how many individuals in the US and Canada were impacted
  • Performing an analysis to determine if the information was shared or used for fraud
  • Notifying customers
  • Answering FAQs like: What was the vulnerability that led to this incident? When did this occur? Was the data encrypted and/or tokenized? Did this vulnerability arise because you operate on the cloud?
  • Making information about the incident available online and easily accessible

When a household name like Capital One has a major breach, it makes headlines for years. There are major legal and regulatory ramifications for Capital One to answer to, but as far as basic incident response goes, we admit that Capital One seems to have had a thoughtful, tested incident response plan. This was vital in reassuring the public that, even though their AWS configurations had a vulnerability, Capital One knew how to handle the situation.

The key to an incident response plan is testing it in tabletop exercises, employee training, and other scenarios to determine if it will actually work. When organizations go through information security audits, their auditor will have high standards for the plan and the testing of the plan. What would’ve happened if Capital One wasn’t prepared to react to this incident? Would data have been used for fraud or compromised even further?

6 Steps to Incident Response

With today’s threat landscape, it’s not a matter of if your organization will fall victim to a cyberattack or data breach, but when it will happen. We believe basic incident response plans should have six steps:

  1. Preparation – What are we doing to prevent an incident? How are we limiting the impact of an incident? Have we tested our policies and procedures?
  2. Detection & Identification – How would we identify and detect malicious activity? How do we report an incident?
  3. Containment – Has the appropriate personnel been notified? What evidence should be collected? Have we fully assessed the scope of the damage? How can we prevent further damage?
  4. Remediation – Has a complete forensic analysis been performed? Can we make changes to prevent a repeat incident?
  5. Recovery – Have we securely restored the system? Do we have continuous monitoring to ensure the problem is resolved?
  6. Lessons Learned – What gaps can we now identify? Have we regained customer confidence? Have we reviewed controls and processes to prevent future attacks?

It’s not only up to IT to develop an incident response plan – many other areas of your organization will be involved, especially C-levels and boards of directors. In Capital One’s case, the CEO responded to the public about the breach.

If your organization was breached, would your team know what to do? What would the headlines say about your incident response plan? Are you confident in your plan?

If you want to ensure that everyone at your organization knows their role in incident response, let’s talk today about how to train and test your incident response plan.

When you think about how penetration testing is performed, do you think about testing physical security measures?

While many people believe security breaches only happen on the technical side of an organization, they can also start in your physical environment. You may find it surprising to know that some of the most advanced security attacks originate from an area as simple as a garbage can.

Items such as:

  • Bank statements
  • Credit card offers
  • Personal letters
  • Magazines
  • Receipts

…are just a few items found in the trash that can give a hacker the info they need to launch significant security attacks on a person or organization.

It may be easy to think of a hacker sitting in a dark room somewhere, spending hours trying to break through your firewall and using malware to compromise your systems, but that’s not the only way malicious individuals initiate security attacks.

To protect your secure information, your organization must pay attention to both its technical security and physical security, and consider incorporating social engineering and physical security testing into penetration testing engagements.

7 Ways to Protect Sensitive Information from Physical Security Attacks

There are many ways physical security plays a role in the protection of sensitive information. To make sure your organization is as secure as possible, you can take these important steps towards securing your physical assets:

1. Securely destroy sensitive documents

Trash cans should be placed in an open area that’s visible to personnel, or maybe even in a guarded area, so that anyone who might try to breach your physical security via information in the trash will be caught. Do you shred and securely destroy items that contain personal or sensitive data before going into the trash to protect that information from being pieced together?

2. Implement policies & procedures

Proper policies and procedures should be in place so that employees are well-trained on appropriate security actions for daily activities. Whether that looks like locking doors, keeping security badges on at all times, or requiring all visitors to remain with employees in secure spaces – making sure that every employee understands what is expected of them is important in keeping your data secure.

3. Secure network entry points

Identifying all network entry points is a good practice to prevent unauthorized persons from accessing your organization’s systems. Ethernet ports in open areas prove to be tantalizing access points for malicious individuals.

4. Monitor key physical security points with cameras

Security cameras are a great deterrent to hackers who look for easily accessible entry points hidden from view. Part of your organization’s physical security measures should be placing security cameras in areas where secure information is received, processed, and discarded.

5. Monitor all sensitive documents – even locked ones!

Locking secure documents in drawers is a good practice to implement, but these locked areas must also be monitored. A common tool hackers use in physical security attacks is a CH751 key. This key has the greatest likelihood of unlocking simple locks such as those in desk drawers, storage containers, and even elevators, which means securing your documents in a locked filing cabinet isn’t enough. These areas must be monitored at all times.

6. Be careful of after-hours

It’s not uncommon for hackers to slip into your office space unnoticed as everyone leaves for the day. KirkpatrickPrice penetration testers have even waited in office building bathrooms to stake out the best time to enter secure areas and locate security vulnerabilities. Making sure that your office building is secure at all hours of the day is important to protect yourself from security attacks.

7. Implement auto-lock computer policies

A practice as simple as auto-locking computers when employees step away from their desk is vital for your organization’s physical security. It only takes a few seconds and an open USB port for hackers to breach your system and install malware.

These practices are just a handful of ways your organization can be proactive in securing assets against security attacks. How can you be sure your current procedures have covered all avenues of entry into your systems? That’s where penetration testing comes in. Through the various types of penetration testing, your organization can gain greater assurance that you have secure practices in place.

Why Penetration Testing Makes a Difference for Physical Security

Penetration testers use the same tricks hackers use in malicious security attacks when they are testing your systems for vulnerabilities. They know that your organization’s physical security is the first line of defense against hackers. That’s why they use tactics such as picking locks to reach areas that are supposed to be off-limits, cloning badges of unsuspecting employees, and scouting out employee workstations to find the right moment to compromise them. At KirkpatrickPrice, our penetration testers perform skilled social engineering and physical security tests to locate vulnerabilities that your organization may be missing.

As an information security firm, we often hear from our clients that they have an internal penetration testing team but aren’t interested in a third party conducting tests on their systems.

Would you choose to test your own building for fire safety or would you rather receive a fire safety report from a Certified Fire Protection Specialist?

Of course, you would choose to have an expert test your safety features to be sure you’re protected against any serious threat of a fire. In the same way, it’s important to have a third-party penetration tester involved in hunting for vulnerabilities within your system, both technically and physically.

When a penetration tester engages in an onsite visit, they are able to recognize physical security weaknesses and help you mitigate your risks. Instead of hoping your security practices will stand against a hacker’s ill intent, you can make sure you have the right procedures in place with a penetration test.

Contact KirkpatrickPrice today to learn how our expert penetration testers can test your security controls and locate your vulnerabilities to help you prevent any security attacks!

What is Penetration Testing?

Pen testing is a valuable investment for any organization – it’s a critical line of defense used to protect and secure your sensitive assets from malicious outsiders. But for organizations that have never undergone pen testing, or for those who have never even heard of penetration testing before, it’s understandable why you would have questions like: What is pen testing? What parts of my organization should be undergoing penetration testing? Who should I hire to perform my pen testing? In this webinar, KirkpatrickPrice’s President, Joseph Kirkpatrick, will answer these questions and more.

Penetration testing is a form of permission-based ethical hacking in which a tester attempts to gain access to an organization’s people, systems, or locations. The purpose of pen testing is to find vulnerabilities that could potentially be exploited by a malicious hacker, as part of your ongoing risk management practices. However, oftentimes, either out of ignorance or deceit, we see firms pass off vulnerability scans as penetration testing. Let’s be clear: vulnerability scans are not penetration tests. Vulnerability scans are great for discovering low-hanging fruit, but they should not be confused with an advanced, manual penetration test. Vulnerability scanners are only capable of matching patterns and definitions and are unable to find flaws that require human logic and comprehension. This is why investing in penetration testing, in conjunction with running vulnerability scans, is necessary.

Which Assets Are Vulnerable?

In order to know what your organization needs to pen test, you need to identify which assets in your organization are susceptible to cyberattacks and the financial, reputational, and legal implications if those assets were to be compromised. Assets that your organization should consider pen testing might include:

  • Call Center
  • People
  • Records Facility
  • Internet of Things
  • Corporate Office
  • Data Center
  • Wireless Connections
  • Externally Facing Applications
  • Internally Facing Applications
  • Mobile Applications
  • Computers

Ultimately, your organization should be penetration testing any asset that you want to make stronger. If you’re ready to embark on your pen testing journey, watch the full webinar to learn more or contact us today to speak to an Information Security Specialist.

Every month there is headline after headline reporting about new data breaches. Whether it’s a ransomware attack, a negligent employee opening a phishing email, or a state-sponsored attack, millions of individuals are impacted by data breaches and security incidents on a regular basis. Let’s take a look at some of the top data breaches that occurred during October and the lessons we can learn from them.

Krystal Fast Food Chain

What Happened?

In mid-October, popular southern fast food restaurant, Krystal, notified customers of a data breach impacting one of their payment card processing systems. While the organization is still working to investigate the data breach, here’s what we know according to a statement released by Krystal: “The security incident may have involved payment cards processed by a payment processing system used at certain restaurants between July through September 2019…We are working hard to determine the specific locations and dates for each restaurant involved in the attack. To date, our investigation has determined that about a third of our restaurants that are not impacted.”

Lesson Learned

This is not the first time a hospitality organization has experienced a data breach of this nature. In fact, attacks on POS systems are one of the most common in the hospitality industry, accounting for 90% of all breaches. To avoid enduring the fallout of a compromised POS system, organizations must ensure that the third parties that digitally process payment card information on behalf of their business follow information security best practices and meet required security standards, like PCI and HIPAA.

Country of Georgia

What Happened?

Early last week, the country of Georgia suffered a major cyberattack – one that caused 2,000 sites to be taken down, including government, law enforcement, and media outlets. While the exact cause of the breach is unknown, many believe it to be a political attack, as many of the affected sites’ homepages were defaced with a photo of former Georgian President, Mikheil Saakashvili, in front of a Georgian flag, captioned with the phrase “I’ll be back.”

Lessons Learned

Politically motivated cyberattacks are becoming more and more common, and countries must be sure that they have a robust cybersecurity program in place, including a well-rehearsed incident response plan, in the event that a data breach occurs. While the breach impacting Georgia was one of the largest cyberattacks the nation had ever seen, their cybersecurity team was able to quickly contain the incident and get sites back online.

American Cancer Society

What Happened?

On October 24th, security vendor Sanguine Security’s global malware monitor found malicious code associated with Magecart on the American Cancer Society’s e-commerce store. The payment skimmer was injected into the American Cancer Society’s site on October 24th and was removed the next day.

Lessons Learned

The healthcare industry is just as responsible for securing payment card information as it is for protected health information. When a healthcare organization, like the American Cancer Society, offers services that collect, use, store, or transmit any kind of payment card data, it must be sure to effectively mitigate any risks. This could be done using code review to find XSS flaws using OWASP’s XSS prevention rules, or it might involve undergoing web application penetration tests. Either way, we know that the healthcare industry is increasingly vulnerable to cyberattacks, and it’s necessary that healthcare organizations start performing their due diligence to provide the quality care and security that patients deserve.

CenturyLink

What Happened?

In mid-September, security researcher Bob Diachenko discovered an exposed MongoDB database that had been publicly accessible for at least 10 months. The database contained 2.8 million records including names, addresses, email addresses, and phone numbers. CenturyLink worked to close the exposed database within two days of being notified about the breach on September 17th but asked that Comparitech wait to publicly announce the breach so that they could investigate the security incident.

Lessons Learned

A primary takeaway from this breach is that, given the association with CenturyLink and the PII involved, an attacker could craft a customized phishing campaign that includes some legitimate information, which could trick even a moderately trained victim. As always, user education, security awareness training, and simulated phishing testing are good practices for organizations to consider.

At KirkpatrickPrice, we know that data breaches are only a matter of when, not if, they’ll occur, no matter what industry you’re in or the size of your company. That’s why we’re committed to offering a variety of quality, thorough assurance services to help keep your organization protected. Want to learn more about our services and how they can help you mitigate the risk of experiencing a data breach? Contact us today.