Welcome to our first Data Breach of the Month post, where we look at a notable cyber incident or data breach from the past month. Sometimes we’ll offer deeper analysis of the latest big breach, and other times we’ll focus on a lesser known incident that has outsized implications for the security industry.
In each case, you’ll learn the type of data breached, the vulnerabilities or gaps that were exploited, and what organizations can do to remediate effectively and address potential root causes.
So without further ado, our breach of the month for September 2017 is … North Korea’s theft of South Korea’s “full-scale” war plans.
The incident was just recently reported, but the actual breach occurred in September 2016. The South Korean government has confirmed that North Korean hackers stole 235 GB of data from the Ministry of National Defense. The stolen data included operational plans drawn up by the American and South Korean militaries for full-scale war with North Korea. There were also more specialized plans to decapitate North Korean leadership or respond to localized provocations.
The files were stolen from the military’s intranet, which is supposed to be physically isolated from the Internet and therefore out of reach of ordinary network intrusion. However, maintenance work in 2015 had left a connector jack in place linking the intranet to the Internet, and nobody noticed the mistake for a year. For all that time the air gap existed only on paper.
As is so often the case in major hacks, the attackers’ way in was through a third party. They compromised the antivirus vendor Hauri Inc. and embedded malware in its software, which was then delivered, as trusted vendor code, to South Korean military servers.
There are two root causes at play here: the forgotten connector jack and the third-party risk associated with the antivirus vendor. In both cases there is a clear procedural gap, along with potential technology shortcomings.
A stray connector seems like the easiest thing in the world to spot, especially in a military facility that is supposedly on constant high alert, but without the right processes such breakdowns do occur. Checklists and playbooks protect against this class of error, and they should be strictest around the critical steps, in this case restoring the air gap and verifying that no external connectivity remains once maintenance is finished. After a breach, the same playbooks should drive remediation, so that the exposure is confirmed closed rather than assumed closed.
Looking at the breach as a technology failure as well, internal managers should assess alternatives that allow maintenance to happen with less risk. Isolated networks are normally maintained through controlled transfers (vetted removable media or a one-way gateway) rather than a temporary uplink. Was there an approach of that kind that could have supported the maintenance without ever connecting the intranet to the Internet?
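As an added example, not code from the original post or from any vendor's product, the following Python script is the kind of check a "verify the air gap" playbook step would run on a host that is supposed to be isolated. It parses the output of the Linux commands `ip -4 route` and `ip -4 -o addr` and flags any default route, any route to a network outside an approved list, and any interface carrying an address that is not on an approved list. The approved networks, the interface names and the sample command output are constructed for illustration; on a real host you would run it with `--live` so it reads the output of those two commands.

```python
"""Air-gap sanity check: flag routes and interfaces that should not exist.

Input is the text of `ip -4 route` and `ip -4 -o addr` (Linux iproute2).
The policy constants and the SAMPLE_* data below are assumptions made for
this example, not anything from the incident described in the post.
"""
import ipaddress
import subprocess
import sys

# Assumed site policy: only these prefixes may be routable and only these
# interfaces may carry an address on an isolated host. Adjust per site.
APPROVED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
APPROVED_INTERFACES = {"lo", "eth0"}


def audit_routes(route_output, approved_networks):
    """Return findings for default routes and routes to unapproved networks."""
    findings = []
    for line in route_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else "?"
        if dest in ("default", "0.0.0.0/0"):
            # A default route means packets to any address have somewhere to go:
            # exactly the condition an air gap is supposed to rule out.
            findings.append(f"default route via {dev}: host can reach arbitrary networks")
            continue
        try:
            net = ipaddress.ip_network(dest, strict=False)  # host routes become /32
        except ValueError:
            # Lines such as "unreachable 172.16.0.0/12" or "blackhole ..." start
            # with a route type, not a prefix; they deny traffic, so skip them.
            continue
        if not any(net.subnet_of(approved) for approved in approved_networks):
            findings.append(f"route to unapproved network {net} via {dev}")
    return findings


def audit_interfaces(addr_output, approved_interfaces):
    """Return findings for addressed interfaces that are not on the approved list."""
    findings = []
    for line in addr_output.splitlines():
        fields = line.split()
        # `ip -o addr` lines look like: "2: eth0    inet 10.20.1.15/16 brd ..."
        if len(fields) < 4 or fields[2] != "inet":
            continue
        iface, cidr = fields[1], fields[3]
        if iface not in approved_interfaces:
            findings.append(f"unexpected interface {iface} configured with {cidr}")
    return findings


def audit_host(route_output, addr_output,
               approved_networks=APPROVED_NETWORKS,
               approved_interfaces=APPROVED_INTERFACES):
    """Run both checks; an empty list means the host looks isolated."""
    return (audit_routes(route_output, approved_networks)
            + audit_interfaces(addr_output, approved_interfaces))


# Constructed sample output: eth1 is the forgotten uplink, and it brought a
# default route with it.
SAMPLE_ROUTES = """\
10.20.0.0/16 dev eth0 proto kernel scope link src 10.20.1.15
10.30.0.0/16 via 10.20.0.1 dev eth0
default via 192.168.88.1 dev eth1 proto static
192.168.88.0/24 dev eth1 proto kernel scope link src 192.168.88.5
"""
SAMPLE_ADDRS = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.20.1.15/16 brd 10.20.255.255 scope global eth0
3: eth1    inet 192.168.88.5/24 brd 192.168.88.255 scope global eth1
"""


def main(argv):
    if "--live" in argv:
        routes = subprocess.run(["ip", "-4", "route"], capture_output=True,
                                text=True, check=True).stdout
        addrs = subprocess.run(["ip", "-4", "-o", "addr"], capture_output=True,
                               text=True, check=True).stdout
    else:
        routes, addrs = SAMPLE_ROUTES, SAMPLE_ADDRS
    findings = audit_host(routes, addrs)
    for finding in findings:
        print("FAIL:", finding)
    if not findings:
        print("OK: no unexpected routes or interfaces")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments it reports three failures for the constructed sample (the default route, the unapproved 192.168.88.0/24 route, and the unapproved eth1 interface) and exits non-zero, which is what lets a playbook step block sign-off until someone pulls the cable. The check is deliberately host-side and stateless: it trusts nothing the maintenance crew wrote down, only what the kernel says is currently routable.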
Managing third-party risk is harder. Every partner brings significant risk with it, and your security vendors are no exception: an antivirus agent runs with high privilege on every host and accepts code from its vendor on a schedule, so compromising the vendor compromises the fleet. What you can do is limit the impact a single vendor can have within your environment. Consider how access controls are managed in your organization, both physical and virtual.
As we learned in the infamous Target breach, proper network segmentation is an often-overlooked way to insulate your company against a significant breach arriving through a third party. As you may remember, Target’s refrigeration vendor was compromised, giving the attackers a foothold in Target’s systems. Because segmentation was inadequate, instead of being confined to an isolated vendor portal the attackers were able to move between vulnerable systems, from a facilities database to the billing system and eventually to millions of customer records. We all know what happened next.
Your company might not have to protect itself against Kim Jong Un’s 1,700 state-sponsored hackers (we hope), but you should still consider the simple steps we’ve described to protect against data breaches of this type.
We’ll see you back here next month for a new Breach of the Month.