By now I am sure you have seen and read enough IT security "predictions" for 2019. As cynical as it may seem, I often chuckle at the alignment of an author's predictions and the solutions and services that they sell. Coincidence? Or good marketing?
I will leave that with you.
But what is the best way to plan for 2019?
"Study the past, if you would divine the future." Lacking any historical IT security philosophers to quote, I have borrowed a line attributed to Confucius.
With that in mind, understanding the mistakes of the recent past gives us a good idea of the current trends and capabilities of those who work against us. And with that, here are 2018's worst breaches and how they could have been avoided.
1) Aadhaar - The Insecure API
Aadhaar is an ambitious project in India designed to create a national identification database of all Indian citizens, in a country where remote regions, challenging infrastructure and diverse languages have prevented such record-keeping in the past.
The government database assigns each citizen with a 12-digit ID number, which can then be used to access services such as banking and government social programs.
Through an insecure API, used for interconnecting services, over 1.1 billion records including names, addresses and the 12-digit IDs were freely available. The flaw was only discovered in March 2018, and the Indian Government has no clear idea how long it had existed nor how many times it had been exploited.
APIs are commonplace in software today, with interconnectivity, integration and automation being key features of most modern projects. However, securing this access is critical.
All API access should include the following capabilities, to ensure their security:
- A unique API key for each supplier or connecting party, used for authentication and rotated after a set period.
- Short-lived session tokens, issued after authentication and destroyed at the end of the session, so that every call between the API and the connecting party is tied to an authenticated session without re-sending the long-term key.
- Auditing is turned on and actively monitored for anomalous behaviour.
- APIs are tuned to only provide access and functions which are required by that connecting party.
None of these recommendations would be surprising if we were speaking about a graphical user interface. Yet, sometimes APIs are not treated in the same way, maybe because they are less understood and therefore not easily scrutinised.
In any case, a top tip for 2019 is to secure those API endpoints with the same level of security you would expect in any other part of your network.
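The four controls in the list above, shown together in one small in-memory API gateway. This is an added example written for this article, not code from Aadhaar or from any real gateway; the client names, scopes, key lifetimes and the shape of the audit record are all assumptions made for illustration. Only a hash of each client key is stored, comparisons are constant-time, a key older than its rotation period is refused, and every decision is written to an audit list that a monitoring job can query.

```python
"""Added example (not from the original article): per-client API keys with
rotation, short-lived session tokens, per-client scopes and an audit trail.
Names, lifetimes and scopes below are hypothetical."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

KEY_LIFETIME = 90 * 24 * 3600   # long-lived client key must be rotated after 90 days
SESSION_LIFETIME = 15 * 60      # session tokens live 15 minutes


@dataclass
class Client:
    name: str
    scopes: frozenset           # operations this connecting party is allowed to call
    key_hash: bytes             # only a hash of the API key is kept server-side
    key_issued: float


class ApiGateway:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.clients = {}       # client_id -> Client
        self.sessions = {}      # session token -> (client_id, expiry)
        self.audit = []         # (timestamp, client_id, event, detail)

    @staticmethod
    def _hash(secret: str) -> bytes:
        return hashlib.sha256(secret.encode()).digest()

    def _log(self, client_id, event, detail=""):
        self.audit.append((self.now(), client_id, event, detail))

    def issue_key(self, client_id, name, scopes):
        """Create or rotate the API key for one connecting party.
        The plaintext key is returned once and never stored."""
        key = secrets.token_urlsafe(32)
        self.clients[client_id] = Client(name, frozenset(scopes), self._hash(key), self.now())
        self._log(client_id, "key_issued")
        return key

    def authenticate(self, client_id, api_key):
        """Exchange a client API key for a short-lived session token."""
        client = self.clients.get(client_id)
        if client is None:
            self._log(client_id, "auth_failed", "unknown client")
            return None
        if not hmac.compare_digest(client.key_hash, self._hash(api_key)):
            self._log(client_id, "auth_failed", "bad key")
            return None
        if self.now() - client.key_issued > KEY_LIFETIME:
            self._log(client_id, "auth_failed", "key past rotation period")
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (client_id, self.now() + SESSION_LIFETIME)
        self._log(client_id, "session_start")
        return token

    def end_session(self, token):
        entry = self.sessions.pop(token, None)
        if entry:
            self._log(entry[0], "session_end")

    def call(self, token, operation, record_id):
        """Authorise one API operation against the session's client scopes."""
        entry = self.sessions.get(token)
        if entry is None:
            self._log("?", "denied", f"no session for {operation}")
            return None
        client_id, expiry = entry
        if self.now() > expiry:
            self.sessions.pop(token)
            self._log(client_id, "denied", "session expired")
            return None
        if operation not in self.clients[client_id].scopes:
            self._log(client_id, "denied", f"out of scope: {operation}")
            return None
        self._log(client_id, "allowed", f"{operation} {record_id}")
        return {"op": operation, "record": record_id}

    def failed_auth_count(self, client_id):
        """What a monitoring job would watch: repeated failures per client."""
        return sum(1 for _, c, e, _ in self.audit if c == client_id and e == "auth_failed")


if __name__ == "__main__":
    clock = [1_700_000_000.0]
    gw = ApiGateway(now=lambda: clock[0])
    key = gw.issue_key("bank-01", "Example Bank", {"verify_id"})   # hypothetical client
    tok = gw.authenticate("bank-01", key)
    print(gw.call(tok, "verify_id", "1234-5678-9012"))   # allowed: in scope
    print(gw.call(tok, "export_all", "*"))               # None: not in this client's scopes
    clock[0] += SESSION_LIFETIME + 1
    print(gw.call(tok, "verify_id", "1234-5678-9012"))   # None: session expired
    for row in gw.audit:
        print(row)
```

The point of the scope check is the Aadhaar lesson: a connecting party that only needs to verify one ID should never be able to enumerate the database, regardless of whether its key is valid.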
2) Marriott - SQL Injection and Known Vulnerabilities
More widely reported on in Europe was the breach at hotel giant Marriott, or more specifically the reservation database of an acquired brand known as Starwood Hotels.
Up to 500 million guest reservations were breached, with names, addresses, passport numbers, dates of birth and information regarding their stays all compromised. Sadly, Marriott has been accused of having been aware of a similar breach dating back to 2014, and of not sufficiently correcting the issue before the 2018 breach.
There were three key failings in this scenario:
- Marriott is believed to have been aware of a vulnerability in the Starwood Hotels reservation database for four years, and yet took no corrective action. To make matters worse, dark web sources had been selling access to this database during that time.
- Payment information present in the database had been encrypted using AES-128. However, Marriott conceded that the components needed to decrypt this information may have been stolen as well, so the encryption offers little protection if the keys lived alongside the data.
- Marriott does not appear to have been validating or sanitising input, so malicious input such as an SQL injection (rumoured to be the cause in this case) was not filtered out before it reached the database.
As a result, Marriott now faces a class action lawsuit from a number of affected guests, and is under investigation by government data protection authorities in various parts of the world. 2019 is likely to be an unenviable year for Marriott.
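To make the third failing concrete, here is an added example (written for this article, not code from Marriott or Starwood, whose systems are not public) of a reservation lookup written the injectable way beside the corrected one. The table, column names and guest records are constructed for the demonstration. The real fix is the parameterised query, which makes the database treat the input as a value rather than as SQL; the surname allowlist on top is the "value cleaning" the text refers to, and is worth having as defence in depth but is not sufficient on its own.

```python
"""Added example (not from the original article): SQL injection in a
reservation lookup, and the parameterised plus validated version.
The schema and records are constructed for illustration."""
import re
import sqlite3

# Allowlist for a surname field: letters, spaces, hyphens and apostrophes.
SURNAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,63}$")


def build_db():
    """Constructed in-memory reservation table standing in for the real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reservations ("
        "id INTEGER PRIMARY KEY, surname TEXT, passport TEXT, arrival TEXT)"
    )
    conn.executemany(
        "INSERT INTO reservations (surname, passport, arrival) VALUES (?, ?, ?)",
        [
            ("Smith", "P1234567", "2018-11-02"),
            ("O'Brien", "P7654321", "2018-11-03"),
            ("Garcia", "P1122334", "2018-11-05"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, surname):
    """The 'before' picture: user input is pasted into the SQL string.
    A surname of  x' OR 1=1 --  returns every row in the table, and a
    legitimate O'Brien breaks the statement entirely."""
    sql = f"SELECT surname, passport, arrival FROM reservations WHERE surname = '{surname}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, surname):
    """The fix: the driver binds the value, so it can never become SQL."""
    return conn.execute(
        "SELECT surname, passport, arrival FROM reservations WHERE surname = ?",
        (surname,),
    ).fetchall()


def is_valid_surname(surname):
    """Defence in depth: reject anything that does not look like a surname,
    so obviously hostile input is logged and dropped before any query runs."""
    return bool(SURNAME_RE.match(surname))


def lookup_safe(conn, surname):
    if not is_valid_surname(surname):
        raise ValueError("surname rejected by input validation")
    return lookup_parameterised(conn, surname)


if __name__ == "__main__":
    conn = build_db()
    payload = "x' OR 1=1 --"
    print("vulnerable, payload :", lookup_vulnerable(conn, payload))    # dumps all 3 rows
    print("parameterised, payload:", lookup_parameterised(conn, payload))  # []
    print("parameterised, O'Brien:", lookup_parameterised(conn, "O'Brien"))  # 1 row
    try:
        lookup_vulnerable(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("vulnerable, O'Brien breaks the query:", exc)
    try:
        lookup_safe(conn, payload)
    except ValueError as exc:
        print("safe, payload:", exc)
```

Note that a payload which the allowlist would pass (a surname made only of letters and spaces) still cannot inject anything through lookup_parameterised, which is why the binding, not the regex, is the control to rely on.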
3) MyHeritage - The Surprising Discovery of User Information
MyHeritage is a genealogy and DNA testing company based in Tel Aviv, Israel, which in June 2018 disclosed that it had been contacted by a security researcher who had found a file containing over 92 million user records on an external server.
It is reported that this file contained only usernames/email addresses and hashed passwords; other user data was stored on separate systems at MyHeritage. The advice from MyHeritage is that users should change their passwords at the earliest opportunity.
Without much information about the source of the breach, it is difficult to make clear recommendations. However, a couple of the following measures would make it far less likely that MyHeritage are the last to know, should this happen again:
- Database and other access restrictions, making it impossible to export the entire contents of a database or system.
- Logging and detection capabilities so that any anomalous or suspicious activity is picked up earlier. The file found by the security researcher is reported to date from 6-9 months before MyHeritage informed its customers of the breach.
- Multi-factor authentication for user accounts, so that if the passwords were ever revealed they would be far less useful to the person who possesses them.
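The second bullet, logging and detection, is the one most often left as a vague aspiration, so here is an added example of what the detection logic could look like. It is written for this article and is not MyHeritage's code; nothing is known publicly about their logging. The database audit log format, the account names and the row counts are all constructed for the demonstration. The rule is deliberately simple: total the rows each account reads per hour, and raise an alert when an hour exceeds an absolute ceiling that no legitimate job should hit, or is more than ten times that account's own median from earlier hours. A 92-million-row export stands out on either test.

```python
"""Added example (not from the original article): flag bulk reads from a
constructed database audit log. Log format, accounts and thresholds are
hypothetical."""
import re
import statistics
from collections import defaultdict

# Assumed audit line format; the timestamp is captured only to the hour.
LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d\d-\d\dT\d\d):\d\d:\d\dZ user=(?P<user>\S+) "
    r"op=(?P<op>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)
ABSOLUTE_ROW_LIMIT = 100_000   # assumed: no legitimate hour reads more than this
BASELINE_MULTIPLIER = 10       # alert at 10x the account's own median hour

# Constructed sample: app_user normally reads a few dozen rows an hour, then 3,000;
# svc_report normally reads ~20,000 an hour, then 2.4 million.
SAMPLE_LOG = """
2018-10-26T01:05:12Z user=app_user op=SELECT table=users rows=38
2018-10-26T01:40:02Z user=app_user op=SELECT table=users rows=41
2018-10-26T02:10:44Z user=app_user op=SELECT table=users rows=35
2018-10-26T03:15:09Z user=app_user op=SELECT table=users rows=44
2018-10-26T04:02:51Z user=app_user op=SELECT table=users rows=3000
2018-10-26T01:00:00Z user=svc_report op=SELECT table=users rows=20000
2018-10-26T02:00:00Z user=svc_report op=SELECT table=users rows=21000
2018-10-26T03:00:00Z user=svc_report op=SELECT table=users rows=19500
2018-10-26T04:00:30Z user=svc_report op=SELECT table=users rows=2400000
"""


def parse_events(text):
    """Return (hour, user, table, rows) tuples; malformed lines are skipped here
    but should themselves be counted and alerted on in production."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["hour"], m["user"], m["table"], int(m["rows"])))
    return events


def hourly_totals(events):
    """Rows read per (user, hour)."""
    totals = defaultdict(int)
    for hour, user, _table, rows in events:
        totals[(user, hour)] += rows
    return dict(totals)


def detect_bulk_reads(events):
    """Return alerts as (user, hour, rows, reason), ordered by hour then user."""
    by_user = defaultdict(dict)
    for (user, hour), rows in hourly_totals(events).items():
        by_user[user][hour] = rows
    alerts = []
    for user, hours in by_user.items():
        history = []                      # normal hours seen so far for this user
        for hour in sorted(hours):
            rows = hours[hour]
            if rows > ABSOLUTE_ROW_LIMIT:
                alerts.append((user, hour, rows, "absolute"))
            elif history and rows > BASELINE_MULTIPLIER * statistics.median(history):
                alerts.append((user, hour, rows, "baseline"))
            else:
                history.append(rows)      # flagged hours do not pollute the baseline
    return sorted(alerts, key=lambda a: (a[1], a[0]))


if __name__ == "__main__":
    for alert in detect_bulk_reads(parse_events(SAMPLE_LOG)):
        print(alert)
```

The per-account baseline matters as much as the ceiling: an attacker who has taken over a low-privilege application account and is paging through the table a few thousand rows at a time stays well under any global limit, but not under that account's own history. In practice you would also key the baseline on table and time of day, and pair the alert with the first bullet above, a hard cap on rows per query that the database enforces regardless of who is asking.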
Predictions Based on the Past
So there you have it.
My best prediction for 2019 is that we should correct the issues of 2018 first, whether that be poor API security, a lack of vulnerability management or an inability to detect breaches. Your focus should be on securing the castle against existing and proven attacks.
There are very few innovative data or network breaches; most exploit known vulnerabilities with known solutions. It just depends on who is caught sleeping and who isn't.