The Hard Cold Truth – Somebody Else’s Breach Could Become Your Problem

By Eric Milam ·

Did you read yesterday’s article in The New York Times about eBay’s breach? The piece stated that “Security experts warned that stolen information would make eBay customers easy targets for phishing attacks…” And then this morning, Businessweek reported that eBay assured users and stockholders that hackers gained no credit card numbers or other financial information. Businessweek also reported that the attackers gained access to a computer database that held the names, email addresses, street addresses, phone numbers and dates of birth of eBay users.

What did both articles fail to mention? This breach could potentially mean trouble for your organization.

How?

According to The New York Times, hackers gained access to the personal data of 145 million customers. That’s a lot of people. The large majority of those people work somewhere. Maybe they work for your company? If so, and if one of them is successfully phished – via corporate OR personal email address – and uses a corporate laptop to visit a site that includes successful code execution, anywhere that laptop goes is potentially at risk. Lots of bad stuff can happen from simply getting an email address.

Here’s how it could go down:

•  Attacker sends a phishing email to target.
•  Target takes the bait and clicks on a link.
•  Attacker gets remote execution – the computer opens a port and sends the attacker a way to interact directly with your system.
•  Attacker has bypassed firewalls, routers – you name the technology – and is inside your network.
•  Attacker can now see what other computers are out there, can get a stronger foothold, looks to escalate privileges and meets his objectives (security credit card data, competitive information, etc.).

Your job is to stop the consequences related to a successful phish, which tends to be malware proliferation in the environment with a goal of data exfiltration. Let’s be honest – at some point a system on your network is going to get infected. There’s no silver bullet that will enable you to avoid infection. But, proper network segmentation can help you drastically limit the infection rate. Here’s an example: if I’m in HR and there’s proper segmentation and I only have access to two servers and the Internet, the infection rate is limited to the level of access that I have. Network segmentation is really the difference between providing an attacker with limited access to systems and data, or giving them the ability to catapult across your moat, dragon and guards, right into your castle.

The truth is that most companies do a terrible job with segmentation, or just plain ignore the concept all together. That’s because it’s often a complete pain to figure out what type of segmentation is logical and appropriate. However, it’s important enough that we strongly recommend it in every single assessment we do.

Do you have a process set-up for proper notification and issue handling? If there is a large phishing attack on your organization and an employee calls the help desk, will they know what to research and how to prevent access? Can they assess what actually happened and if the network is now at risk? Being prepared makes a huge difference in how an attack impacts your organization.