The data breach at mobile operator Three highlights several key and topical security issues, according to information security education, certification and professional development organisation (ISC)2.
“With all the breaches being reported, we should be seeing organisations taking steps to protect their customers and IT-enabled operations,” said Adrian Davis, European managing director for (ISC)2.
The next issue the breach highlights is that organisations still do not understand the importance of managing access to IT systems.
“The Three hackers reportedly used authorised login information to access customer information, which underlines the importance of managing, controlling and monitoring staff access – especially privileged, admin or super user accounts – for suspicious or anomalous activity,” said Davis.
This also highlights the need for cyber risk to be viewed as a business risk. “A widespread lack of understanding of this type of risk means that many businesses continue to build, buy or use their IT without security of their information in mind, thereby setting themselves up for something to go wrong,” said Davis.
Next, the Three breach highlights the need for a significantly larger pool of cyber security professionals as well as cyber security-aware business leaders, according to (ISC)2.
“There is a need for greater cyber security awareness and capability in organisations so that the risks, impacts and costs can be properly evaluated and organisations can manage their total risk – including cyber risk – better.
“Our economy is now a digital economy, and we need cyber security skills and knowledge to be as widely diffused as possible,” said Davis.
“We must also ensure that evidence and data is collected to help catch and prosecute criminals, as well as help improve an organisation’s cyber security posture,” he said.
Imperative to take cyber security more seriously
According to Davis, it is imperative for organisations to take cyber security more seriously because they risk losing the trust of their customers and destroying any faith in online services.
“With breaches such as those at FriendFinder Networks and Three being reported in a single week, as well as the NIS [Network and Information Systems] Directive and GDPR [General Data Protection Regulation] set to increase data breach notifications, there is a risk that people will feel their data isn’t safe and secure online, which seems counterproductive,” he said.
Davis said the breaches highlight the need to break the “myth of the hacker”. “It is not glamorous, it is not productive and it is very destructive.
“We need to get a message across that being on the side of those who are part of the cyber security profession is a much better thing to be in terms of long-term financial security and job prospects, socially and culturally,” he said.
News of the Three breach has resulted in a lot of comment from security suppliers, mostly focusing on the issue of the insider threat and the related problem of stolen credentials.
Stephen Gates, chief research intelligence analyst at NSFocus, said the breach is yet another example of lackadaisical security controls.
“The first question is how the hackers gained access to an employee’s credentials in the first place, and why there wasn’t two-factor authentication enforced for every employee,” he said. “If so, this hack would have never taken place.
“A little inconvenience for employees logging in would have likely saved hundreds of thousands of pounds in fines. In this case, an ounce of prevention would have been much less than the pounds of the cure they’ll likely have to consume.”
The importance of multi-factor authentication
Multi-factor authentication, where an entered password is combined with other authentication methods such as acknowledging a notification on your phone, can be used to stop the use of stolen credentials, according to Barry Scott, European CTO at security firm Centrify.
“In addition, full session recording acts both as a strong deterrent to insider threats and a great tool for forensic analysis,” he said.
In the light of this breach, all businesses should ask themselves whether they would be able to identify if an apparently legitimate database access was in fact fraudulent, said Dave Palmer, director of technology at Darktrace.
“We are increasingly seeing wily hackers using employee logins to disguise themselves on the network and carry out attacks from the inside undetected. This highlights how even organisations that have deployed standard security systems can no longer assume they are safe.
“To avoid a cyber crisis, organisations large and small need to adopt new technologies that identify unusual behaviours within their borders early, no matter how subtle and discreet,” he said.
Three scam required little skill
Ross Brewer, vice-president and managing director for Europe at LogRhythm, said the Three upgrade scam required very little skill. “Once the login details were obtained – whether they were stolen or came from within the company – the hackers likely had free rein to access Three’s network without raising any red flags.
“As more personal data floods the internet from previous data breaches, the chances are that we will see further small-time criminals getting their hands on credentials that could give them access to far more valuable information, or, in this case, sought-after mobile devices,” he said.
“Attacks using stolen credentials are becoming increasingly common, and it is important that as well as focusing on protecting themselves from well-known external attacks, businesses address those that come from within, whether they are malicious or not.”
Businesses can no longer rely solely on traditional perimeter tools, said Brewer, which will not detect a “seemingly normal” login attempt.
“This is why security intelligence is so important. By continuously monitoring network activity, businesses can identify unusual behaviour that can point towards unauthorised access instantly,” he said.
“It is the responsibility of companies such as Three to protect their customers from every kind of threat, and only by having full visibility and insight into who is accessing their data can businesses ensure that every individual logging into their network is legitimate.”