September 28, 2017 by Rodolfo Melgoza
This week, Deloitte, one of the world’s largest accounting firms, and one that provides security consulting services to others, fell victim to a data breach of its own.
According to The Register, what appeared to be a collection of Deloitte’s corporate VPN passwords, user names, and operational details was recently found in a public-facing GitHub-hosted repository.
It also appears that a Deloitte employee uploaded company proxy login credentials and other sensitive data to his public Google+ page. According to The Register, the information sat there for over six months. Hackers apparently used the compromised login credentials to access the firm’s global email server through an “administrator’s account” that, in theory, gave them privileged, unrestricted “access to all areas”. Thus armed, it was easy for the cybercriminals to reach sensitive information systems and steal data.
While we don’t mean to excuse the incident or downplay its severity, it reminds us, once again, that even very good, security-conscious organizations can suffer a data breach. The simple fact is that although we don’t yet know the particulars regarding the employee or employees involved in the Deloitte incident, we do know that employees are human, and humans are subject to mistakes, and even criminal activity. Sensitive data is accidentally transmitted, security settings are misconfigured, policies are violated. Unless the organization has a way to detect these common deviations, a breach is almost guaranteed.
What’s interesting about this case is that the intrusion went undetected for a long time. Long dwell times are, of course, typical for most organizations, but it seems odd that Deloitte, one of the world’s largest security consultancies, apparently didn’t have UEBA (User and Entity Behavior Analytics) tools in place to detect this anomalous user behavior.
A quality UEBA system would have built a baseline of normal behavior for each user and entity, and then flagged the deviations that occurred in this situation. Ideally, it would have detected the initial upload of user names and passwords, especially to a non-company, public repository. But even if the system missed that transaction (or it was not acted on by security staff), a UEBA system would almost certainly have detected the hackers’ anomalous use of the administrator account. Unknown machines, from anomalous locations, reaching sensitive systems with a privileged account is exactly the kind of departure from baseline that such a system is built to catch, probably at the first occurrence.
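To make the baseline-then-flag idea concrete, here is an added illustration (not Fortscale’s product code, and not Deloitte’s logs): a small Python script that learns, per user, which source hosts, countries and hours of day have appeared in past successful logins, then scores later events by how many of those attributes the user has never exhibited before. The log format, account names, host names and both log periods are constructed for the example; the weights, the privileged-account multiplier and the alert threshold are assumptions chosen to keep the scoring readable.

```python
"""UEBA-style baselining of login events (added example, constructed data).

Event line format assumed here:
    <ISO-8601 UTC timestamp> <user> <source_host> <country> <outcome>
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed baseline period: a week of ordinary activity for two accounts.
BASELINE_LOG = """\
2017-02-06T08:02:11Z mailadmin DESK-0142 US success
2017-02-07T08:15:40Z mailadmin DESK-0142 US success
2017-02-08T07:58:03Z mailadmin DESK-0142 US success
2017-02-09T09:20:47Z mailadmin LAPTOP-0142 US success
2017-02-10T08:41:09Z mailadmin DESK-0142 US success
2017-02-06T13:02:55Z jdoe LAPTOP-0931 GB success
2017-02-07T12:45:10Z jdoe LAPTOP-0931 GB success
2017-02-08T14:10:33Z jdoe LAPTOP-0931 GB success
"""

# Constructed later period: the privileged mail-admin account used from
# unknown machines in unfamiliar countries in the middle of the night,
# mixed with routine logins that must not fire.
NEW_LOG = """\
2017-03-02T03:14:22Z mailadmin WIN-9K2QF7 RU success
2017-03-02T08:05:00Z mailadmin DESK-0142 US success
2017-03-02T13:30:11Z jdoe LAPTOP-0931 GB success
2017-03-03T02:50:09Z mailadmin ubuntu-vps BR success
"""

PRIVILEGED = {"mailadmin"}   # assumed: anomalies on these accounts count double
MIN_BASELINE_EVENTS = 3      # assumed: fewer observations means the profile is not trusted
WEIGHTS = {"new host": 2, "new country": 3, "unusual hour": 1}  # assumed weights
ALERT_THRESHOLD = 4          # assumed threshold


def parse_event(line):
    ts, user, host, country, outcome = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"when": when, "user": user, "host": host,
            "country": country, "outcome": outcome}


def build_baseline(log_text):
    """Per-user sets of hosts, countries and login hours seen in successful logins."""
    profile = defaultdict(lambda: {"hosts": set(), "countries": set(), "hours": set(), "n": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_event(line)
        if e["outcome"] != "success":
            continue  # failed attempts do not define what "normal" looks like
        p = profile[e["user"]]
        p["hosts"].add(e["host"])
        p["countries"].add(e["country"])
        p["hours"].add(e["when"].hour)
        p["n"] += 1
    return dict(profile)


def _near_known_hour(hour, known_hours):
    # An hour within +/-1 of any previously seen hour is normal (wraps at midnight).
    return any(min(abs(h - hour), 24 - abs(h - hour)) <= 1 for h in known_hours)


def score_event(profile, event):
    """Return (score, reasons): one reason per attribute this user has never shown."""
    p = profile.get(event["user"])
    if p is None or p["n"] < MIN_BASELINE_EVENTS:
        # No trustworthy history yet: say so instead of silently scoring 0.
        return 0, ["insufficient baseline"]
    reasons = []
    if event["host"] not in p["hosts"]:
        reasons.append("new host")
    if event["country"] not in p["countries"]:
        reasons.append("new country")
    if not _near_known_hour(event["when"].hour, p["hours"]):
        reasons.append("unusual hour")
    score = sum(WEIGHTS[r] for r in reasons)
    if event["user"] in PRIVILEGED:
        score *= 2
    return score, reasons


def detect(baseline_text, new_text, threshold=ALERT_THRESHOLD):
    """Score every new event against the baseline; return those at or above threshold."""
    profile = build_baseline(baseline_text)
    alerts = []
    for line in new_text.splitlines():
        if not line.strip():
            continue
        e = parse_event(line)
        score, reasons = score_event(profile, e)
        if score >= threshold:
            alerts.append({"when": e["when"].isoformat(), "user": e["user"],
                           "host": e["host"], "country": e["country"],
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(BASELINE_LOG, NEW_LOG):
        print(f"ALERT {a['when']} {a['user']} from {a['host']} ({a['country']}) "
              f"score={a['score']} because {', '.join(a['reasons'])}")
```

Run as-is, the two night-time logins of the mail-admin account from never-seen hosts in never-seen countries are the only events that alert, and they alert on their first occurrence; the admin’s routine morning login from the usual desktop and jdoe’s routine login score zero. Two details matter in practice: a profile is only trusted once it has enough history (an account with no baseline is reported as such rather than scored as normal), and only successful logins feed the baseline, so an attacker’s failed attempts cannot teach the system that their source is “normal”.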
Hopefully we can all learn a lesson from this unfortunate incident. Even good companies will experience a data breach if they don’t have a quality UEBA system in place to detect anomalous behavior.
Learn more about how Fortscale’s UEBA solutions can guard against inappropriate employee actions.