For this week’s “In the News”, research a recent article, providing the link to the article, that describes an incident that impacted an organization.
- How was the impact worse or reduced because of their Incident Response Program?
- What were the strengths of their Incident Response Program?
Scott Radaszkiewicz says
Aircraft Parts Maker ASCO Severely Hit by Ransomware
https://www.securityweek.com/aircraft-parts-maker-asco-severely-hit-ransomware
https://www.scmagazine.com/home/security-news/ransomware/asco-industries-confirms-ransomware-attack/
ASCO is a Belgium-based aircraft parts maker. In June of 2019, ASCO’s infrastructure was hit with an unidentified piece of ransomware. Since the infection, the company has struggled to restore normal operations. The infection has disrupted the company’s ability to supply its products to customers, and nearly 1,000 employees have been placed on leave because of the situation.
It would seem that ASCO did not have a solid disaster recovery plan in place to account for this situation. If the attack was ransomware, then one could assume that some or all of ASCO’s data is encrypted. Since operations have come to a halt, it is easily deduced that ASCO, at this point, is unable to restore normal operations and continue business. There is not much information to provide any further details, but this is a catastrophic loss.
Brock Donnelly says
From my readings on ransomware attacks and their effects on government institutions, they are going to reverse engineer the solution. Paying the ransom will not guarantee they will decrypt your files. Once you have the hackers’ attention with functional money, they could ask for another ransom or more money. The only way to combat the ransom attack is to deal with it and never pay a ransom, much the way the US doesn’t negotiate ransoms.
Elizabeth V Calise says
Revealed: Marriott’s 500 Million Hack Came After A String Of Security Breaches
In December 2018, Marriott revealed a massive hack that led to the theft of personal data of 50 million customers of its Starwood hotels.
However, some people were not surprised by this reveal. Prior to the four-year-old breach being discovered, Marriott suffered at least one previously unreported hack, including an infection that hit the company’s own cyber-incident response team. The Computer Incident Response Team was compromised due to a mistake by a contracted cybersecurity vendor that was supposed to be protecting the hotel giant. According to sources, SecureWorks, a cybersecurity provider once owned by Dell, was the vendor.
Supposedly, the breach saw a contracted analyst download a malware sample for analysis. The malicious software ended up getting access to Marriott’s internal email. There also has been evidence that Russian cybercriminals have breached Starwood Web servers.
Marriott’s security is now facing probes from multiple government bodies, including the New York Attorney General’s office. European regulators are also looking into the incident. From this article, there are a series of security horror stories.
https://www.forbes.com/sites/thomasbrewster/2018/12/03/revealed-marriotts-500-million-hack-came-after-a-string-of-security-breaches/#4961f96d546f
How was the impact worse or reduced because of their Incident Response Program?
Based on this article, the impact was worse because their Incident Response Team was hacked. Those who were responsible for the plan were also hacked during the breach. It can’t help but make Marriott employees and customers lose faith, or decrease Marriott’s reputation. It causes questioning and concerns globally due to how large this company is and its presence around the world.
What were the strengths of their Incident Response Program?
In this article, not many strengths are demonstrated, but the article does not bring up weaknesses earlier. Due to the number of breaches, sources and evidence, Marriott has experienced a number of security horrors. These security horrors demonstrate weakness in the corporation.
Dima Dabbas says
Elizabeth,
Great share! It is very scary that the actual incident response plan got hacked as well, which gets me thinking that there would be delays since the attack happened to the internal team and not just to the customers. It also raises concerns of whether they will actually be able to recover fully from these attacks. Again, Marriott did not report on a previous incident to the public. This gets me thinking, should they or should they not? Since Marriott deals with personal data, I feel like it owes it to the public to let them know when these events occur, but at the same time this will definitely impact its reputation. This all just gets you thinking.
Ahmed A. Alkaysi says
Thanks for sharing Elizabeth. Third-party vendor management is extremely important to incorporate in any information security plan. The organization should request to view SOC 2 reports annually and also include certain obligations in the contract, such as the right to audit and network segmentation, which could have mitigated this type of attack.
Sheena L. Thomas says
Great read Elizabeth. The incident response team was hacked?!?!?! That’s bizarre, but interesting. We as security professionals have to be extra careful not to be the ones to cause the breach or make a bad situation worse. Great article.
Dima Dabbas says
Uber Announces New Data Breach Affecting 57 Million Riders and Drivers
https://us.norton.com/internetsecurity-emerging-threats-uber-breach-57-million.html
This article discusses how Uber was under a data breach that disclosed personal information of 57 million drivers and riders. It doesn’t seem that Uber had a great incident response program in place, as they chose to keep this away from the public. The data breach happened in late 2016, but the company did not announce it till the next year. People should be aware when their personal information is stolen, especially in the case of a large data breach like this. According to Uber, there were forensic experts who believe that the only information that was downloaded was names, emails and phone numbers. It doesn’t seem like Uber had a plan that incidents can happen and to respond immediately. There is still no clear evidence of what was stolen, the public were not notified till a later time, and the reason behind the incident was that the two hackers were able to access a third-party cloud-based service that Uber uses.
Having a strong incident response program in place enables organizations to respond and recover immediately from incidents. The public should be aware of incidents like this so they know that their information may have been disclosed to outside resources.
Elizabeth V Calise says
Dima,
I agree with you that Uber could have potentially lacked an Incident Response Team and it could have had a weak plan in place for responding to attacks. However, my thoughts were going in another direction when you mentioned “It doesn’t seem that Uber had a great incident response program in place as they chose to keep this away from the public.” A lot of companies have been hacked and didn’t tell the customers till a few years later. Does this mean all those companies have a weak Incident Response Plan, or is it something else? I guess you could say all those companies had a plan but it was not good enough.
Is it possible to have a decent response program but still receive the worst impact possible? If so, are companies not sharing because of the fear of damaging reputation, receiving penalties, etc.? If so, it is still not a good excuse to not tell customers.
Your post just got me thinking: can it happen that a company has a good Incident Response Team with a strong plan but still someone hacks the company successfully? Maybe then they don’t share the hack due to other fears. I have never been on an Incident Response Team or contributed to coming up with a plan – some random thoughts I had after reading your post.
Brock Donnelly says
https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html
Kazakhstan Begins Intercepting HTTPS Internet Traffic Of All Citizens Forcefully
While I was unable to find a news article related to this week’s topic, I did find one that everyone in this class should read. Kazakhstan, made known to me only by the movie Borat, is forcing their citizens to install their governmental root certificate, enabling Kazakhstan to intercept all their HTTPS and TLS traffic. As usual for sinister things, Kazakhstan is stating this is in their citizens’ best interest. They are forcing their ISPs to cooperate. Instructions are available to Kazakhstan citizens, and anyone who does not follow these instructions will not make connections. Kazakhstan just turned into a deep surveillance state. The dumbest bit is citizens have to get their certificate from non-HTTPS sites, leaving vulnerabilities where hackers could easily replace the certificate with their own. I guess if you want to get on the internet in Kazakhstan, no matter who it is, there is going to be a man-in-the-middle for all your secure connections.
Ahmed A. Alkaysi says
Not surprising where regulations and information security are probably not at the top of their priority list. It’s unfortunate that the people will have to comply or else be unable to access the internet. It is mind boggling that they have to get the certificate from a non-secured site.
Duy Nguyen says
https://thehackernews.com/2019/07/siemens-logic-bomb.html
A former Siemens contractor pleaded guilty to coding in a logic bomb that crashes the application every couple of years. According to the Federal Government, David Tinley did this without the knowledge of Siemens, and his actions were intentional. These glitches were created so that once the logic bombs crashed the application, he would be called back and paid to fix the issues. It was clear that there was no implemented process for documentation of incidents or maintenance, since he was able to run this code for years without any checks. Tinley was finally caught once he was forced to hand over administrator passwords to Siemens employees in order to unlock the spreadsheets. He was sentenced Nov 8 2018.
Brock Donnelly says
Wow, this could have gone on for years. While this was a coincidence, the problem was sort of discovered through vacation policy and/or job-rotation-like controls. If the contractor wasn’t on vacation when his bomb went off, he might have been able to get away with this for much longer. Let that be a lesson to you: if you plan to make logic bombs, make sure your vacation calendar is synced with your detonation date, otherwise you might be forced to resolve the issue by “showing your hand” so the solution can carry on without you.
Sheena L. Thomas says
Wow, that’s shady! Clever, but shady. This story is similar to the folks who repave the roads: they purposely put down crappy material on the roads so they can be called back to repave the roads every 2-3 years. Talk about job security at its highest level!?!?!?! Great story, thanks.
Folake Stella Alabede says
Bank of Chile trading down after hackers rob millions in cyberattack
The bank had an incident response plan, such that after the hackers had initially used a virus as a distraction, the bank moved in to disconnect 9,000 computers in branches across the country to protect customer accounts. The hackers also quietly used the global SWIFT bank messaging service to initiate a series of fraudulent transactions that were eventually spotted by the bank and canceled, but not before millions were funneled to accounts abroad.
I would say the impact was worsened, as shares in the Bank of Chile, which is controlled by the Chilean Luksic family and Citigroup, were down 0.47 percent at 100.4 Chilean pesos ($.16) during mid-day trading after the incident.
https://www.reuters.com/article/us-chile-banks-cyberattack/bank-of-chile-trading-down-after-hackers-rob-millions-in-cyberattack-idUSKBN1J72FC
Ahmed A. Alkaysi says
It’s interesting that the attackers used the virus as a distraction in order to quietly use the SWIFT messaging system for their nefarious activities. I think the incident response plan should take multiple scenarios into account.
Elizabeth V Calise says
Stella,
This was an interesting read and very unfortunate for the bank. It seems that hackers tend to target the countries that are not the strongest overall (Chile, Mexico). I am not even sure I would say that they had any incident response plan in place. Not sure if they have the right people who think outside the box. When it comes to hiring cyber security employees, I think you want some that can think like a hacker. I think those types of employees can really help develop plans for various scenarios.
Ahmed A. Alkaysi says
A report by IBM says that although the cost of data breaches continues to rise across the healthcare industry, organizations with an incident response plan had $1.23 million less cost than those that didn’t. The report stated that having an incident response plan should be top priority among the C-suite. The majority of organizations evaluated in the report did not have a comprehensive plan. Instead they utilized an ad-hoc or siloed approach.
https://www.healthcareitnews.com/news/data-breach-costs-continue-rise-across-healthcare-industry
Brock Donnelly says
This is an amazingly significant savings. Less than $1.5 million is quite a lot to any business. That amount alone could save multiple IT jobs. I feel that we are heading to a time where we are going to see steeper fines for incompetent companies that suffer from breaches. Something like the GDPR for the US should help the C-suite realize that security is no joke.
Oby Okereke says
iNSYNQ Cloud Hosting Provider Hit by Ransomware Attack – 7/16/2019
Highlights:
– Pioneer customized desktop as a service provider (DaaS) for mostly accounting applications
– Provides scalable desktop applications through innovative cloud solutions
– Experienced a ransomware attack on 7/16/19 perpetrated by unknown malicious attackers
– Customer files were encrypted
– Clients unable to access data
– iNSYNQ Incident response team took quick steps to catch and contain the attack in the nick of time
– Precautionary measures taken to contain the incident as soon as it identified the cyber-attack by turning off some servers in its data center
– Launched effort to protect client data and backups
– Communication plan activated to notify customers, thereby preventing a flood of calls to the help desk team
– Hired leading cybersecurity experts to assist with the recovery effort
– Further investigation would suggest that iNSYNQ lacked a data backup strategy and apparently did not have the proper architecture in place for a cloud service provider hosting this many customers
– Lack of a proper incident response program has resulted in a longer recovery time, thereby extending the system downtime
– One notable strength in the incident response plan was the fact that the incident was discovered on time, thereby limiting its impact
https://www.bleepingcomputer.com/news/security/insynq-cloud-hosting-provider-hit-by-ransomware-attack/
Ahmed A. Alkaysi says
To be honest, although you said that they had a lack of an incident response program, it looks like they were still able to take all the necessary steps in the recovery. They were able to contain the attack, take precautionary action, back up the data, and had a communication plan in place to notify relevant parties. To me it seems they had a pretty solid incident response program.
Oby Okereke says
Hi Ahmed,
Yes indeed, I have to agree with you. Perhaps one could argue they lacked a business continuity/recovery plan, hence the continued recovery-mode status. Thank you for catching that salient point.
Jonathan Duani says
I think even though this article is old, there is so much more to be learned from this, and it’s a great example of the incident response process and where it went wrong. The article linked below really explains the aftermath multiple years later from this breach. It explains that the people who orchestrated the breach got 14 years in prison; it shows that the feds are really getting serious about this.
Source: https://www.washingtonpost.com/local/public-safety/hacker-linked-to-target-data-breach-gets-14-years-in-prison/2018/09/21/839fd6b0-bd17-11e8-b7d2-0773aa1e33da_story.html?noredirect=on&utm_term=.0008531c248d
Brock Donnelly says
This article seems to carry with it both sides of the argument. At the beginning they slam Bondars as the criminal, but at the end it leaves him seeming like the victim. Bondars created a program to scan, and hackers used it to gain more knowledge on Target’s systems, which led to the famous breach. Portions of this sentence, based solely on this article, have me questioning this verdict. Based on the writing it doesn’t seem much different than using Nmap. I guess it is all in the intentions.
Steve Pote says
“mens rea”
Steve Pote says
State and local governments have been the target of terrifying numbers of breaches. It is actually difficult to find a headline that ends as anything but a grave warning and no clear direction on what to do next. “The way we used to do it – paper and physical clerical work” is the only plan when no other plan is in place.
The National Cyber Incident Response Plan is two years old. All states have IRPs, but based on this report we have more paper forms coming…
“Fifteen states have made their cyber disruption response plans public, and several more have plans that are kept under wraps, said Michael Garcia, an NGA senior cybersecurity and homeland security analyst. But most of the publicly disclosed plans date from before the federal government’s 2016 implementation of the National Cyber Incident Reporting Plan, which lays out how a major cyberattack would be dealt with, including roles for state and local governments; just four states — Arizona, Connecticut, South Carolina and Wisconsin — wrote their plans after the NCIRP was released.”
https://statescoop.com/state-cyber-disruption-response-plans-nga-report/
https://www.us-cert.gov/ncirp
Sheena L. Thomas says
American Medical Collection Agency had to file for bankruptcy following their security breach. Millions of customers from both Quest Diagnostics and LabCorp were affected by this breach. LabCorp stated: “200,000 customers who paid LabCorp bills using AMCA’s web portal had their payment card information compromised, the LabCorp continued. According to the SEC filing, AMCA did not share the identities of these particular victims, but assured the diagnostics company that it had already begun to notify these individuals, and would offer them two years of identity protection and credit monitoring services.” Now my question is, if they are now bankrupt, are they going to continue to offer identity protection to the victims?? Should LabCorp and Quest Diagnostics be responsible for anything, because it’s their customer data that was affected? Obviously, AMCA’s Incident Response Plan was activated at the beginning of the breach, but they slowly realized the effects of the breach cost more than they could afford to pay out. Even with an incident response plan, the breach was too significant for AMCA to handle.
https://krebsonsecurity.com/tag/american-medical-collection-agency/
https://www.scmagazine.com/home/security-news/data-breach/7-7-million-labcorp-patients-affected-by-same-breach-that-impacted-quest-diagnostics/