This article originally appeared on June 24, 2019 in Information Security Buzz.
Usman Rahim, Digital Security and Operations Manager at The Media Trust:
“HTTPS as a security defense was more effective when websites ran mostly owned and operated code. That has changed. Now that third party code predominates such sites, most code on a website runs outside of the owner’s IT perimeter. This means, the activities of visitors of an encrypted site are visible to third and Nth parties. And since those third/Nth parties tend to have weak security defenses and are popular attack targets, they make visitors all the more vulnerable to snooping, theft, and fraud.”
Corin Imai, Senior Security Advisor at DomainTools:
“These figures are not surprising: if criminals are willing to design an entire website to look like another, they’ll be likely to go the extra mile and purchase an https certification to make it look even more legit. HTTPS secure protocols, in fact, can be purchased online for the modicum price of around $50.
To ensure that the general public was informed of the risks, the FBI issued a warning earlier this month inviting citizens not to use a padlock on an address bar as a benchmark for the security of the website they are visiting. This, in addition to typing URLS of websites holding sensitive data, rather than accessing them from a link received via email, is among the best practices that all organisations should train their workforce on: reversing the phishing trend will only possible through a collective effort to spread information.”
Tyler Owen, Director of Solution Engineering at CipherCloud:
“Insider attacks are some of the hardest to detect with traditional security defenses, which focus on the perimeter of the network to protect against external bad actors, but do little to protect the soft insides against insider threats, where all the good data lies. The insiders have all the access they need to gather whatever data they want. Had a User and Entity Behavioral Analysis solution been leveraged, it likely would have detected this breach before the employee could gather 2.9 millions records.
This highlights a paradigm shift that needs to occur with security organizations where the crown jewels are the data, not the assets themselves. Once organizations begin to focus on the data, more than the locations where the data sits, they will become secure. Had this data been encrypted with technology that prevented the data to be exported in a clear text, unencrypted format, 2.7 million Canadian citizens would not have their data out on the internet now. Ben Franklin’s quote, “An ounce of prevention is worth a pound of cure” rings as true today as when he said it. The technology that would have prevented this breach is certainly cheaper than the cost of credit monitoring and the reputation hit Desjardins will take.”
Colin Bastable, CEO at Lucy Security:
“The bank said it fired the employee after learning of the incident from Quebec police last week. I was going to say “the Mounties always get their man”, but the Mounties operate only at a Federal level in Quebec.
So Desjardins’ security systems, policies and procedures did not alert them even after the event. How embarrassing. Thank heavens for the Thin Blue Line. Perhaps the employee was planted – there have been a series of similar inside jobs at UK banks recently. The credit monitoring agencies will be excited – money for old rope.
The knowhow and technology to prevent this sort of nonsense has existed for years, but apparently the desire is widely lacking.”
Ben Goodman, Senior Vice President, Global Business and Corporate Development, ForgeRock:
“Data theft and cyber-attacks represent the number four and five global risks facing organizations across every vertical according to the World Economic Forum’s 2019 Global Risks Report. The security breach at Desjardins by a now former employee further exemplifies the need for access management internally, inside of traditional firewalls. By focusing security access on individual identity and their role within an organization, unauthorized access by an employee can be mitigated and prevent malicious internal breaches as Desjardins experienced.
While organizations hold their employees to a higher standard, they must utilize security measures to protect themselves from internal attacks, as well as external. This is where the notion of ‘Zero Trust’ comes into play – securing interactions for everyone. Leveraging the same security measures internally, as well as externally, ensures organizations they are protected from malicious activities, no matter where they originate.”
Robert Ramsden-Board, VP of EMEA at Securonix:
“This is a good example of how devastating insider threats can be for organisations. One of the key challenges organisations face when detecting insider threats is trying to establish if the person accessing and extracting the data is doing this as part of their job, or with malicious intent. This is likely why Desjardins was only made aware of the breach after a warning from law enforcement officials.
Today there are tools which banks and other organisations are recommended to deploy to help identify insider threats before any real damage occurs. These tools utilise machine learning to understand user behaviour and alert security teams when abnormal user activity occurs.
Insider threats often get a lower level of attention and priority, however this incident demonstrates the consequences of such attacks can be significant. As a result, organisations are advised to give these types of attacks a bigger focus.”
lia Kolochenko, Founder and CEO at ImmuniWeb:
“When just one employee, reportedly acting without acolytes, has an uncontrollable access to such a huge amount of confidential data and even manages to take it away, there is reason to believe that some of the internal security controls are broken. Human factor remains the largest and probably the most dangerous risk than cannot be fully remediated. Most companies considerably underestimate human risk and then face disastrous consequences.
Employee awareness and continuous education programs, as well as properly implemented internal security controls, can greatly reduce risk of human mistake and ruin even the most sophisticated phishing attacks. However, a malicious employee is a much more complicated case. First of all, security teams are already overloaded with tasks, processes and endless alerts, and therefore frequently disregard incidents caused by presumably trusted colleagues. Worse, some of the employee’s malicious activity is technically undistinguishable from the legitimate daily work. Nonetheless, major incidents akin to this one, are usually easily detectable and preventable.”