Despite an overall increase in security investment over the past decade, organizations are still plagued by breaches. What’s more, we’re learning that many of the attacks that result in breaches misuse encryption in some way. (By comparison, just four percent of data breaches tracked by Gemalto’s Breach Level Index were “secure breaches” in that the use of encryption rendered stolen data useless).
Sadly, it’s often human error that allows attackers access to encrypted channels and sensitive information. Sure, an attacker can leverage “gifts” such as zero-day vulnerabilities to break into a system, but in most cases, their success involves provoking or capitalizing on human error.
Human error has a well-documented history of causing data breaches. According to a CybSafe analysis of data from the UK Information Commissioner’s Office (ICO), human error was the cause of approximately 90 percent of data breaches in 2019. This is up from 61% and 87% the previous two years. Meanwhile, Verizon’s 2019 Data Breach Investigations Report (DBIR) found error to be a causal event in 21 percent of breaches. Loss, misdelivery and other types of human-related errors also placed on Verizon’s top action varieties in incidents and breaches for the year.
I think it’s interesting to look at how human error has contributed to some of the latest data breaches. I’ll share the publicly known causes and impacts of these breaches. But I’d also like to highlight how the misuse of encryption often compounds the effects of human error in each type of breach.
Equifax — Expired certificates delayed breach detection
In the spring of 2017, the U.S. Department of Homeland Security's Computer Emergency Readiness Team (CERT) sent consumer credit reporting agency Equifax a notice about a vulnerability affecting certain versions of Apache Struts. According to former CEO Richard Smith, Equifax sent out a mass internal email about the flaw. The company’s IT security team should have used this email to fix the vulnerability, according to Smith’s testimony before the House Energy and Commerce Committee. But that didn’t happen. An automatic scan several days later also failed to identify the vulnerable version of Apache Struts. Plus, the device inspecting encrypted traffic was misconfigured because of a digital certificate that had expired ten months previously. Together, these oversights enabled a digital attacker to crack into Equifax’s system in mid-May and maintain their access until the end of July.
How encryption may become a factor in scenarios like this: Once attackers have access to a network, they can install rogue or stolen certificates that allow them to hide exfiltration in encrypted traffic. Unless HTTPS inspection solutions are available and have full access to all keys and certificates, rogue certificates will remain undetected.
Impact: The bad actor is thought to have exposed the personal information of 145 million people in the United States and more than 10 million UK citizens. In September 2018, the Information Commissioner’s Office issued Equifax a fine of £500,000, the maximum penalty amount allowed under the Data Protection Act 1998, for failing to protect the personal information of up to 15 million UK citizens during the data breach.
Ericsson — mobile services go dark when the certificate expires
At the beginning of December 2018, a digital certificate used by Swedish multinational networking and telecommunications company Ericsson for its SGSN–MME (Serving GPRS Support Node—Mobility Management Entity) software expired. This incident caused outages for customers of various UK mobile carriers including O2, GiffGaff, and Lyca Mobile. As a result, a total of 32 million people in the United Kingdom alone lost access to 4G and SMS on 6 December. Beyond the United Kingdom, the outage reached 11 countries including Japan.
How encryption may become a factor in scenarios like this
Expired certificates do not only cause high-impact downtime; they can also leave critical systems without protection. If a security system experiences a certificate outage, cybercriminals can take advantage of the temporary lack of availability to bypass the safeguards.
Impact: Ericsson restored the most affected customer services over the course of 6 December. The company also noted in a blog post that “The faulty software [for two versions of SGSN–MME] that has caused these issues is being decommissioned.”
LinkedIn—Millions miss connections when the certificate expires
On 30 November, a certificate used by business social networking giant LinkedIn for its country subdomains expired. As reported by The Register, the incident did not affect www.linkedin.com, as LinkedIn uses a separate certificate for that particular domain. But the event, which involved a certificate issued by DigiCert SHA2 Secure Server CA, did invalidate us.linkedin.com along with the social media giant’s other subdomains. As a result, millions of users were unable to log into LinkedIn for several hours.
How encryption may become a factor in scenarios like this: Whenever certificates expire, it may indicate that overall protection for machine identities is not up to par. Uncontrolled certificates are a prime target for cybercriminals who can use them to impersonate the company or gain illicit access.
Impact: Later in the afternoon on 30 November, LinkedIn deployed a new certificate that helped bring its subdomains back online, thereby restoring all users’ access to the site.
Strathmore College — Student records not adequately protected
In August 2018, it appears that an employee at Strathmore secondary college accidentally published more than 300 students’ records on the school’s intranet. These records included students' medical and mental health conditions such as Asperger’s, autism and ADHD. According to The Guardian, they also listed the exposed students’ medications along with any learning and behavioral difficulties. Overall, the records remained on Strathmore’s intranet for about a day. During that time, students and parents could have viewed and/or downloaded the information.
How encryption may become a factor in scenarios like this: Encrypting access to student records makes it difficult for anyone who doesn’t have the proper credentials to access them. Any information left unprotected by encryption can be accessed by any cybercriminals who penetrate your perimeter.
Impact: Strathmore’s principal said he had arranged professional development training for his staff to ensure they’re following best security practices. Meanwhile, Australia’s Department of Education announced that it would investigate what had caused the breach.
Veeam — Customer records compromised by unprotected database
Near the end of August 2018, the Shodan search engine indexed an Amazon-hosted IP. Bob Diachenko, director of cyber risk research at Hacken.io, came across the IP on 5 September and quickly determined that the IP resolved to a database left unprotected by the lack of a password. The exposed database contained 200 gigabytes worth of data belonging to Veeam, a backup and data recovery company. Among that data were customer records including names, email addresses and some IP addresses.
How encryption may become a factor in scenarios like this: User names and passwords are a relatively weak way of securing private access. Plus, if an organization does not maintain complete control of the private keys that govern access for internal systems, attackers have a better chance of gaining access.
Impact: Within three hours of learning about the exposure, Veeam took the server offline. The company also reassured TechCrunch that it would “conduct a deeper investigation and… take appropriate actions based on our findings.”
Marine Corps — unencrypted email misfires
At the beginning of 2018, the Defense Travel System (DTS) of the United States Department of Defense (DOD) sent out an unencrypted email with an attachment to the wrong distribution list. The email, which the DTS sent within the usmc.mil official unclassified Marine domain but also to some civilian accounts, exposed the personal information of approximately 21,500 Marines, sailors and civilians. Per Marine Corp Times, the data included victims’ bank account numbers, truncated Social Security Numbers and emergency contact information.
How encryption may become a factor in scenarios like this: If organizations are not using proper encryption, cybercriminals can insert themselves between two email servers to intercept and read the email. Sending private personal identity information over unencrypted channels essentially becomes an open invitation to cybercriminals.
Impact: Upon learning of the breach, the Marines implemented email recall procedures to limit the number of email accounts that would receive the email. They also expressed their intention to implement additional security measures going forward.
Pennsylvania Department of Education — misassigned permissions
In February 2018, an employee in Pennsylvania’s Office of Administration committed an error that subsequently affected the state’s Teacher Information Management System (TIMS). As reported by PennLive, the incident temporarily enabled individuals who logged into TIMS to access personal information belonging to other users including teachers, school districts and Department of Education staff. In all, the security event is believed to have affected as many as 360,000 current and retired teachers.
How encryption may become a factor in scenarios like this: If you do not know who’s accessing your organization’s information, then you’ll never know if it’s being accessed by cybercriminals. Encrypting access to vital information and carefully managing the identities of the machines that house it will help you control access.
Impact: Pennsylvania’s Department of Education subsequently sent out notice letters informing victims that the incident might have exposed their personal information including their Social Security Numbers. It also offered a free one-year subscription for credit monitoring and identity protection services to affected individuals.
Human error can impact the success of even the strongest security strategies. As the above attacks illustrate, this can happen in numerous ways. Here are just a few:
SSH keys grant privileged access to many internal systems. Often, these keys do not have expiration dates. And they are difficult to monitor. So, if SSH keys are revealed or compromised, attackers can use them to pivot freely within the network.
Many phishing attacks leverage wildcard or rogue certificates to create fake sites that appear to be authentic. Such increased sophistication is often required to target higher-level executives.
Using public-key encryption and authentication in the two-step verification makes it harder to gain malicious access. Easy access to SSH keys stored on computers or servers makes it easier for attackers to pivot laterally within the organization.
An organization’s encryption is only as good as that of its entire vendor community. If organizations don’t control the keys and certificates that authenticate partner interactions, then they lose control of the encrypted tunnels that carry confidential information between companies.
If organizations are not monitoring the use of all the keys and certificates that are used in encryption, then attackers can use rogue or stolen keys to create illegitimate encrypted tunnels. Organizations will not be able to detect these malicious tunnels because they appear to be the same as other legitimate tunnels into and out of the organization.
Training your users about the importance of machine identities will help reduce user errors. And advances in AI and RPA will also play a factor in the future. But for now, your best bet in preventing encryption from being misused in an attack on your organization is an automated machine identity management solution that allows you to maintain full visibility and control of your machine identities. Automation will help you reduce the inherent risks of human error as well as maintain greater control over how you enforce security policies for all encrypted communications.