Despite an overall increase in security investment over the past decade, organizations are still plagued by breaches. And we’re learning that most of the attacks that result in breaches misuse encryption in some way. Sadly, it’s often human error that allows attackers access to encrypted channels. Sure, an attacker can leverage “gifts” such as zero-day vulnerabilities to break into a system, but in most cases, their success involves provoking or capitalizing on human error.
Human error has a well-documented history of causing data breaches, so much so that in CompTIA's Trends in Information Security (2015), a majority of respondents (52 percent) from hundreds of companies located around the United States said it was the leading cause behind data breaches. More specifically, respondents for that study identified "end user failure to follow policies and procedures" and "general carelessness" as the top examples of human error.
I think it’s interesting to look at how both elements of human error have contributed to some of the largest data breaches ever recorded. I’ll share the publicly known causes and impacts of these breaches. But I’d also like to highlight how the misuse of encryption often compounds the effects of human error in each type of breach.
Here is a brief review of seven well-known mega-breaches.
eBay—Phishing attack stole credentials
In the late spring of 2014, news first broke about a breach against the e-commerce website. An investigation later determined that a group of attackers leveraged phishing attacks to steal the credentials of as many as 100 eBay employees. They used that information to gain access to eBay's internal network, where they then exfiltrated the names, passwords, email addresses, physical addresses, and other personal information of 145 million customers. The attackers allegedly had unfettered access to eBay's systems for 229 days.
How encryption is abused in attacks like this: Once attackers have access to a network, they can install rogue or stolen certificates that allow them to hide exfiltration in encrypted traffic. Unless HTTPS inspection solutions have full access to all keys and certificates, rogue certificates will remain undetected.
Anthem—Used social engineering to gain privileged access
American health insurance company Anthem revealed in early 2015 that attackers obtained the personal information, including names, social security numbers, addresses, and income data, of both consumers and employees. The first sign of the attack came when one of Anthem's system administrators noticed someone had used his unique identifier code to initiate a database query. Many now believe the attackers responsible for the breach used social engineering techniques to steal the administrator's credentials and gain access to the health insurance company's network.
How encryption is abused in attacks like this: SSH keys grant privileged access to many internal systems. Often, these keys do not have expiration dates. And they are difficult to monitor. So, if SSH keys are revealed or compromised, attackers can use them to pivot freely within the network.
Impact: In total, 80 million customers were affected by the breach. There are no exact costs available for the incident as of this writing, though some in the healthcare industry estimate the total costs will surpass $31 billion USD.
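The SSH key problem described above (keys with no expiry that nobody monitors) is something an administrator can at least audit on each host. The following is an added example, not code from the original post or any vendor: it parses an OpenSSH authorized_keys file and flags entries with no expiry-time option, entries whose expiry has passed, entries with no from= restriction, and entries with no comment to attribute an owner. The sample file, key material and audit date are constructed.

```python
"""Audit an OpenSSH authorized_keys file for the hygiene gaps the post describes.
Added example (not from the post or any vendor); the sample below is constructed
and its key material is placeholder text, not real keys."""
import datetime
import re

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
SAMPLE_AUTHORIZED_KEYS = """\
# constructed authorized_keys
ssh-ed25519 AAAAC3Nza...PLACEHOLDER1 alice@laptop
expiry-time="20150131",from="10.0.0.0/8" ssh-rsa AAAAB3Nza...PLACEHOLDER2 deploy@ci
from="192.168.5.0/24",expiry-time="20991231" ssh-ed25519 AAAAC3Nza...PLACEHOLDER3 backup@nas
ssh-rsa AAAAB3Nza...PLACEHOLDER4
"""
AUDIT_DATE = datetime.date(2015, 6, 1)   # constructed "today" for the sample

def _split_options(opts):
    """Split the option field on commas that are outside double quotes."""
    return [o for o in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', opts) if o]

def parse_entry(line):
    """Return (options dict, comment); assumes quoted option values have no spaces."""
    fields = line.strip().split(None, 1)
    options = {}
    if fields[0] not in KEY_TYPES:          # leading field is the option list
        for opt in _split_options(fields[0]):
            name, _, value = opt.partition("=")
            options[name] = value.strip('"')
        fields = fields[1].split(None, 1)   # now: key type, then base64 [comment]
    rest = fields[1].split(None, 1) if len(fields) > 1 else [""]
    return options, (rest[1].strip() if len(rest) > 1 else "")

def audit_authorized_keys(text, today):
    """Return (line number, finding) pairs for entries that need attention."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        options, comment = parse_entry(line)
        expiry = options.get("expiry-time")
        if expiry is None:
            findings.append((n, "no expiry-time: key never expires"))
        elif datetime.datetime.strptime(expiry[:8], "%Y%m%d").date() < today:
            findings.append((n, "expiry-time %s has passed but key is still authorized" % expiry))
        if "from" not in options:
            findings.append((n, "no from= restriction: usable from any source host"))
        if not comment:
            findings.append((n, "no comment: key cannot be attributed to an owner"))
    return findings

def audit_sample():
    return audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, AUDIT_DATE)
```

Run the audit across every host's authorized_keys files and the result is the inventory the post says most organizations lack: which keys exist, who owns them, where they may be used from, and when they stop working.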
Sony Pictures Entertainment—Phishing attack targeted executives
The 2014 breach against Sony Pictures Entertainment began when attackers sent many of Sony's top executives fake Apple ID verification emails. Each email led to a phishing site that stole a target's Apple credentials. In the hope that someone had reused their Apple ID information across multiple accounts, the hackers abused those usernames and passwords in conjunction with employees' LinkedIn profiles to guess their way onto Sony's network. Upon gaining access, the hackers used wiper malware to cripple the company's computer networks and make off with 100 terabytes of data. The hackers, who the United States believes were working for North Korea, eventually posted much of that information online.
How encryption is abused in attacks like this: Many phishing attacks leverage wildcard or rogue certificates to create fake sites that appear to be authentic. Such increased sophistication is often required to target higher-level executives.
JPMorgan Chase—Exploited lack of two-step verification
In the spring of 2014, hackers stole the login credentials for one of the employees at JPMorgan Chase, a leading global financial services firm. Those attackers then exploited an oversight—the bank's security team had forgotten to implement two-step verification (2SV) on one of the network servers—to gain access to JPMorgan Chase's corporate network. Following that initial intrusion, the attackers moved laterally across the bank's network, gaining access to 90 servers in total. They didn't steal any sensitive financial information before they were detected and blocked in August, but they did succeed in making off with the names, addresses, phone numbers, email addresses, and other information of around 76 million households and approximately 7 million small businesses.
How encryption is abused in attacks like this: Using public key encryption and authentication in the two-step verification makes it harder to gain malicious access. Easy access to SSH keys stored on computers or servers makes it easier for attackers to pivot laterally within the organization.
Impact: JPMorgan Chase didn't report the cost of the breach. However, the bank did announce it would begin spending about $250 million annually on information security and employing 1,000 security professionals to prevent similar intrusions from happening in the future.
Target—Leveraged supplier vulnerabilities
On November 15, 2013, attackers broke into Target's network using network credentials stolen from Fazio Mechanical Services, a provider of refrigeration and HVAC systems. Two sources close to the investigation told information security journalist Brian Krebs the attackers used Citadel, a password-stealing malware which is a derivative of the ZeuS banking Trojan. That information could not be confirmed, however. After gaining access to the retailer's network, the attackers installed malware on the point-of-sale (POS) terminals at one of Target's stores. That malware facilitated the theft of 40 million credit- and debit-card records, as well as an additional 70 million customer records (including addresses and phone numbers).
How encryption is abused in attacks like this: An organization’s encryption is only as good as that of its entire vendor community. If organizations don’t control the keys and certificates that authenticate partner interactions, then they lose control of the encrypted tunnels that carry confidential information between companies.
Impact: Accounting for tax deductions and insurance reimbursement, the breach cost Target approximately $105 million.
Home Depot—Exploited weakness of third-party vendor
News first broke of the Home Depot breach on September 2, 2014. Similar to the case of Target, the actual intrusion began when a group of attackers used a third-party vendor's stolen username and password to enter the perimeter of the retailer's network. There, they elevated their privileges and deployed malware onto 7,500 self-checkout systems in the United States and Canada.
How encryption is abused in attacks like this: Usernames and passwords are a relatively weak way of securing private access. Plus, if an organization does not maintain complete control of the SSH keys that govern access to internal systems, or fails to pay attention to code signing, attackers have a better chance of gaining privileged access.
Impact: The attackers ultimately made off with 56 million customers' credit and debit card details as well as 53 million customers' email addresses. After an insurance reimbursement of $15 million, the breach cost Home Depot $28 million, or 0.01% of its sales in 2014.
Pentagon—Used spear-phishing attack
In July 2015, attackers used a spear-phishing attack that "exposed a new and different vulnerability" to hack the Pentagon's Joint Staff unclassified email system. The attack consisted of encrypted social media accounts for coordination as well as an "automated system that rapidly gathered massive amounts of data and within a minute distributed all the information to thousands of accounts on the Internet." Sources believe Russian attackers coordinated the attack, an assault which forced the Pentagon to shut down its email system for two weeks. Approximately 4,000 military and civilian personnel were affected by the outage.
How encryption is abused in attacks like this: If organizations are not monitoring the use of all the keys and certificates that are used in encryption, then attackers can use rogue or stolen keys to create illegitimate encrypted tunnels. Organizations will not be able to detect these malicious tunnels because they appear to be the same as other legitimate tunnels into and out of the organization.
Impact: The exact costs of repairing the email system are unknown.
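The detection gap described above closes only when encrypted sessions can be checked against an inventory of the certificates the organization actually issued. The following is an added example, not code from the original post or any vendor: it reads constructed TLS session records (a simple key=value form, not any real tool's log format) and flags sessions where a corporate name is served with a certificate that is not the inventoried one, where a corporate name has no inventory entry at all, or where an internal host presents a certificate from an issuer outside the approved set. The corporate domain, address range, issuers and fingerprints are all constructed.

```python
"""Flag TLS sessions whose server certificate is not in the managed inventory, the
blind spot the post describes for rogue or stolen certificates.  Added example, not
the post's or any vendor's code; log format, names, issuers and fingerprints are constructed."""
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")            # constructed corporate range
CORP_SUFFIX = ".example.test"                            # constructed corporate domain
APPROVED_ISSUERS = {"ExampleCorp-CA1"}                   # constructed internal CA
MANAGED_CERTS = {  # constructed inventory: name -> expected fingerprint (placeholder)
    "mail.example.test": "aa11aa11",
    "vpn.example.test": "bb22bb22",
}
SAMPLE_LOG = """\
src=10.1.4.20 dst=10.2.0.5 sni=mail.example.test fp=aa11aa11 issuer=ExampleCorp-CA1
src=203.0.113.9 dst=10.2.0.7 sni=vpn.example.test fp=cc33cc33 issuer=ExampleCorp-CA1
src=10.1.4.20 dst=198.51.100.77 sni=cdn.partner.test fp=dd44dd44 issuer=PublicCA-Root
src=10.1.9.3 dst=10.9.9.9 sni=files.example.test fp=ee55ee55 issuer=files.example.test
"""

def parse_record(line):
    """Turn one constructed 'key=value ...' record into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def classify(rec):
    """Return the reasons (possibly none) this session deserves analyst attention."""
    reasons = []
    name, fp = rec["sni"], rec["fp"]
    expected = MANAGED_CERTS.get(name)
    if expected is not None and fp != expected:      # managed name, wrong certificate
        reasons.append("rogue certificate: %s presented %s, inventory has %s"
                       % (name, fp, expected))
    elif expected is None and name.endswith(CORP_SUFFIX):
        reasons.append("unmanaged certificate: no inventory entry for %s" % name)
    if ipaddress.ip_address(rec["dst"]) in INTERNAL and rec["issuer"] not in APPROVED_ISSUERS:
        reasons.append("internal host %s serves a certificate from unapproved issuer %s"
                       % (rec["dst"], rec["issuer"]))
    return reasons

def scan(log):
    """Return (record number, reasons) for every record that raised at least one reason."""
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        if line.strip():
            reasons = classify(parse_record(line))
            if reasons:
                hits.append((n, reasons))
    return hits

def scan_sample():
    return scan(SAMPLE_LOG)
```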
Certainly, all of the above organizations were using encryption to protect their businesses. But human error can undermine even the strongest security strategies. Your best bet for preventing encryption from being misused in an attack on your organization is an automated solution that allows you to maintain full visibility and control of your encryption assets. Automation will help you reduce the inherent risks of human error, as well as maintain greater control over how you enforce security policies for all encrypted communications.