Information Security Lapses


Transcript of Information Security Lapses

Page 1: Information Security Lapses

Information Security Lapses
Top 10 Security Breaches

Kyle Chase
Revati Kailasam
Kelly Walker

Page 2: Information Security Lapses

Information Security Lapses

Since 2005, more than 3,000 data breaches have been reported.

Over 545 million records compromised as a result of these data breaches.

- Privacy Rights Clearinghouse

Page 3: Information Security Lapses

Top 10 Information Security Failures in Recent History

What happened?
◦ A summary of the breach

How did it happen?
◦ Attack Methods
◦ Control Failures

How could it be prevented or minimized?
◦ Preventative IT security

Financial Impact
◦ Cost of the breach

Page 4: Information Security Lapses

TJX (2005)

Parent company of TJ Maxx, Marshalls, Home Goods, and more

Reported data breach potentially affecting thousands of consumers

Masterminded by Albert Gonzalez

Hackers gained access via store wireless networks
◦ Outdated WEP security

Gained access to corporate servers housing sensitive information
◦ Including CC Information

Page 5: Information Security Lapses

TJX (2005)

PCI compliance issues
◦ In compliance with only 3 of 12 standards
◦ Failure to upgrade systems in a timely manner

Too much information stored
◦ CC #s, PINs, CVV #s

Lack of encryption

Lack of fraud detection
◦ Breach lasted 18 months

Result: 45.7 Million credit card numbers stolen

Page 6: Information Security Lapses

AOL (2006)

Intentionally released search logs
◦ Contained:
SSNs
Bank account information
Demographic information

Exposed 650,000 users to identity theft

IT Security/Control Issues

Violation of Electronic Communications Privacy Act

Lawsuits averaged $5,000 per victim

Page 7: Information Security Lapses

7-Eleven (2007)

Links to TJX Case
◦ Albert Gonzalez – connected to cases involving TJX, Heartland, Hannaford, 7-Eleven

SQL injection attack to access ATM and Point of Sale systems

Injected malware to intercept user inputs in real-time
◦ Also were able to access historical data
◦ PINs stolen in electronic transmission

$2 million in damages

Better encryption and fraud detection systems could have decreased the loss

Page 8: Information Security Lapses

Sony (2011)

Already bad reputation for protecting consumer data
◦ Rootkit Incident

Reported breach to PlayStation Network and Qriocity music service
◦ Immediate shutdown of the PlayStation Network

Affected:
◦ 77 million PlayStation Network users
◦ 25.4 million Sony Online Entertainment users

Released:
◦ Customer Names
◦ Addresses
◦ Email
◦ Log-Ons
◦ Credit card information

Page 9: Information Security Lapses

Sony (2011)

Access to system administrator PC containing sensitive information
◦ Malicious Email to gain access
◦ Masked by Anonymous DDOS attack

Slowed Fraud Detection

Anonymous denies involvement

“Sony probably did not pay enough attention to security when it was developing the software that runs its network.” – Reuters

Page 10: Information Security Lapses

Monster.com (2007)

Monster was created in 1999

Monster.com is one of the largest employment websites in the world

Hackers broke into the password protected resume library

Information from 1.3 million users was stolen

Information stolen was limited to names, addresses, phone numbers and email addresses

Page 11: Information Security Lapses

Monster.com (2007)

Hackers sent phishing emails and made extortion based threats

Monster waited five days to inform its users about the security breach

Monster put a notice on its website and also posted letters to the affected users about the breach

As per Monster, the estimated cost for upgrading its site was 80 million

Page 12: Information Security Lapses

Epsilon (2011)

Epsilon, created in 1969, is the world’s largest permission based email marketing service company

Epsilon has more than 2400 A-list clients and sends more than 40 billion emails annually on behalf of its clients

On March 30, 2011 Epsilon detected “an unauthorized entry” into its email system

Nearly 75 of Epsilon’s clients were affected

60 million email addresses were stolen

Data compromised was limited to email addresses and names

Page 13: Information Security Lapses

Epsilon (2011)

Some of the clients under attack were financial institutions (Capital One, US Bank, JPMorgan Chase, Citi and Barclays Bank of Delaware), retail chains (Best Buy, Home Shopping Network, Walgreens, Brookstone, New York & Company, Kroger, TiVo), hotel chains (Ritz-Carlton Rewards and Marriott Rewards), McKinsey, The College Board, Disney Destinations and many more.

Page 14: Information Security Lapses

Epsilon (2011)

Hackers sent spam and phishing emails to the victims of the breach

Epsilon reported the breach on April 01, 2011 to both customers and clients

Epsilon announced that it was going to enhance its data security system

Epsilon could have faced a price tag as high as 4 billion for the data breach

Page 15: Information Security Lapses

Operation shady RAT (2009-2011)

In 2009 a McAfee client, a U.S. defense contractor, identified suspicious programs running on its network

Forensic investigation revealed a spear phishing email containing a link to a web page that, when clicked, automatically downloaded a remote access tool or “RAT” onto the victim’s computer

McAfee, while investigating a command-and-control operation in 2009, discovered the cyber espionage campaign “Operation Shady RAT”

Page 16: Information Security Lapses

Operation shady RAT (2009-2011)

McAfee traced the activity back to 2006

The widespread cyber-espionage campaign dubbed “Operation Shady RAT” infiltrated the computer systems of national governments, global corporations, non-profits and other organizations

Fourteen countries were victims

Forty-nine of the seventy-two organizations compromised were from the United States

Page 17: Information Security Lapses

Operation shady RAT (2009-2011)

Data compromised was email archives, sensitive corporate documents and other intellectual property

McAfee is working closely with U.S. government agencies, law enforcement and others in hopes of eventually shutting down Shady RAT’s command-and-control server

Most of the targets have removed the malware from their systems

Page 18: Information Security Lapses

TriCare (2011)

Department of Defense health care program

SAIC – business partner of TriCare

September 14, 2011 breach of patient information affecting approximately 4.9 million patients

Largest Federal breach to date

Page 19: Information Security Lapses

TriCare (2011)

Unencrypted computer backup tapes stolen from SAIC employee’s car

Tapes contained patient information

TriCare states that risk is low

Breach caused 3 lawsuits totaling $4.9 billion

Page 20: Information Security Lapses

HBGary (2011)

Company that provides tools and services to protect assets and information

Specializes in computer forensics and malware analysis tools

February 6, 2011 Anonymous hacks into computer system in retaliation

Compromised web server and cracked passwords

Page 21: Information Security Lapses

HBGary (2011)

Used Barr’s administrative password to change password for Greg Hoglund’s email

Greg operated rootkit.com

Hackers used social engineering to gain control of rootkit.com

Defaced HBGary’s website and accessed 71,000 emails

Page 22: Information Security Lapses

HBGary (2011)

Published some emails that revealed immoral and illegal activities that the company was involved in

Since the breach – Aaron Barr has resigned

March 6, 2012 Hector Xavier Monsegur – member of Anonymous – pled guilty

Page 23: Information Security Lapses

RSA SecurID (2011)

Authentication mechanism developed by Security Dynamics

Token generates a code at fixed intervals

Uses a random key known as the seed record – the key to generating a one time password

Used in combination with a password the user creates – the server has a real time clock and a database of valid cards that can validate the code
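Added example, not from the slides: a time-based one-time-code scheme of the kind the slide describes, with the server holding the seed records and a clock and requiring the user's PIN as well as the token code. HMAC-SHA1 truncation (RFC 6238 style) stands in for the proprietary SecurID function, and the 60-second step is assumed; the `reseed` method shows what token replacement after a seed-record compromise amounts to on the server side.

```python
import hmac
import hashlib
import struct

STEP = 60  # seconds per code; assumed interval, SecurID's real function and step are proprietary


def token_code(seed: bytes, now: int, step: int = STEP, digits: int = 6) -> str:
    """Code the token displays for the time window containing `now` (RFC 6238-style stand-in)."""
    counter = now // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class AuthServer:
    """Seed-record database plus a clock; a login needs the user's PIN and the current token code."""

    def __init__(self, clock):
        self.clock = clock          # callable returning epoch seconds (injected so tests are deterministic)
        self.users = {}             # username -> [pin_hash, seed, last_accepted_counter]

    def enroll(self, user: str, pin: str, seed: bytes) -> None:
        self.users[user] = [hashlib.sha256(pin.encode()).digest(), seed, -1]

    def verify(self, user: str, pin: str, code: str, skew: int = 1) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        pin_hash, seed, last = rec
        if not hmac.compare_digest(pin_hash, hashlib.sha256(pin.encode()).digest()):
            return False            # first factor wrong: a stolen seed alone is not enough
        now = self.clock()
        for delta in range(-skew, skew + 1):      # tolerate token/server clock drift of +-skew steps
            t = now + delta * STEP
            if hmac.compare_digest(token_code(seed, t), code) and t // STEP > last:
                rec[2] = t // STEP  # remember the window so the same code cannot be replayed
                return True
        return False

    def reseed(self, user: str, new_seed: bytes) -> None:
        """Token replacement: codes derived from the old seed record stop validating."""
        self.users[user][1] = new_seed
        self.users[user][2] = -1


if __name__ == "__main__":
    seed = b"constructed-seed-record-0001"     # constructed sample, not a real seed
    srv = AuthServer(lambda: 1_300_000_000)
    srv.enroll("alice", "1234", seed)
    print("login ok:", srv.verify("alice", "1234", token_code(seed, 1_300_000_000)))
```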

Page 24: Information Security Lapses

RSA SecurID (2011)

Difficult to hack – need both pieces of information

March 17, 2011 victims of attack costing the company $66.3 million

Sent phishing emails with malware attached

Malware exploited a back door in Adobe Flash

Hackers used Poison Ivy Remote Administrative Tool

Attack is known as APT – Advanced Persistent Threat

Page 25: Information Security Lapses

RSA SecurID (2011)

Replaced 40 million tokens

Breach resulted in attacks on three U.S. Defense contractors
◦ L-3 Communications
◦ Lockheed Martin
◦ Northrop Grumman

Could be tied to cyber espionage from China

Page 26: Information Security Lapses

The financial impact

Costs directly associated with the breach include:

Cost of replacing stolen devices

Cost of recovering lost information

Strengthening IT security and, in some cases, premises security

Other costs include:

Expenses related to informing the victims and providing them with a credit monitoring service

Expenses related to lawsuits

Page 27: Information Security Lapses

The financial impact

Other monetary impacts are:

Fall in share prices

Increased marketing expenses

Cost of hiring and training new employees

Page 28: Information Security Lapses

Accounting and Security

AICPA listed in its Personal Competencies
◦ Accountants need to address “privacy, intellectual property rights and security issues related to electronic communications” as an element of Leverage Technology to develop and enhance personal competencies.

Statements on Auditing Standards (SAS) 94
◦ Requires auditors to take an in-depth look at how IT controls affect internal controls.

Page 29: Information Security Lapses

References

Anderson, H. (2011, October 14). TRICARE Hit With $4.9 Billion Lawsuit. Damages Sought for Privacy Violations in Breach Incident. Retrieved March 6, 2012, from Bank Info Security: www.govinfosecurity.com/p_print.php?t=a&id=4158

Anderson, M. (2012, March 6). Anonymous hackers identified, including one tied to HBGary hack. Retrieved March 6, 2012. http://www.bizjournals.com/sacramento/news/2012/03/06/anonymous-hackers-identified-hb-gary.html

Arrington, M. (2006, August 6). AOL Proudly Releases Massive Amounts of Private Data. Retrieved March 19, 2012. http://techcrunch.com/2006/08/06/aol-proudly-releases-massive-amounts-of-user-search-data/

Baker, L. B., & Finkle, J. (2011, April 26). Sony PlayStation Suffers Massive Data Breach. Reuters. Retrieved March 15, 2012. http://www.reuters.com/article/2011/04/26/us-sony-stoldendata-idUSTRE73P6WB20110426

Beard, D., & Wen, H. J. (2007). Reducing the Threat Levels for Accounting Information Systems. The CPA Journal, 7.

Bright, P. (n.d.). Anonymous speaks: the inside story of the HBGary hack.

Garrison, C. P., & Posey, O. G. Computer Security Awareness of Accounting Students.

Jewell, M. (2007, September 7). Encryption Faulted in TJX Hacking. Associated Press. http://www.msnbc.msn.com/id/20979359#.T30M9KsV3dI

Kantor, A. (2005, November 17). Sony: The Rootkit of All Evil. USA Today. Retrieved March 15, 2012. http://www.usatoday.com/tech/columnist/andrewkantor/2005-11-17-sony-rootkit_x.htm

Mills, E. (2011, June 6). China Linked to New Breaches Tied to RSA. Retrieved March 7, 2012, from CNET News: news.cnet.com/8301-27080_3-20068836-245/china-linked-to-new-breaches-tied-to-rsa/?tag=mncol;txt

Schwartz, M. J. (2011, December 28). 6 Worst Data Breaches Of 2011. InformationWeek. http://www.informationweek.com/news/security/attacks/232301079

Claburn, T. (2009, January 26). Monster.com Hit With Possible Monster-Sized Data Breach. InformationWeek. http://www.informationweek.com/news/security/attacks/212902664

Rashid, F. Y. (2011, April). Epsilon Data Breach Hits Banks, Retail Giants. eWeek. http://www.eweek.com/c/a/Security/Epsilon-Data-Breach-Hits-Banks-Retail-Giants-154971/

Monster.com. Wikipedia. http://en.wikipedia.org/wiki/Monster.com

Analysis: Is the Epsilon data breach a watershed for the marketing industry? (2011, April 5). Computer Weekly. http://www.computerweekly.com/news/1280097340/Analysis-Is-the-Epsilon-data-breach-a-watershed-for-the-marketing-industry

Hobson, D. (2008, August 12). The real cost of a security breach. SC Magazine. http://www.scmagazine.com/the-real-cost-of-a-security-breach/article/113717/

Bradley, T. (2011, April 4). Epsilon Data Breach: Expect a Surge in Spear Phishing Attacks. PCWorld. http://www.pcworld.com/businesscenter/article/224192/epsilon_data_breach_expect_a_surge_in_spear_phishing_attacks.html

Monster.com Admits Keeping Data Breach Under Wraps. Fox News. http://www.foxnews.com/story/0,2933,294471,00.html

Nakashima, E. (2011, August 2). Report on ‘Operation Shady RAT’ identifies widespread cyber-spying. The Washington Post. http://www.washingtonpost.com/national/national-security/report-identifies-widespread-cyber-spying/2011/07/29/gIQAoTUmqI_story.html

Gross, M. J. (2011, August 2). Exclusive: Operation Shady RAT—Unprecedented Cyber-espionage Campaign and Intellectual-Property Bonanza. Vanity Fair. http://www.vanityfair.com/culture/features/2011/09/operation-shady-rat-201109

Panko, R. (2010). Corporate Computer and Network Security. 2nd Edition. Prentice Hall Publishing.

Rashid, F. Y. (2011, March 01). HBGary Federal CEO Aaron Barr Quits Due to Anonymous Attack. IT Security & Network Security News.

SecurID. (2012, January 10). Retrieved March 2012, from Wikipedia: en.wikipeida.org/w/index.php?title=SecurID&printable=yes

Zetter, K. (2010, March 26). Hacker Sentenced to 20 Years for Breach of Credit Card Processor. Wired.com. Retrieved April 1, 2012. http://www.wired.com/threatlevel/2010/03/heartland-sentencing/