Thursday, 22 May 2014

Opinion: Ebay cyberattack: Security experts agree that employees are weakest link


In the wake of one of the biggest cyberheists ever, TechRadar Pro received dozens of comments from security specialists, debating the causes and consequences of this high-profile cyberattack and, most importantly, how end-to-end security needs to change. We compiled the best of them below.


"The fact that an eBay database containing highly sensitive user information was compromised through employee log-in credentials demonstrates that end users continue to be the weakest link in the chain and the most valuable to be attacked. The reality today is that existing protection on a PC, such as AV, is ineffective and it is simply too easy to be evaded. It is based on an outdated model of trying to detect and fix attacks after they occur. And it doesn't work against today's more sophisticated attacks. Moreover, once an attacker is in they can jump around to virtually any part of an organization and steal at will. Endpoint protection needs to be overhauled to address protection against all attacks before they compromise sensitive systems." Gaurav Banga, co-founder and CEO at Bromium.


"While eBay has confirmed that no financial information has been breached, personal information, including date of birth, names, emails, phone numbers and postal addresses, has all fallen into the hands of the hackers. With such a delay in acknowledging the attack, the true extent of the data loss is not yet known and it's imperative that further analysis is done before we can make any further assumptions. For now, when eBay users receive the request to change their password, they should do so immediately and do the same on all other sites where the same password has been used. The information gained by the hackers is also useful in phishing attacks and for secondary password (reset) information – the effect of this falling into the wrong hands should not be underestimated." Dr Guy Bunker, SVP Product, spokesperson for the Jericho Forum.


"The worrying thing is that many people use a single password for more than one internet site and so if the passwords are compromised, they could be at further risk from cyber-criminal activity. The time lapse here highlights the urgency for customers to change not only their eBay and PayPal passwords but also on any other site that they use the same log-in details for. Many people will also be asking whether this is related to Heartbleed. I suspect that the two are not linked, although of course we can't rule it out. The Heartbleed bug has been around for two years and was discovered after this attack took place. However, eBay states that the leaked information was a result of a compromised database, whereas Heartbleed is a vulnerability that lies in the mechanism used to encrypt data." David Emm, senior security researcher at Kaspersky Lab.


"eBay won't be the last organisation to fall foul of weak employee security practices, but it can be a learning point for big and small businesses. Enforce regular password changes, educate staff about the real risks associated with keeping passwords written down in plain sight or in obvious hiding places like the top drawer of a desk, monitor networks for rogue Wi-Fi access points and invest in software to let you manage, control and isolate the barrage of mobile devices that staff and visitors bring in to the workplace and connect to public and private networks." Sergio Galindo, general manager, Infrastructure Business Unit at GFI Software.


"The attack raises a number of questions, not least 'how did this happen in the first place'? Reading between the lines of the company's brief statement it appears that employees have been hit by a phishing attack, falling for a scam and tricked into giving their credentials away. If this information was only protected by usernames and passwords, and employees were so easily duped, it really is concerning. As one of the world's leading e-tailers eBay should be treating information as we would the Crown Jewels - through layers of protection." Professor Alan Woodward, Department of Computing at the University of Surrey.


"All businesses, including eBay, need to wake up to these risks and adopt stronger authentication for both employees and users of their services or sites. The answer lies in two-factor authentication – something you have and something you know. We're already familiar with this and use it in the form of chip and PIN every day with our bank cards. It's now time for businesses and society to wake up to the fact that passwords are dead and we need a more secure alternative." Richard Parris, CEO and founder of Intercede.


"The most effective way to practically defend systems against this kind of threat is to protect data at its source and provide access on a true need to know basis, which can be achieved by implementing encryption combined with tight access controls as a method of carefully separating users' network access from their ability to actually read, access and copy data. That way, if user accounts are compromised – as seems to be happening on almost a daily basis – there are more effective controls in place to help mitigate the damage that can be done." Paul Ayers, VP EMEA at enterprise data security firm Vormetric.


"As the latest high-profile organisation to fall victim to a data breach incident, eBay provides another warning to all organisations that the threat to businesses is continuing to grow. The fact that employee accounts were compromised in this case is concerning, as robust controls should be in place around these credentials, including behavioural monitoring systems which flag any suspicious behaviour in real-time. While it remains to be seen how these credentials were compromised – whether via a successful phishing email or the involvement of a third party – it is unfortunately unsurprising that these incidents continue to occur." Ben Densham, CTO of independent cyber security consultancy, Nettitude.


"Cyber defenses are changing and moving into the 21st century. Organisations are starting to understand that there is a need to watch every entry point, that may be a port, a protocol or egress point. Matching that with the normal behaviour for a network and setting alarms off when personal information is moving out of an organisation will start to turn the tide on data breaches. In addition to securing all network data channels, companies must also focus on securing social aspects of security. Social engineering or common mistakes such as giving out a password to a co-worker are all too common." Paul Martini, CEO at iboss Network Security.
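Both the Nettitude and iboss comments above call for behavioural monitoring of employee accounts: learn what is normal for each user and alert when a login or data access departs from it. The following is an added example for this page, not code from either company and not based on any eBay telemetry: a small Python detector that builds a per-user baseline (source networks, working hours, largest record count retrieved) from constructed log lines, then scores new events against it. The log format, field names and the `bulk_factor` threshold are this example's own assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample data: a few days of employee logins used as the per-user
# baseline, followed by a new day of events to score against that baseline.
BASELINE_LOG = """\
2014-05-01T09:12:03Z login user=alice src=10.20.4.17 records=12
2014-05-02T10:05:41Z login user=alice src=10.20.4.22 records=9
2014-05-03T08:55:12Z login user=alice src=10.20.4.17 records=15
2014-05-01T13:40:00Z login user=bob src=10.20.7.3 records=40
2014-05-02T14:01:19Z login user=bob src=10.20.7.3 records=35
2014-05-03T12:30:45Z login user=bob src=10.20.7.9 records=38
"""

NEW_LOG = """\
2014-05-04T09:30:00Z login user=alice src=10.20.4.17 records=11
2014-05-04T03:12:48Z login user=bob src=203.0.113.45 records=18000
2014-05-04T11:00:05Z login user=carol src=10.20.9.2 records=7
"""


def parse(log: str) -> list:
    """Turn 'timestamp action k=v k=v ...' lines into event dicts; the source IP is
    generalised to its /24 so ordinary DHCP churn inside one office does not alert."""
    events = []
    for line in log.strip().splitlines():
        ts, _action, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": kv["user"],
            "network": ipaddress.ip_network(kv["src"] + "/24", strict=False),
            "records": int(kv["records"]),
        })
    return events


def build_baseline(events: list) -> dict:
    """Per user: networks seen, hours of day seen, and the largest record count retrieved."""
    baseline = defaultdict(lambda: {"networks": set(), "hours": set(), "max_records": 0})
    for e in events:
        b = baseline[e["user"]]
        b["networks"].add(e["network"])
        b["hours"].add(e["time"].hour)
        b["max_records"] = max(b["max_records"], e["records"])
    return baseline


def score(event: dict, baseline: dict, bulk_factor: int = 5) -> list:
    """Return the list of reasons an event is suspicious (empty list means normal)."""
    if event["user"] not in baseline:
        return ["no_baseline"]  # an account with no history cannot be judged normal
    b = baseline[event["user"]]
    reasons = []
    if event["network"] not in b["networks"]:
        reasons.append("new_network")
    if not (min(b["hours"]) <= event["time"].hour <= max(b["hours"])):
        reasons.append("off_hours")
    if event["records"] > bulk_factor * b["max_records"]:
        reasons.append("bulk_access")  # the "personal information moving out" signal
    return reasons


def detect(baseline_log: str, new_log: str) -> list:
    """Score every new event and return the alerts worth a human's attention."""
    baseline = build_baseline(parse(baseline_log))
    alerts = []
    for e in parse(new_log):
        reasons = score(e, baseline)
        if reasons:
            alerts.append({"user": e["user"], "time": e["time"].isoformat(), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_LOG, NEW_LOG):
        print(alert)
```

Running the block flags `bob` on all three rules at once (a new network, a 03:00 login and a record count hundreds of times his norm), which is exactly the combination a credential-theft-plus-bulk-export would produce, while `alice` stays quiet. The `no_baseline` reason for `carol` is a reminder that a freshly created or never-seen account needs a different, stricter policy rather than silence.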


"Those responsible for IT security must trust no-one and nothing. Not even the fridge. Collective mistrust is no longer a sign of paranoia but has become a guiding principle of IT. Every application and every piece of hardware can now be hacked so IT security has to mistrust everything and everyone. Not customers, not governments and especially not employees. They hold the key to so much and the stakes are so high." Wieland Alge, VP and General Manager EMEA, Barracuda Networks.



  • What are your thoughts about this security debacle? What should or could eBay have done to prevent it, if anything?
http://ift.tt/1gT7sc8
