Last week, South Carolina’s (SC) Governor presented the results of the investigation over the exposure of the personal data of nearly 4 million individual filers and 700,000 businesses in the SC Department of Revenue (DoR) data breach.
The investigation provided a detailed timeline of the breach and revealed that data protection in the DoR was so lacking that the DoR had almost no visibility into the attack. The damning results even led to the resignation of SC's DoR director. Recently, the state made the technical report on the investigation publicly available. The availability of the report (PDF) gives the security community a unique glimpse into the nuts and bolts of a compromised-insider campaign and an opportunity to determine and develop effective countermeasures.
The Attack Timeline
On August 13th, 2012, a malicious email was sent to multiple DoR employees. At least one of them clicked on the embedded link, unwittingly executing malware that compromised the machine. The malware stole the user's username and password. Two weeks later, the attacker logged into the machine through a remote access service (Citrix) with the stolen credentials.
The attacker then began propagating through the network by installing password-grabbing utilities, then using the harvested passwords to connect to more servers, and so forth. Throughout the propagation process, the attacker used generic database client software to search for interesting data. On September 12th, one month after the initial infection, the attacker found worthy loot in the form of a DoR database backup. It took the attacker two days to copy the 74GB (!!) database and send it to the attacker's servers via another server within the victim's internal network. This was pretty much the last contact the attacker had with its target.
On October 10th, two months after the initial infection and one month after the attacker had finished the attack, the Secret Service informed DoR of the breach. Needless to say, DoR "had no idea what had happened."
Data Access Monitoring is the Key
There's a striking contrast between the magnitude of SC DoR's breach and their visibility. The physical equivalent of the incident would be for bank robbers to blast their way into the vault room, and then drag the vault around the bank for two days before running away with the plunder without anyone hearing or seeing them. In the physical world, that can only happen if all the security personnel were deaf and blind.
The South Carolina Department of Revenue attack went unnoticed only because the DoR's security team was not able to monitor and control data access across DoR's internal network and servers, making them the cyber equivalent of deaf and blind to the attack. Their security budget and focus were probably invested entirely in anti-virus technology intended to block the initial infection. When that first line of defense was breached, due to antivirus's inherent limitations, they were left unaware and defenseless against the rest of the attack.
Investing in the right "ears and eyes" to monitor access to servers, databases and files would have made detecting the attack an easy task, because the attack was very "noisy". The attacker read the privileged data at an arbitrary time, from an arbitrary process, under an ordinary user's account, whereas that data is normally touched only by the internal backup process, under the backup account's privileges, at the regular backup times, and with write access rather than reads. Additionally, the attacker moved and processed the data a few times before sending it out of the network, giving many chances for an alarm system, had one been there, to go off.
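To make the "ears and eyes" concrete, here is an added example (not code from the author, the DoR or the investigation report) of the kind of baseline check a data access monitor would apply to file or database access audit events. The baseline, the log format, the account and process names (svc_backup, backupjob.exe), the backup window and the sample log lines are all constructed assumptions for this illustration: access to the backup store is expected only from the backup service account, running the backup job, writing during the nightly window, so any other account, process, operation or time against that path raises an alert with the reasons listed.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed baseline (assumed for this example, not taken from the report):
# only the backup service account, running the backup job, writes to the
# backup share, and only during the nightly backup window.
BACKUP_ACCOUNT = "svc_backup"
BACKUP_PROCESS = "backupjob.exe"
BACKUP_WINDOW = (time(1, 0), time(3, 0))
SENSITIVE_PREFIX = "/backups/dor_db/"


@dataclass
class AccessEvent:
    ts: datetime
    account: str
    process: str
    op: str       # "read" or "write"
    path: str


def parse_event(line: str) -> AccessEvent:
    """Parse one constructed audit line: '<ISO ts> <account> <process> <op> <path>'."""
    ts, account, process, op, path = line.split(maxsplit=4)
    return AccessEvent(ts=datetime.fromisoformat(ts), account=account,
                       process=process, op=op, path=path)


def in_backup_window(ts: datetime) -> bool:
    start, end = BACKUP_WINDOW
    return start <= ts.time() <= end


def anomaly_reasons(ev: AccessEvent) -> list:
    """Return every way this event departs from the backup-store baseline."""
    if not ev.path.startswith(SENSITIVE_PREFIX):
        return []                      # not privileged data; out of scope here
    reasons = []
    if ev.account != BACKUP_ACCOUNT:
        reasons.append(f"unexpected account {ev.account}")
    if ev.process != BACKUP_PROCESS:
        reasons.append(f"unexpected process {ev.process}")
    if ev.op != "write":
        reasons.append("read of backup data (baseline is write-only)")
    if not in_backup_window(ev.ts):
        reasons.append("outside the backup window")
    return reasons


def detect(lines: list) -> list:
    """Run the baseline over audit lines; return (timestamp, account, path, reasons) per alert."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = anomaly_reasons(ev)
        if reasons:
            alerts.append((ev.ts.isoformat(), ev.account, ev.path, reasons))
    return alerts


# Constructed sample audit log: one legitimate nightly backup write, one
# daytime read of the same backup file by an ordinary user account through a
# generic database client, and one unrelated read of a non-sensitive file.
SAMPLE_LOG = [
    "2012-09-11T02:05:00 svc_backup backupjob.exe write /backups/dor_db/full_20120911.bak",
    "2012-09-12T14:32:10 jdoe sqlclient.exe read /backups/dor_db/full_20120911.bak",
    "2012-09-12T14:40:00 jdoe explorer.exe read /home/jdoe/notes.txt",
]

if __name__ == "__main__":
    for ts, account, path, reasons in detect(SAMPLE_LOG):
        print(f"ALERT {ts} {account} {path}: " + "; ".join(reasons))
```

Only the second line trips the baseline, and it trips all four checks at once, which is the point of the paragraph above: a single read of the backup by the wrong account, from the wrong tool, at the wrong time of day is loud if anything is listening. Real deployments would feed database audit logs, file server access logs or a database activity monitor into the same kind of rule, and would usually add a volume check (a multi-gigabyte read is itself anomalous), but the shape of the rule is the same.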
The Responsibility of Senior Management
It was that striking contrast between the size of the data stolen from SC DoR and the total lack of visibility they had into it that cost the Department of Revenue director his position. In the financial world, personal accountability is required under the Sarbanes-Oxley (SOX) Act, which holds top-level executives personally accountable for the accuracy of financial reports. The South Carolina incident should send a clear message to senior management on the digital front: data security is equally paramount.
Related Reading: Stolen Login Credentials, Poor Security Practices Led to South Carolina Data Breach