CISO Case Files: Congratulations, You Played Yourself.

When IT Hits the Fan:

We rely on our IT departments to handle a shocking number of functions. Since technology is present in every one of our responsibilities, it is not surprising that IT has access to confidential information. Combining heavy workloads with limited resources is a recipe for mistakes. Research bears this out: Ponemon and IBM estimate that human error is at the root of 30% of data breaches. Such mistakes from the trusted guardians of company secrets create a volatile mix, and when it hits the fan, nobody is walking away clean.

Details from the Crime Scene:

During a scan for our client, a multinational financial institution, CybelAngel located an unsecured SMB server used for backup and disaster recovery. Located on this server were thousands of files, ranging from several years old to the current day. Of the files contained on this server, three documents posed a unique threat to our client.

  • A spreadsheet with all members of the IT department, including mobile, home, and office phone numbers.
  • A global network diagram containing details such as geolocation, IP address, and port numbers for IT assets.
  • The most damaging document contained administrative-level credentials for Windows, SharePoint, iCloud, Wi-Fi routers, and Apache servers.

Additionally, the credentials listed showed a stunning habit of reusing passwords across systems. The information in these documents would provide threat actors with an untold number of vectors for cyberattacks. This leak put the client at risk of social engineering, phishing attacks, account takeover, and any number of malware-based intrusions. In total, the information available provides a threat actor with all they would need to become an insurmountable advanced persistent threat.

CybelAngel Investigates:

CybelAngel data breach prevention uses comprehensive IP scanning to locate leaking data sources before they are abused by threat actors. Unsecured SMB servers are a common finding during investigations. With modern systems such as Windows Server, quick-creation options can spin up new servers with pre-set security settings. Often these pre-sets are inadequate or overly permissive for ease of use. Misconfiguration issues such as these are at the center of 30% of data breaches. Once the unsecured asset is located, our machine learning algorithms screen each document for relevance, sensitivity, and the likelihood of a critical incident. The algorithm determined a high likelihood of a critical incident, triggering an investigation by the Analyst Team.
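As an added example (not CybelAngel's code nor part of the original case file), the following PowerShell audit flags the kind of overly permissive share access described above; it assumes a Windows 8 / Server 2012 or later host with the built-in SmbShare module, run from an elevated session on the server being checked.

```powershell
# Added example: audit local SMB shares for broad access grants and
# server-wide settings that permit unauthenticated (null session) access.
# Assumes the built-in SmbShare module and an elevated PowerShell session.

# Principals whose presence on a backup share is a red flag.
$broadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\ANONYMOUS LOGON',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'BUILTIN\Guests'
)

function Get-OverexposedSmbShare {
    # One record per (share, principal) pair where a broad principal is
    # granted Allow access. Administrative shares (C$, ADMIN$, IPC$) are skipped.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $broadPrincipals -contains $_.AccountName
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Share       = $share.Name
                    Path        = $share.Path
                    Principal   = $_.AccountName
                    AccessRight = $_.AccessRight   # Read, Change or Full
                }
            }
    }
}

function Get-SmbServerExposure {
    # Server-wide settings: SMB1 should be off, null sessions restricted,
    # and no shares listed as reachable without authentication.
    $cfg    = Get-SmbServerConfiguration
    $lanman = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1Enabled             = $cfg.EnableSMB1Protocol
        RejectUnencryptedAccess = $cfg.RejectUnencryptedAccess
        RestrictNullSessAccess  = $lanman.RestrictNullSessAccess   # 1 = null sessions blocked
        NullSessionShares       = ($lanman.NullSessionShares -join ',')
    }
}

Get-OverexposedSmbShare | Format-Table -AutoSize
Get-SmbServerExposure   | Format-List
```

Any row returned by Get-OverexposedSmbShare on a backup or disaster-recovery share should be treated as a finding to remediate, not merely to note.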

Arresting the Leak:

The primary goal of our analyst team is to provide our clients with actionable intelligence. While IP addresses, hostnames, and file paths provide clues as to the server's owner, it is the contents of a data leak that give the greatest insight. With that information, the analyst team can often identify who or what organization is responsible for the data leak. The collection of documents and credentials pointed to the leak coming from an internal employee, likely in the IT department. Informing our client of the leak and its contents allowed them to locate the server's owner and have the offending files removed or secured. Learning from this experience, our client also created new policies and procedures to remove the possibility of recurrence.

Detective’s Notes:

Financial companies are prime targets for threat actors. Their access to large sums of money provides cybercriminals an easy way to profit. While theft may be the primary goal, infiltration of a financial organization can lead to other adverse outcomes such as identity theft, fraud, and loss of trust. Primary leaks, those from within an organization itself, are hazardous, creating opportunities for advanced persistent threats. Financial institutions invest millions of dollars annually in their cybersecurity, yet with the human element, leaks still occur. Proactive measures such as data breach prevention and leak detection are crucial to finding mistakes. Request my exposure dashboard here to see if leaks are occurring at your company.