It’s important that we learn from failure. Whether it’s our own, or someone else’s, each mistake serves as a valuable lesson. In IT, these issues can be disastrous. As a result, it’s vital to not repeat these errors.
In a short series of blog posts, we’ll be discussing some major failures as well as the information we can glean from these events. We’ll examine what happened. By doing so, you’ll learn how you can ensure you don’t follow in their footsteps.
Part I – How Operational IT Failure Crippled Equifax
Most recently, Equifax suffered a massive breach that could impact millions of people. Today, we’ll examine this event, what kinds of operational failures allowed it to occur, and what security lessons we can learn from it.
What Caused The Breach?
Equifax claimed that the breach was due to a vulnerability in Apache Struts, an open-source Java web development framework. While vulnerabilities did exist in the platform, they were quickly patched by the project. It’s possible that the breach was caused by a slow patching process at Equifax, which allowed the vulnerability to remain unpatched.
It’s also possible that this was caused by a zero-day. The term comes from how long a vulnerability has been known, and therefore how long vendors and programmers have had to fix it: a zero-day vulnerability is one that the vendor and the public did not previously know about, so no fix could possibly have been in place. These vulnerabilities are highly valued by malicious hackers, governments, and the company that developed the software in question. While it’s possible that a zero-day was at fault here, it’s highly unlikely that this was the case.
If, as Equifax claims, the vulnerability lay in Apache Struts, that is still no excuse. Any single vulnerability in a web application should be contained by rigorous security controls throughout the application and its surroundings, so that one flaw cannot lead to a breach of this scale, especially at a company that handles such sensitive information.
Most likely, this breach was caused by negligence on Equifax’s part. They didn’t apply nearly enough layers of security throughout the business, lacked operational procedures to help identify and mitigate attacks, and didn’t have enough basic IT procedure in place to protect their customers.
How Can These Mistakes Be Made?
It’s easy to think that the cybersecurity breaches we hear about won’t happen to you, but that’s an extremely dangerous assumption to make, especially for organizations that handle information as vital as Equifax does. This is especially true given that there’s a 27% chance that any given business will experience a breach within the next two years. It’s important to remember that you’re always vulnerable to breaches, and you should pursue more and better security measures to make yourself a less attractive target and to help defend your business should an attack occur.
Clearly, this is what Equifax DIDN’T do. They couldn’t be bothered to patch their Apache Struts installation for over two months after the vulnerability was disclosed. For an organization that handles financial information, this is a dangerous degree of negligence. Given that, it’s not surprising to learn that they had been notified of a cross-site scripting vulnerability as far back as 2016. This demonstrates a sadly common lack of commitment to maintaining tight security measures at all levels of a business.
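To make the patching-lag point concrete, here is an added example (not Equifax’s tooling, and not code from this post’s author) of a small patch-SLA checker: given an asset inventory and a list of advisories, it flags hosts that have run a vulnerable version for longer than an agreed grace period. The component name, version ranges, advisory date, SLA and host names are constructed placeholders, and the check goes slightly beyond the single case in the text by handling several release branches of one component.

```python
"""Patch-SLA checker: flags assets that are still running a vulnerable
version of a component after the patching grace period has expired.

Added example for this post, not Equifax's tooling. Component names, version
ranges, dates and host names below are constructed placeholders."""
import re
from datetime import date
from typing import List, NamedTuple, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.3.32' -> (2, 3, 32) so versions compare numerically, not as strings.
    Trailing qualifiers such as '-SNAPSHOT' are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", v))


class Advisory(NamedTuple):
    component: str
    affected_from: str   # first version in the affected release branch
    fixed_in: str        # first version of that branch containing the fix
    published: date      # date the fix became available


class Asset(NamedTuple):
    host: str
    component: str
    version: str


def is_vulnerable(asset: Asset, advisory: Advisory) -> bool:
    """True if the asset runs the affected component within [affected_from, fixed_in)."""
    if asset.component != advisory.component:
        return False
    v = parse_version(asset.version)
    return parse_version(advisory.affected_from) <= v < parse_version(advisory.fixed_in)


def overdue_assets(assets: List[Asset], advisories: List[Advisory],
                   today: date, sla_days: int) -> List[Tuple[str, str, int]]:
    """Return (host, component, days_exposed) for every asset that has been
    exposed longer than the SLA allows."""
    overdue = []
    for asset in assets:
        for adv in advisories:
            if is_vulnerable(asset, adv):
                exposed = (today - adv.published).days
                if exposed > sla_days:
                    overdue.append((asset.host, asset.component, exposed))
    return overdue


# Constructed inventory: two release branches of a hypothetical "struts"
# component, one patched host per branch, one unpatched host, one unrelated host.
SAMPLE_ADVISORIES = [
    Advisory("struts", "2.3.0", "2.3.32", date(2017, 3, 1)),
    Advisory("struts", "2.5.0", "2.5.11", date(2017, 3, 1)),
]
SAMPLE_ASSETS = [
    Asset("web-01", "struts", "2.3.31"),   # below the fix on the 2.3 branch
    Asset("web-02", "struts", "2.3.32"),   # patched
    Asset("web-03", "struts", "2.5.14"),   # patched (newer branch)
    Asset("db-01", "postgres", "9.6.1"),   # not an affected component
]


def report(today: date = date(2017, 5, 15), sla_days: int = 30):
    """Run the check over the constructed inventory (75 days exposed vs a 30-day SLA)."""
    return overdue_assets(SAMPLE_ASSETS, SAMPLE_ADVISORIES, today, sla_days)


if __name__ == "__main__":
    for host, component, days in report():
        print(f"{host}: {component} unpatched for {days} days (SLA exceeded)")
```

The advisory is modelled as a half-open version range per release branch rather than a single “fixed in” number, because a plain numeric comparison would wrongly clear a host on an older branch once a newer branch ships its fix. Fed from a real inventory and a vulnerability feed, a check like this is the kind of operational control that turns a two-month gap into a ticket raised on day thirty-one.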
An attitude towards security like this isn’t caused by just one, or even a few people. It’s a problem that starts at the top and permeates throughout the business. Likely, many IT staff felt the existing security measures weren’t adequate but the culture dissuaded them from speaking out. For these businesses, security costs are seen as a burden to minimize, not as protection to maximize.
How Expensive Are Breaches Like This?
Large-scale breaches like the one recently suffered by Equifax have a variety of resulting costs.
There’s the cost of downtime, which can be incredibly expensive. It varies wildly from industry to industry and from business to business, but almost every major business reports that each hour of downtime costs at least $100,000. For heavily technology-reliant sectors like finance, downtime can cost millions per minute. Large-scale breaches result in many hours of downtime, and therefore huge amounts of lost productivity, massive costs, and lost revenue.
While downtime is a significant portion of the cost of a breach, there are also potential litigation costs to consider. If the breach is significant enough, and it’s determined to be the fault of the business, customers may take legal action. It’s impossible to say how much this may cost you, but these expenses are almost always significant and require substantial time and resources to contest.
Far more nebulous to determine is the brand damage businesses suffer from a breach. Your consumers will invariably lose faith in your business, which can seriously impact your future business operations well after the breach has been solved and damages paid.
Because of the various sources of expense, the impact of breaches of this magnitude is difficult to measure. While you may not know exactly how much you’ll suffer, one thing is clear: you cannot afford to be put in this situation.
How Can I Protect My Business From Operational IT Failure?
Now that you understand the consequences of not being protected, consider the many different solutions available that can help enhance your security.
One of the most popular solutions to enhance security is to use comprehensive software asset management services. This kind of IT software solution can help you choose the software you need and help you manage each tool to ensure maximum efficiency.
Another great service that your business can benefit from is an end-to-end security solution. These IT security software and hardware services enhance your security with powerful tools.
Next post we’ll examine how human errors can have disastrous consequences for your IT security and how you can protect your business from phishing attacks.
This is the second release from our series, in which we’ll be examining some critical IT failures, in addition to insights we can gain. Today, we’ll discuss the ramifications of human error in dealing with phishing attempts and how you can avoid it.
Part II – Phishing Scam Costs MacEwan University $12M
Over 75% of businesses were victims of phishing attacks in the last year, highlighting how dangerously common they are.
In late August, MacEwan University was hit by an $11.8M phishing scam. In today’s entry in our series on IT failures, we’ll examine how this happened and how you can help prevent it from happening to you.
How did the scam happen?
A series of phishing emails claiming to be from one of the university’s vendors convinced three low-level staff to alter banking information. Clark Builders, the vendor the fraudsters impersonated, had been working closely with the university for over a decade, and had been involved in several major projects with the university in the past, including the consolidation of its various campuses. Clearly, the two had a long working relationship.
The fraudsters carefully copied the official brand guidelines, logo, and any information that would be in a legitimate Clark Builders email. They used this to convince staff at the university that Clark had changed some of their critical financial information, and that updates needed to be made to ensure proper payment could be processed.
The three low-level staff failed to separately contact the vendor, or any more senior employees, to verify that the emails were legitimate before proceeding, which allowed the fraudsters’ phishing attempt to succeed.
Once the banking details were updated, three separate payments were made to the fraudsters. The first payment was made on August 10th, for $1.9M. On August 17th, the second payment went through for $22,000. The last payment, made on August 19th, was for the remainder, amounting to $9.9M. The issue was only found after Clark Builders reached out to the university asking why it hadn’t been paid.
Ultimately, the scam succeeded not because of the cleverness of the phishing attempt, but because human error and a lack of proper controls made it possible.
How could this have been prevented?
There are two ways MacEwan could have protected itself against this phishing attempt. The first, and most important, is to properly train staff to recognize the methods fraudsters use to mislead their victims. Staff should be careful when dealing with any form of external email, especially one with attachments or links.
Independent verification should be carried out before any requested changes are made to systems of vital importance, to ensure that the source of the request is legitimate.
Employees should take care never to click links or download files that aren’t from completely trusted and verified sources. This is especially important as 30% of all phishing emails get opened.
Many people are ignorant or dismissive of the danger their negligence can create. As a result, you need to evaluate your employees’ existing knowledge and diligence, and then plan a training program that addresses any shortcomings. Even a strongly worded memo can go a long way toward raising awareness.
There’s also the matter of dealing with problem staff. Whether out of willful neglect or unconscious complacency, problem employees can bypass procedures and reduce the effectiveness of your protection against phishing. The best way to handle these cases is to put incentives in place so that procedures are properly followed. In addition, designate specific roles that are responsible for monitoring these initiatives.
The second way to reduce the possibility of a successful phishing attack is by implementing proper controls. For instance, in the case of MacEwan, if procedures had required key personnel from each party to confirm that a significant change had been requested before completing or re-entering confidential payment information, this issue wouldn’t have happened.
Unfortunately, neither method is practical for many small or medium-sized businesses that lack the IT expertise or resources to ensure thorough training and procedures are implemented. These are exactly the conditions for an accident waiting to happen.
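The control described above, as an added example that is neither MacEwan’s system nor the author’s code: a maker-checker workflow for vendor payment-detail changes, in which a change is confirmed by phoning the number already on file for the vendor (never a number supplied in the email) and must then be approved by someone other than the staff member who received the request. The vendor name mirrors the post; the account numbers, phone numbers and staff names are constructed.

```python
"""Maker-checker control for vendor payment-detail changes.

Added example for this post, not MacEwan University's actual system. It
enforces two controls: the change must be confirmed through a contact
already on file for the vendor (never through details supplied in the
requesting email), and a second person, distinct from the staff member who
received the request, must approve before stored payment details change.
All account numbers, phone numbers and staff names are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


class ChangeControlError(Exception):
    """Raised when a change would bypass a required control."""


@dataclass
class Vendor:
    name: str
    bank_account: str
    verified_phone: str  # captured at onboarding; the only number callbacks may use


@dataclass
class ChangeRequest:
    vendor: str
    new_account: str
    requested_by: str                 # staff member who received the email
    callback_by: Optional[str] = None
    approved_by: Optional[str] = None
    status: str = "pending"           # pending -> verified -> approved -> applied, or rejected


class VendorRegistry:
    def __init__(self, vendors: List[Vendor]):
        self.vendors = {v.name: v for v in vendors}
        self.audit_log: List[Tuple[str, str, str, str, str, str]] = []

    def record_callback(self, req: ChangeRequest, number_dialled: str,
                        staff: str, vendor_confirmed: bool) -> ChangeRequest:
        """Out-of-band check: phone the vendor at the number on file and record
        whether they actually requested the change. A number taken from the
        email itself is refused, because a fraudster would control that number."""
        vendor = self.vendors[req.vendor]
        if number_dialled != vendor.verified_phone:
            raise ChangeControlError("callback must use the number on file for the vendor")
        req.callback_by = staff
        req.status = "verified" if vendor_confirmed else "rejected"
        return req

    def approve(self, req: ChangeRequest, approver: str) -> ChangeRequest:
        """Second pair of eyes: only a verified request, and never self-approval."""
        if req.status != "verified":
            raise ChangeControlError(f"request is '{req.status}', not verified")
        if approver == req.requested_by:
            raise ChangeControlError("approver must be independent of the requester")
        req.approved_by = approver
        req.status = "approved"
        return req

    def apply(self, req: ChangeRequest) -> Vendor:
        """Only an approved request may alter stored payment details; every change is logged."""
        if req.status != "approved":
            raise ChangeControlError(f"cannot apply a request in state '{req.status}'")
        vendor = self.vendors[req.vendor]
        self.audit_log.append((vendor.name, vendor.bank_account, req.new_account,
                               req.requested_by, req.callback_by, req.approved_by))
        vendor.bank_account = req.new_account
        req.status = "applied"
        return vendor


def run_scenario() -> dict:
    """Walk a fraudulent and then a genuine request through the controls."""
    registry = VendorRegistry([Vendor("Clark Builders", "ACC-ON-FILE-001", "+1-555-0100")])
    outcome = {}

    # A spoofed vendor email asks clerk-a to switch payments to a new account
    # and helpfully lists a "new" phone number (+1-555-0199) to call.
    fraud = ChangeRequest("Clark Builders", "ACC-FRAUD-999", requested_by="clerk-a")
    try:
        registry.record_callback(fraud, "+1-555-0199", "clerk-a", vendor_confirmed=True)
    except ChangeControlError as e:
        outcome["callback_to_email_number"] = str(e)
    # Calling the number on file reaches the real vendor, who denies the request.
    registry.record_callback(fraud, "+1-555-0100", "clerk-a", vendor_confirmed=False)
    outcome["fraud_request_status"] = fraud.status

    # A genuine change: confirmed on the number on file, then approved by someone else.
    legit = ChangeRequest("Clark Builders", "ACC-NEW-002", requested_by="clerk-a")
    registry.record_callback(legit, "+1-555-0100", "clerk-c", vendor_confirmed=True)
    try:
        registry.approve(legit, "clerk-a")
    except ChangeControlError as e:
        outcome["self_approval"] = str(e)
    registry.approve(legit, "controller-b")
    vendor = registry.apply(legit)
    outcome["legit_final_account"] = vendor.bank_account
    outcome["audit_entries"] = len(registry.audit_log)
    return outcome


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The essential design point is that the verification channel is chosen by the organisation, not by the requester: the phone number comes from the vendor record created at onboarding, so a fraudster who controls the email thread gains nothing by including a “new” number in it. The audit log records who requested, who called and who approved, which is exactly the evidence that was missing when the three payments left MacEwan.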
Protect your Business from Phishing
Because most organizations lack the expertise to handle this themselves, it makes sense to hire IT consultants who can help you identify areas of weakness in your business. Services like this give your business the benefit of a fresh perspective with proven effectiveness.
In our next entry, we’ll discuss how natural disasters and emergencies can cripple the unprepared business.