US health insurer Excellus BlueCross BlueShield claims it was targeted by a “sophisticated” cyber attack, but it was probably another case of spear phishing, according to Telefonica’s head of security.
“Most so-called sophisticated attacks can be traced to an email sent to the right person with the right content,” Chema Alonso told Computer Weekly.
Many of the recent big breaches, including the December 2014 hack of Sony Pictures Entertainment, he said, have been enabled by a carefully-crafted spear phishing email.
The attacks are further enabled by the fact that many companies have invested much more in securing the network perimeter than in securing the internal network, according to Alonso.
“For example, a lot of companies that use two-factor authentication (2FA) on their websites [do not] use 2FA internally,” he said. “This was the case at Sony and probably Ashley Madison too.”
The lack of 2FA on the internal network means that once an attacker gains access to a network using log-in credentials stolen through a phishing attack, they can move around the network unchecked.
“There need to be systems to manage privileged accounts on the network to identify account abuse and limit the impact if an administrator account is compromised,” said Alonso.
“Security policies should be created bearing in mind user accounts may be compromised or employees may act maliciously,” he said.
Typically, companies are still not correctly balancing investments in preventing, detecting and responding to security breaches, according to Alonso.
“Companies need to invest as though attackers are already inside the network to detect malicious activity, then most importantly, they should invest in a capability to respond to breaches,” he said.
Alonso contrasted the positions of Fiat Chrysler and Tesla, which both had to deal with security vulnerabilities in some of their vehicles in recent weeks.
While Fiat Chrysler had to recall thousands of vehicles for a software update, he said Tesla had the mechanism in place to do issue a security update quickly and remotely via the internet to all vehicles.
“In all the recent security breaches, we are seeing that many companies are not well equipped to detect intruders on their networks or respond quickly and effectively to intrusions,” said Alonso.
“Ashley Madison, for example, was not ready for a security breach that could expose its members’ data because it had not planned for it, probably thinking it could not happen,” he said.
Alonso believes companies will continue to be easy targets for attackers as long as they fail to plan for the failure of all the traditional information security barriers.
However, he also emphasises that information security is complex and difficult. Even if companies deploy something like an intrusion detection system, he said it will be useless if they do not have the right people with the necessary expertise to analyse the data.
If companies do not have the right expertise in-house, he said they should ensure they have access to these technologies and skills through a managed security services provider (MSSP), for example, to give the company the capability it needs to detect and respond to cyber intrusions.
“Attackers’ knowledge is increasing exponentially, which means that defenders of corporate data need to do the same to keep pace, but few companies have the resources to do so,” said Alonso.
“If companies do not have the means to maintain cutting-edge skills internally, the best way is to source what they need from professional service providers,” he said.