Privilege attacks may come in many shapes and sizes. Let's briefly review some variations of such attacks with reference to real cases.

- Privilege abuse: An employee of a third-party consulting firm stole the personal health identity data of 18,500 Anthem customers in 2017.
- Privilege escalation: Both the Home Depot and Target data breaches happened due to a third-party vendor's credentials being somehow compromised, giving the hacker access to their networks.
- Unauthorized access: An ex-employee of the engineering firm Allen & Hoshall appropriated some intellectual property, client correspondence and other sensitive data after using the email credentials of a former colleague.
- Human error: Two workers at Vanderbilt University Medical Center (VUMC) were granted access to 3,000 medical records of patients, despite the fact that such authorization was not related in any way to their job duties.

Not using the least privilege principle is a recipe for disaster. As you can see, the ingredients may be different, but the bitter aftertaste is all the same.

This article will focus on the 2017 Equifax data breach, an incident of massive proportions that could have been avoided if the proper defensive mechanisms had been put in place.

The initial compromise took place on March 10, 2017. It was due to an unpatched vulnerability (CVE-2017-5638) existing in an Apache Struts instance running on Equifax's web servers. Although that in itself was a significant security failure on the part of Equifax's administrators, we will focus on their failure to apply least privilege controls.

After the unknown hackers managed to access the web server, they could circumvent all security measures at the edge. Being in this position, attackers usually seek to scan internal networks in order to attempt to sneak into the database, where the real treasure is. It does not matter if the inner communications, where the applications are running, move around in the context of a private data center or a public cloud. Perhaps the most aggravating circumstance, as far as the principle of least privilege is concerned, is that internal networks' traffic is often less monitored. Unfortunately, that was also the case with Equifax. In the period from May through July 2017, the criminals managed to get hold of the private information of millions of people stored in multiple Equifax databases.