Data breaches are growing in complexity and sophistication. This is the key finding in the newly released 2017 Data Breach Digest issued by Verizon.
Now in its second edition, the digest takes a behind-the-scenes look at data breaches that the company investigated over the past year. Entitled “Data Breach Digest—Perspective is Reality”, it takes a slightly different approach to bringing the scenarios to life.
“Each scenario narrative—again, based on real-world data breach response activities—is told from a different stakeholder’s point of view (POV). As such, the POV covers their critical decision pivot points, split-second actions taken, and crucial lessons learned from cases investigated by us,” said Ashish Thapar, managing principal – investigative response, APJ of the Verizon Risk Team, during a visit to Hong Kong last week.
He shared four scenarios from the 2017 Data Breach Digest and highlighted the lessons learned.
The financial pretexting – The Golden Fleece
This case happened to a financial services company in Hong Kong. A wire transfer with a missing tax form led to an investigation by the finance director. The CIO provided email approval for all company wire transfers. In this case, all the paperwork was in order, but neither the CIO nor the accountant who submitted the transfer request had any recollection of the payment.
During the investigation, the Verizon Risk Team found a phishing email on the accountant’s laptop requesting email domain credentials to pay a late invoice. The email contained a URL that was known to be malicious, but the company’s URL filtering tool didn’t catch the message because the accountant was at home, connected to his personal Wi-Fi network. The risk team also noticed that the approval message came from a domain that differed from the corporate email domain by a single character.
“It is very easy to miss. It could be that the letter “i” was replaced with “1”. If the company has implemented markers to indicate whether the message is an internal or external email, it is a very simple control that could have prevented the situation. If a purportedly internal email comes in showing an “E” or “External” tag, then that means it is a bad email,” Thapar said.
• Companies should require two-factor authentication for access to email from the internet.
• Prepend a marker (e.g. “Subject: [External]…”) to the subject line denoting externally-originated emails.
• Require secondary authorization for wire transactions over a certain dollar amount.
“This involves business process re-engineering. Companies shouldn’t authorize wire transfers only by email. Don’t depend on only one mode of communications. If you have such a big request, call the person who sent the email,” Thapar said.
• Require VPN access for telecommuters accessing the corporate network.
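The two controls Thapar describes for this scenario, tagging externally-originated mail and spotting a sender domain that differs from the corporate domain by one character (an “i” swapped for a “1”), can be combined into one inbound-mail check. The following is an added example written for this article, not code from Verizon or the digest; the corporate domain, the look-alike character table and the sample messages are constructed for illustration.

```python
"""Flag inbound mail whose sender domain is a near miss of the corporate domain,
and prepend an [External] marker to the subject when the mail is not genuinely internal.

Constructed example: the domain names and messages below are invented.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's real mail domain(s). Not taken from the report.
CORPORATE_DOMAINS = {"acme-finance.example"}

# Character pairs that look alike in common fonts (rn/m, vv/w, 1/l, i/l, 0/o).
# Multi-character pairs come first so "rn" is collapsed before "1" and "i" are.
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("i", "l"), ("0", "o")]


def normalise(domain: str) -> str:
    """Collapse look-alike characters so 'acme-f1nance' and 'acme-finance' compare equal."""
    d = domain.lower()
    for src, dst in _CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (classic two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain part of the address in a From: header."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header: str) -> str:
    """Return 'internal' (exact corporate domain), 'lookalike' (one character off or
    a confusable-character twin of a corporate domain) or 'external' (anything else)."""
    domain = sender_domain(from_header)
    if domain in CORPORATE_DOMAINS:
        return "internal"
    for corp in CORPORATE_DOMAINS:
        if normalise(domain) == normalise(corp) or edit_distance(domain, corp) <= 1:
            return "lookalike"
    return "external"


def tag_subject(raw_message: str) -> str:
    """Return the message subject, prefixed with a marker unless the sender is internal.
    A look-alike domain gets a louder marker than ordinary external mail."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    verdict = classify_sender(msg.get("From", ""))
    if verdict == "internal":
        return subject
    marker = "[External - LOOKALIKE DOMAIN]" if verdict == "lookalike" else "[External]"
    return f"{marker} {subject}"


# Constructed sample messages: a genuine approval, the same text from a one-character
# look-alike domain, and an unrelated third-party invoice.
SAMPLE_MESSAGES = {
    "genuine": "From: CIO <cio@acme-finance.example>\nSubject: Wire approval\n\nApproved.\n",
    "lookalike": "From: CIO <cio@acme-f1nance.example>\nSubject: Wire approval\n\nApproved.\n",
    "external": "From: Vendor <ap@supplier.example>\nSubject: Late invoice\n\nPlease pay.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        print(f"{name:9s} -> {tag_subject(raw)}")
```

The marker is a cue for the human reader, not an authentication of the sender: the From: header is attacker-controlled text, so the tag is most useful alongside the other controls in the list (two-factor authentication and out-of-band confirmation of large transfers), which is the combination Thapar recommends.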