Critical Lessons Learned from Uber’s Second Breach
The landscape of responsibility is shifting: On the heels of Uber’s second data breach, it is now undoubtedly true that the future responsibilities for Chief Information Security Officers (CISOs) and Chief Security Officers (CSOs) are changing dramatically.
As we have seen with this 2022 breach in particular, a cybersecurity leader can now be held accountable for negative impacts of a data breach, and job-loss is not the only repercussion—jail time is now on the table as well.
Thus, it’s more important than ever for organizations to not only employ the right data protection security tools, but also implement and manage them correctly to prevent future breaches.
A lot has been said about the weaknesses of the security systems themselves, but in fact the weakest link in this attack was a trusting human. That is most commonly the case, although there are two other main weaknesses worth discussing:
- Multi-factor authentication (MFA) was compromised simply by exploiting a user’s trust and their frustration at a stream of login prompts triggered by a threat actor. The 18-year-old who broke into multiple Uber systems used a method known as an “MFA fatigue attack”: they generated numerous push notifications to a single user and then posed as an internal Uber IT team member to trick that user into approving the prompt.
- An admin password was stored in plaintext inside a PowerShell script. That hardcoded credential allowed the attacker to gain access to the most prized systems as an admin, through the accounts held in the Privileged Access Management (PAM) vault. Because Uber allowed free access across the entire network rather than segmenting it based on data and specific devices, the attacker could reach far too much employee and customer data.
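The second weakness above, a credential hardcoded in a script, is something a defender can scan for before an attacker finds it. The following is an added example (not from the article or from Uber) of a small Python scanner run over a constructed PowerShell script; the script contents, rule names and patterns are the author's assumptions about how plaintext secrets typically appear.

```python
import re
from typing import List, Tuple

# Constructed sample script (not Uber's): an admin password hard-coded next to the
# vault access it was meant to protect, plus two safe, prompt-based alternatives.
SAMPLE_SCRIPT = r'''
# deploy-helper.ps1
$vaultUrl = "https://pam.example.internal"
$AdminPassword = "Sup3rS3cret!"                      # plaintext credential
$sec = ConvertTo-SecureString "Another1!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("svc_admin", $sec)
net use \\fileserver\share /user:CORP\admin "P@ssw0rd"
$safeCred = Get-Credential                            # prompts, nothing on disk
$pw = Read-Host -AsSecureString "Enter password"      # also fine
'''

# Each rule names one common way a plaintext secret ends up inside PowerShell.
PATTERNS = [
    ("variable-assignment",
     re.compile(r'\$\w*(pass(word|wd)?|pwd|secret)\w*\s*=\s*["\'][^"\']+["\']', re.I)),
    ("convertto-securestring-plaintext",
     re.compile(r'ConvertTo-SecureString\s+["\'][^"\']+["\'].*-AsPlainText', re.I)),
    ("net-use-inline-password",
     re.compile(r'\bnet\s+use\b.*/user:\S+\s+["\']?\S+', re.I)),
]

def find_plaintext_credentials(script: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule, stripped_line) for each suspected hard-coded secret."""
    findings = []
    for n, line in enumerate(script.splitlines(), start=1):
        code = line.split("#", 1)[0]  # ignore trailing comments (assumes no '#' in secrets)
        for rule, rx in PATTERNS:
            if rx.search(code):
                findings.append((n, rule, line.strip()))
                break  # one finding per line is enough for triage
    return findings

if __name__ == "__main__":
    for n, rule, text in find_plaintext_credentials(SAMPLE_SCRIPT):
        print(f"line {n}: {rule}: {text}")
```

The prompt-based lines (Get-Credential, Read-Host -AsSecureString) are deliberately left unflagged, because they keep the secret out of the file; the same scanner can be pointed at a whole repository with os.walk.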
Uber’s breach is not an isolated incident, though: 61 percent of breaches are attributed to stolen credentials, and according to Verizon’s 2022 Investigations Report, 82 percent of confirmed breaches involve the “human element,” which encompasses social attacks, errors, and general misuse, all of which target an individual person to produce a human error.
Moving forward, companies must adjust their approach to help employees avoid these natural, human errors by implementing a more proactive approach while reviewing and updating their security protocols on a regular, ongoing basis. Otherwise, security costs will continue to rise and affect product pricing while putting your team at risk.
Exploiting the human element
Threat actors often target individuals in the hopes of creating a confusing scenario in which the person willingly grants access to sensitive data without knowing the consequences. This is becoming increasingly evident as attackers continue going after the human element to gain initial access to protected business data.
Phishing, smishing, and vishing are all increasingly being deployed to exploit the user’s trust. Attackers are also becoming more clever, creating malware and ransomware that lie in wait, harvesting data until the right moment to facilitate a major breach. Some analysis suggests that Uber’s recent attacker may have gained access to the company days before actually making their presence known.
A breach like this impacts the organization in at least two main ways:
- Brand reputation: Once a breach occurs, customers lose trust in the brand which directly impacts the business and internal budgets by lowering demand for services. This can be curtailed by taking security seriously and getting an expert to both deploy and manage the security solution proactively. A reactive approach is no longer good enough.
- Higher costs: It is evident that cyber insurance has become a necessity and is becoming more expensive as a result, driving up security budgets and impacting the bottom line. Instead, organizations should look to implement an integrated identity orchestration platform to better manage the tools they already have in place, creating efficiency and lowering costs. At the same time, such a platform protects the security team from potential legal action by offering a clearer, more holistic view, with real-time prompts if and when a high-risk action, or even a full-fledged data breach, occurs. Otherwise, most businesses that experience repeat breaches say it eventually leads to higher costs for customers.
All companies need to at least consider implementing a Zero Trust security framework across the board, and understand no one tool is going to provide them all the security they need. It is a layered approach, and even the most qualified cybersecurity teams need an identity security expert to advise them accordingly. Businesses must realize security measures that worked in previous years are not enough to protect them today as threat actors continue to innovate.
Key learnings and best practices
Of course, one of the best ways to protect login and password credentials is by removing them from the equation entirely. Passwordless solutions are quickly becoming the preferred option businesses are looking to deploy in 2023. Rather than viewing this only as a tool to improve user experience, businesses must realize that passwordless security provides a much higher degree of assurance that the user is who they say they are. Biometrics are to date the most secure form of authentication, so facial and fingerprint recognition should be considered the go-to method to remove one of the most easily compromised breach factors: the password.
Uber’s biggest mistake here was allowing an authenticator app to generate push notifications for MFA, to which employees need only press “allow” to grant access. These push notifications, paired with a simple WhatsApp message, misled the employee into pressing “allow,” but it was the threat actor generating the prompts by repeatedly attempting to log in. Avoiding an authenticator app and/or training employees not to “allow” access unless they have personally tried to log in could have prevented this.
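The MFA fatigue pattern described in this paragraph and in the first bullet near the top of the article is also detectable from the identity provider's own audit trail: a burst of refused or ignored push prompts followed by an approval. The following is an added example (not from the article or from Uber) in Python, run over a constructed push-MFA log; the log format, the 15-minute window and the threshold of three prompts are the author's assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample of an identity provider's push-MFA audit log (not Uber's logs).
# Fields: timestamp, user, event, source IP of the login attempt that raised the push.
SAMPLE_LOG = """\
2022-09-15T22:01:05Z alice push_denied 203.0.113.7
2022-09-15T22:01:40Z alice push_timeout 203.0.113.7
2022-09-15T22:02:10Z alice push_denied 203.0.113.7
2022-09-15T22:02:55Z alice push_timeout 203.0.113.7
2022-09-15T22:03:30Z alice push_denied 203.0.113.7
2022-09-15T22:09:12Z alice push_approved 203.0.113.7
2022-09-15T22:05:00Z bob push_approved 198.51.100.4
2022-09-15T22:06:30Z bob push_denied 198.51.100.4
2022-09-15T22:07:00Z bob push_approved 198.51.100.4
"""

WINDOW = timedelta(minutes=15)   # assumed: how long refused prompts stay relevant
THRESHOLD = 3                    # assumed: refused/ignored prompts that mean "fatigue"

def parse(log: str):
    """Parse and time-sort the log so users' events can be interleaved safely."""
    events = []
    for line in log.splitlines():
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    events.sort()
    return events

def detect_mfa_fatigue(log: str) -> List[Dict]:
    """One 'fatigue_in_progress' alert when a user first crosses THRESHOLD refused prompts
    (so the SOC can reach the user before they give in) and one 'approved_after_fatigue'
    alert for an approval that follows such a burst, which is the likely account takeover."""
    alerts = []
    recent: Dict[str, List[datetime]] = defaultdict(list)
    warned = set()
    for ts, user, event, ip in parse(log):
        recent[user] = [t for t in recent[user] if ts - t <= WINDOW]  # expire old prompts
        if event in ("push_denied", "push_timeout"):
            recent[user].append(ts)
            if len(recent[user]) >= THRESHOLD and user not in warned:
                warned.add(user)
                alerts.append({"type": "fatigue_in_progress", "user": user, "at": ts,
                               "prompts": len(recent[user]), "ip": ip})
        elif event == "push_approved":
            if len(recent[user]) >= THRESHOLD:
                alerts.append({"type": "approved_after_fatigue", "user": user, "at": ts,
                               "prompts": len(recent[user]), "ip": ip})
            recent[user].clear()   # a normal approval resets the user's history
            warned.discard(user)
    return alerts
```

In the sample, alice triggers both alerts while bob's single refusal followed by a normal approval stays below the threshold; the "approved_after_fatigue" alert is the one that should force a session review rather than just a notification.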
Once the threat actor successfully logged into Uber’s network, they had far more access than any normal user should. With a stricter PAM approach, Uber would have segmented permissions, preventing this employee from being able to access the company’s most sensitive data. Instead, the employee—and by extension, the threat actor—would only have been able to see the data relevant to their role and responsibilities.
Uber also lacked a converged identity security solution, like the aforementioned orchestration platform, to see any suspicious login activity proactively. Each step of the process was siloed and too much access was given across the board too easily, leading to a massive data breach as the end product.
If any of these actions had been taken to refine Uber’s security system in 2022, they may very well have been able to avoid the breach entirely. Or at the very least, they may have been able to catch the attacker in real-time to reject any further advances deeper into their employee and customer data.
The future of identity security
Enterprises need to realize that the identity pillar in the Zero Trust framework helps provide the right answers to many critical security questions such as: Who has access to what? When did they get it? Has it been reviewed? Do they have elevated access? These are the core principles to know what’s happening within your organization, so you can enable and limit what users can do with that access.
Reinforcing this strategy with a mix of security awareness training, and a defense-in-depth approach focused on securing identities and access will help organizations build a stronger defense system by leveraging identities as the primary control plane to build an efficient and effective cyber strategy.
The idea should be to provide all users and services with no more than the necessary amount of access for the time it takes them to accomplish their tasks. The three principles of Zero Trust – verify explicitly, use least privilege access, and assume a breach will occur – are key to laying a solid foundation to secure and protect access, as well as to protect your CSO from job loss or, in Uber’s case, prosecution.
Written by Chris Schueler.
Copyright 2024 The CEOWORLD magazine. All rights reserved. This material (and any extract from it) must not be copied, redistributed or placed on any website, without CEOWORLD magazine' prior written consent. For media queries, please contact: info@ceoworld.biz