Thursday, June 21, 2018

Railway breach in Europe



For a business to be targeted, there has to be something of value to exfiltrate.
Attackers do not work through the full attack cycle for practice. When a breach
does happen, there should be tooling in place monitoring activity so that the
attacker's actions are noticed and halted.

One such incident occurred on Europe's railway system. A traveler on the rail in
Europe naturally has to purchase a ticket, and that process collects the usual
information: credit card numbers, full legal name, mailing address, email, and
phone numbers. Taken together, this information is an attractive target for any
attacker, and used in combination it could support a fair number of successful
follow-on attacks.

Such an incident occurred in late 2017. On November 29, 2017, the Rail Europe
North America (RENA) system was breached. Worse, the attackers retained access
from the initial breach on November 29, 2017 through February 16, 2018. During
that window they had ample time to exfiltrate the PII and payment data they wanted.
To worsen the situation further, Rail Europe was not aware it had been breached;
a bank affiliated with RENA noted the activity and informed the company. The number
of affected clients is unknown, but it could be substantial, as RENA had transacted
with roughly 5M Americans.

The recommendation at this point is for RENA customers to change their passwords
and watch their accounts. Identity theft protection is also being offered, but over
the long term it may not carry much value: a year of monitoring does not help when
the attackers can keep using certain stolen data indefinitely, not just for a year.

The vulnerability involved the client-facing web pages. These were infected with
malware coded to capture the client's information as it was entered, including debit
and credit card numbers, expiration dates, and, importantly, CVV numbers. The CVV is
notable because PCI DSS forbids storing it after authorization, so skimming it at
the point of entry on the web page is the only practical way for an attacker to get it.

There are several lessons from this compromise. The primary one is to monitor the
logs, the network, and access. The business should have noticed something was
occurring on its network over nearly three months of exfiltrating so many records
(https://www.informationsecuritybuzz.com/expert-comments/rail-europe-customer-data-breach/).
That volume of outbound traffic should have been noticed at some level at some point.
Each host has a normal daily egress volume, and a host that suddenly sends tens of
times its baseline, or starts talking to a destination it never used before, is
exactly the signal the monitoring should have raised.
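As an added example of the monitoring argument above (this is not code from the original post, nor from Rail Europe), the script below builds a per-host outbound-volume baseline from a constructed flow log and flags days on which a host sends far more than its own history suggests. The log format, host addresses, byte counts, and the threshold parameters (seven baseline days, three standard deviations, and a minimum 2x ratio) are all assumptions chosen for illustration.

```python
"""Outbound-volume baseline check over constructed flow-log lines.

Added example, not code from the original post or from Rail Europe.
The log format, host addresses, byte counts and threshold parameters
are assumptions made for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow log: "<date> <src_ip> <dst_ip> <bytes_out>".
# Seven quiet baseline days per internal host, then two days on which
# 10.0.5.12 pushes far more data out than usual, to a new destination.
SAMPLE_LOG = """\
2017-11-22 10.0.5.12 203.0.113.9 1000000
2017-11-22 10.0.5.20 198.51.100.7 2000000
2017-11-23 10.0.5.12 203.0.113.9 1100000
2017-11-23 10.0.5.20 198.51.100.7 2000000
2017-11-24 10.0.5.12 203.0.113.9 950000
2017-11-24 10.0.5.20 198.51.100.7 2000000
2017-11-25 10.0.5.12 203.0.113.9 1050000
2017-11-25 10.0.5.20 198.51.100.7 2000000
2017-11-26 10.0.5.12 203.0.113.9 1000000
2017-11-26 10.0.5.20 198.51.100.7 2000000
2017-11-27 10.0.5.12 203.0.113.9 1200000
2017-11-27 10.0.5.20 198.51.100.7 2000000
2017-11-28 10.0.5.12 203.0.113.9 900000
2017-11-28 10.0.5.20 198.51.100.7 2000000
2017-11-29 10.0.5.12 203.0.113.9 1000000
2017-11-29 10.0.5.12 192.0.2.44 47000000
2017-11-29 10.0.5.20 198.51.100.7 2400000
2017-11-30 10.0.5.12 203.0.113.9 1000000
2017-11-30 10.0.5.20 198.51.100.7 2000000
2017-12-01 10.0.5.12 192.0.2.44 35000000
2017-12-01 10.0.5.20 198.51.100.7 2000000
"""


def parse_flows(text):
    """Yield (day, src, dst, bytes_out) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        day, src, dst, nbytes = parts
        yield day, src, dst, int(nbytes)


def daily_egress(flows):
    """Sum bytes_out per (src host, day), regardless of destination."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, nbytes in flows:
        totals[src][day] += nbytes
    return totals


def flag_egress_anomalies(totals, baseline_days=7, z=3.0, min_ratio=2.0):
    """Compare each day after the baseline window against the host's own history.

    A day is flagged only if it exceeds BOTH mean + z*stdev and min_ratio*mean,
    so a perfectly stable host (stdev 0) is not flagged for a small wobble.
    Returns (src, day, bytes_out, multiple_of_baseline) tuples.
    """
    findings = []
    for src, per_day in totals.items():
        days = sorted(per_day)
        base = [per_day[d] for d in days[:baseline_days]]
        if len(base) < baseline_days:
            continue  # not enough history to judge; skip rather than guess
        mu, sigma = mean(base), pstdev(base)
        threshold = max(mu + z * sigma, min_ratio * mu)
        for d in days[baseline_days:]:
            if per_day[d] > threshold:
                findings.append((src, d, per_day[d], round(per_day[d] / mu, 1)))
    return findings


def run(text=SAMPLE_LOG):
    """Full pipeline over one log text; returns the flagged (host, day) findings."""
    return flag_egress_anomalies(daily_egress(parse_flows(text)))


if __name__ == "__main__":
    for src, day, nbytes, ratio in run():
        print(f"{day} {src} sent {nbytes} bytes out, {ratio}x its baseline")
```

On the constructed log, 10.0.5.12 is flagged on 2017-11-29 and 2017-12-01 (roughly 47x and 34x its baseline), while 10.0.5.20's 20% bump on 2017-11-29 is not, because the minimum-ratio guard keeps a zero-variance host from tripping on noise. In practice the baseline would come from NetFlow or proxy logs and be recomputed on a rolling window, but the shape of the check is the same.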


Bank Client's PII Valuable


Banks have the privilege of collecting our data and storing it for their own uses. In storing this data, banks act as its stewards, and a responsible steward deploys the InfoSec measures a reasonably prudent bank would to protect the bank, its assets, and its customers' data.
Two banks apparently had an issue which allowed such an oversight to occur (https://www.ehackingnews.com/2018/05/two-financial-institutions.html, http://www.palada.net/index.php/2018/05/29/news-6184/, & http://www.cbc.ca/news/business/simplii-data-hack-1.4680575). In May 2018, the Bank of Montreal and Simplii Financial, CIBC's direct banking brand, announced their alleged breaches. The affected clients number approximately 90k people. The data may have been accessed by the attacker or by whoever the data was sold to, as evidenced by the Bank of Montreal receiving a tip stating that a limited number of accounts had been accessed by unauthorized parties.
After the breach was noted and analysis began, Simplii implemented additional measures to improve its online security, including, but not limited to, fraud monitoring and closer monitoring of online banking activity.
To make things worse, the attackers threatened to release the exfiltrated data unless they were paid $1M on or before May 28th. The Bank of Montreal did not pay the ransom and is instead focusing its efforts on its clients.
Banks and other institutions have to be more proactive in implementing defense in depth to secure client data as far as possible. Budgets, internal politics, and other timing issues slow these implementations, but they should be pushed to the front of development and implementation. The alternative is to be breached, publish the breach, claim only highly trained "hackers" could have done it, and pay the fees.



Another defense to ransomware


Ransomware continues to be a nightmare. It can quickly ruin a CISO's day and wreak havoc on operations: a single click can shut down portions of the business. In Michigan, as an example, a utility's email system and accounting department were shut down for an extended period, and management ultimately paid the ransom so operations could continue. If that is not eye-opening enough, we simply have to remember WannaCry and its derivatives.
One method to assist in defense is to segment the network. Admins generally point to the prerequisites: knowing the hardware and software on the network, defining the approved communication paths, whitelisting applications, and encryption.
Network segmentation is an immense help here. Segmentation limits how much of the network a successful attacker can traverse from a compromised host. Without it, the attacker can work through the whole compromised system; with it, the attacker's reach is limited to the segment itself. Because the attacker is confined to a much smaller area, the activity should also draw more attention, and the work required for a full compromise rises significantly. The caveat is that segmentation is only as good as the rules between segments: if every segment is allowed to talk to every other on any port, the VLANs exist but the protection does not. Traffic between segments should be denied by default, with only the approved paths opened, and the denials logged, since a workstation trying SMB into the accounting segment is itself a useful alert.
Although a viable tool, implementation can be problematic. The Admin needs a full inventory of the network, the ability to keep it updated, and ongoing visibility into the network.
Best practice is to implement the security profiles close to the endpoints, rather than only at the perimeter. This is a break from the traditional model of hardening primarily the perimeter. When configured correctly, it allows for a zero-trust model, in which no connection is trusted merely because it originates inside the network.
No security model is perfect; however, this adds depth to the network's security.
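As an added example of the deny-by-default segmentation policy described above (this is not code from the original post), the script below models segments as address ranges, lists the approved communication paths between them, and audits a constructed connection log against that policy. The segment names, address ranges, approved paths, and log lines are all assumptions; the same rules would be expressed as host-firewall or switch ACL entries in a real deployment.

```python
"""Segment-aware, deny-by-default connection policy checked against a
constructed connection log.

Added example, not code from the original post. The segment names,
address ranges, approved paths and log lines are assumptions chosen
to illustrate the technique.
"""
import ipaddress

# Network segments (assumed addressing). This is the inventory the post
# says an Admin must have before segmentation can work.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "email":        ipaddress.ip_network("10.20.1.0/24"),
    "accounting":   ipaddress.ip_network("10.20.2.0/24"),
    "ot_control":   ipaddress.ip_network("10.30.0.0/24"),
}

# Approved communication paths: (source segment, destination segment, dst port).
# Anything not listed is denied. Traffic inside a segment is also denied
# unless that segment is explicitly listed in EAST_WEST_ALLOWED.
APPROVED_PATHS = {
    ("workstations", "email", 443),
    ("workstations", "accounting", 443),
    ("accounting", "email", 25),
}
EAST_WEST_ALLOWED = {"email"}   # e.g. mail cluster members replicating to each other

# Constructed connection log: "<src_ip> <dst_ip> <dst_port>".
SAMPLE_CONNECTIONS = """\
10.10.4.17 10.20.1.5 443
10.10.4.17 10.20.2.9 443
10.10.4.17 10.20.2.9 445
10.10.4.17 10.10.4.18 445
10.20.2.9 10.20.1.5 25
10.20.2.9 10.30.0.12 502
10.20.1.5 10.20.1.6 389
192.0.2.77 10.20.2.9 443
"""


def segment_of(ip):
    """Return the segment name an address belongs to, or None if not inventoried."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip, dst_ip, dst_port):
    """Return ('allow' | 'deny', reason) for one connection attempt."""
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    if src_seg is None or dst_seg is None:
        return "deny", "unknown segment (address not in inventory)"
    if src_seg == dst_seg:
        if src_seg in EAST_WEST_ALLOWED:
            return "allow", f"east-west permitted inside {src_seg}"
        return "deny", f"east-west blocked inside {src_seg}"
    if (src_seg, dst_seg, dst_port) in APPROVED_PATHS:
        return "allow", f"{src_seg}->{dst_seg}:{dst_port} is an approved path"
    return "deny", f"{src_seg}->{dst_seg}:{dst_port} is not an approved path"


def audit(log_text):
    """Run every logged connection through the policy; return the denials.

    Each denial is (src_ip, dst_ip, dst_port, reason). In production these
    are the events that should go to the SIEM, not just be dropped silently.
    """
    denials = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src, dst, port = parts[0], parts[1], int(parts[2])
        verdict, reason = evaluate(src, dst, port)
        if verdict == "deny":
            denials.append((src, dst, port, reason))
    return denials


if __name__ == "__main__":
    for src, dst, port, reason in audit(SAMPLE_CONNECTIONS):
        print(f"DENY {src} -> {dst}:{port}  ({reason})")
```

Of the eight constructed connections, four are denied: a workstation reaching the accounting segment over SMB (445), a workstation talking to a neighbouring workstation over SMB (the classic lateral-movement step ransomware relies on), an accounting host reaching the OT segment on Modbus (502), and a source address that is not in the inventory at all. The HTTPS and SMTP paths that were explicitly approved, and the east-west traffic inside the email segment, are allowed.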


Wednesday, June 20, 2018

Medical Data Targeted!

Medical data is a significant target for attackers. It can be bundled together or
separated out to be sold, depending on the type of data and the markets available
on the dark web.


Yet another example of this was reported in May 2018. LifeBridge Health appears to
have been targeted and compromised. The compromise of roughly 500k patient records
appears to have occurred on September 27, 2016, and it was detected in March 2018.
Thus it took approximately 1.5 years for the business to realize it had been targeted,
that reconnaissance had occurred, and that the system was compromised. This was not
noted by the business or its InfoSec department, but only after a forensic firm had
been hired. The data probably exfiltrated included patient names, addresses, birth
dates, insurance information, and the gemstone of the set, the patient's Social
Security number.

Although the press release states the business takes protecting patient data very
seriously, as they all do, the breach and compromise timeline is problematic. Patient
data could have been available on the dark web for sale and abuse for up to 1.5 years.
The InfoSec team should have been able to notice the traffic moving the data out of the business.