A Few Thoughts on the Latest Data Breaches

It has been a very busy spring for data breaches, which has exposed not only a shift in how breaches are executed, but also what types of information are being targeted. As with most breaches, some of the details remain murky, but overall we have seen a pattern of sophisticated attacks targeting information and assets that could be used as part of subsequent targeted attacks. This means that enterprises need to not only re-evaluate how they secure their assets, but also take a fresh look at the real value of various enterprise assets and the long-term implications of an exposure.

Just to set the stage, lets quickly review the major breaches. The breach of Epsilon, an online marketing provider, exposed the customer email databases of over 100 companies, which could enable attackers to create very credible spear-fishing emails against any of the exposed email addresses. This is obviously a real-world risk given that the RSA breach actually began with a very targeted spear-fishing exercise against an RSA employee. In the case of the RSA breach, the attackers were apparently able to steal information on the inner workings of RSA’s Secure-ID product and potentially token seeds used in that same product. Yet another security vendor, Comodo, had certificate authorities compromised along with SSL certificates for a variety of very popular sites, allowing an attacker to potentially impersonate one of these sites to an unsuspecting consumer.

Collectively, these attacks seem to be targeting the underlying infrastructure of trust on the Internet both from a technical and social perspective. Do I trust the sender of this email? Do I trust that when my browser tells me at Gmail, that I’m really connected to Gmail? This provides an interesting context for looking at the breach of Sony’s Playstation Network, which has exposed personal information of more than 100 million subscribers. This breach has received more coverage than any of the other breaches, with the majority of analysis centered on whether or not credit card information was exposed in the breach. However, in the context of the other industry breaches, there is good reason to believe that the credit card information may not be the most valuable information in database.

The Playstation database includes a wealth of personal information including email addresses, passwords, online PSN identities, home address, and potentially the user’s PSN shopping history just to name a few examples. This information could be used to create very convincing spear-phishing campaigns, and even break into a user’s email account. As seen in the RSA example, this information can be used to gain a foothold into an enterprise. Thus the value of this information as part of a subsequent targeted attack could easily outstrip the $1 value of a stolen credit card on the black market. This should serve as a reminder that as attackers get more targeted and patient, financial information is not the only information worth stealing. The unique intellectual property and relationships that define the enterprise are increasingly being targeted, which puts us all on the front lines.

We will be taking a deeper dive into these breaches and what they mean for the enterprise in this week’s Threat Review. You can register for the Threat Review here, and we hope to see you there.