Taking an IAM View of Verifone's Breach

By Dan Legault on March 9, 2017


Another major breach was disclosed on this week’s Krebs blog by acclaimed cybersecurity reporter Brian Krebs. He reported that Verifone is investigating a breach of its internal computer networks. According to the article, it appears to have impacted several companies running Verifone’s point-of-sale solutions. The company says the extent of the breach was limited to its corporate network and that its payment services network was not impacted. It also appears that social engineering tactics were employed to gain initial access.

While it was reported that the breach lasted more than six months, the company believes they were able to stop the breach before the attackers could inflict major damage.

“We believe today that due to our immediate response, the potential for misuse of information is limited,” said Verifone spokesperson Andy Payment (Yes, that’s his real name!). Even if this statement is true, Verifone may be subject to reputational, brand, and potentially financial damages.

From an identity and access management (IAM) point of view, it appears that the policies and supporting capabilities of a strong IAM framework implementation may have mitigated the risks to the Verifone internal network.

IAM leading practices suggest a minimum of the following:

Password policy
Striking a balance between an adequate and comprehensive policy (length and complexity) and an appropriate user experience is always touchy. The article shows that Verifone required their staff and contractors to have a password length of 12 characters, along with a required level of complexity. This seems reasonable when accessing non-sensitive assets, but for more sensitive assets, it would be worth considering stronger authentication mechanisms such as multi-factor authentication or certificates.

Strong authentication
Determining the needed authentication strength and level is based on two elements:

  • The data classification model to qualify the sensitivity of critical assets
  • Level of credential assurance to measure the level of required authentication per qualified asset

Password Kill Switch
The email dictates that when Verifone became aware of the breach, all employees and contractors had a maximum of 24 hours to reset their passwords. It is hard to conceive that all impacted personnel could have reacted in this short timeframe. Therefore, a strong identity management implementation equipped with a “kill switch” would have been used to expire the passwords of the user population.

Privileged Users
What about privileged users who can have a direct path to the sensitive assets or “crown jewels”?  They are not mentioned in the article, but we know that intruders almost always try to gain elevated privileges. In a strong IAM implementation, comprehensive access certification rules would be implemented to catch outliers or users with excessive entitlements compared to peers. The recommendations should be extended to these special accounts as well.
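The peer-comparison rule described above, sketched as an added example (not from the original article or from Verifone). The users, peer groups, entitlement names and thresholds are all constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample data: user -> (peer group, entitlements currently held).
USERS = {
    "alice": ("helpdesk", {"ticketing", "password_reset"}),
    "bob":   ("helpdesk", {"ticketing", "password_reset"}),
    "carol": ("helpdesk", {"ticketing", "password_reset", "build_server_admin"}),
    "dave":  ("helpdesk", {"ticketing"}),
    "erin":  ("payments_ops", {"build_server_admin", "hsm_operator"}),
    "frank": ("payments_ops", {"build_server_admin", "hsm_operator"}),
    "grace": ("payments_ops", {"build_server_admin", "hsm_operator", "domain_admin"}),
}
# Assumption: entitlements the organisation classifies as privileged.
PRIVILEGED = {"domain_admin", "hsm_operator"}


def find_outliers(users, min_peer_share=0.5, min_group_size=3):
    """Map each user to the entitlements held by fewer than
    min_peer_share of that user's peer group (the user included)."""
    groups = defaultdict(list)
    for user, (group, _) in users.items():
        groups[group].append(user)

    findings = {}
    for members in groups.values():
        if len(members) < min_group_size:
            continue  # no meaningful baseline; certify these accounts by hand
        counts = Counter(e for m in members for e in users[m][1])
        for m in members:
            rare = sorted(e for e in users[m][1]
                          if counts[e] / len(members) < min_peer_share)
            if rare:
                findings[m] = rare
    return findings


def review_queue(findings, privileged):
    """Order flagged users so rare privileged entitlements are certified first."""
    return sorted(findings,
                  key=lambda u: (not (set(findings[u]) & privileged), u))


if __name__ == "__main__":
    flagged = find_outliers(USERS)
    for user in review_queue(flagged, PRIVILEGED):
        print(user, flagged[user])
```

An entitlement that is common inside one peer group (here `build_server_admin` in `payments_ops`) is still flagged when it shows up on a single account in another group, which is the case access certification is meant to surface.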

Federated partners
When discussing that the malware was found on a Verifone employee’s desktop, the article reports “it’s not just within Verifone’s network at [this] point, [now] it potentially expands to any connected partner network.” This may indicate that they are using legacy point-to-point applications and federated trust between partners. If this is the case, the propagation issue can be mitigated with a strong federated identity design where they specify which functions can be accessed within a secure trust between the domains. A comprehensive design of the session logout use cases is also essential.

Access Intelligence
According to sources, this breach lasted more than six months before it was detected, which aligns with industry averages. This is an extremely long time for skilled intruders to remain undetected. Even today, Verifone is unsure if they have fully addressed the threats.

On the surface, it appears that Verifone did not have an adequate event monitoring solution to capture access events and correlate with other events to raise alarms.

As an extension to IAM, the following pitfalls should be addressed:

  • For social engineering, it really doesn’t matter what depth of security is in place; successfully engineered attacks can usually provide a direct path to an organization’s crown jewels. Therefore, organizations need a comprehensive security awareness program backed by a solid policy and guidelines.
  • Local administrator privileges should be removed on desktops accessing sensitive information.
  • Compartmentalize or segment your network - In their case, it seems the network was segmented but it is highly likely that credentialing itself was not effectively segmented.
  • Use an application whitelisting solution - Most companies find it hard to manage but it should not be an excuse for an organization like Verifone. Whitelisting can be very effective.

Why is a robust IAM program important?  Attackers are getting more and more creative to gain access to their target networks. Once in, they seek out weaknesses to elevate privileges. While a strong IAM program may not prevent a breach from taking place, it can certainly make it more difficult for the attackers.

Learn more about Online Business Systems’ Risk, Security and Privacy practice by clicking here
