Cybersecurity Experts React To Latest SANS Data Breach

In response to the SANS cybersecurity training organization’s disclosure of a data breach in which approximately 28,000 records of PII were forwarded to an unknown external email address as a result of a phishing attack, cybersecurity experts offer perspective and recommendations.

Niamh Muldoon, Senior Director of Trust and Security EMEA
August 13, 2020 10:50 am

The SANS Institute data breach demonstrates that no organisation is exempt from cyber attacks. Security awareness training is fundamental to tackling phishing attempts but this needs to be continually implemented, ensuring employees are aware of the latest threats. It should not be a one-off instance. Individuals should also apply the S-T-O-P principle: (1) Stop, (2) Take a Deep Breath, (3) Opportunity to Think, (4) Put the email into Perspective and report the phish. Moreover, organisations need to be aware that even this is not foolproof. Even with constant security training and awareness programmes, 12% of end-users will continue to be exposed to phishing threats. As such, organisations should be adopting multiple layers of protection, utilising trusted products and service offerings to reduce the phishing risk further.

Jamie Akhtar, CEO and Co-founder
August 13, 2020 10:48 am

It is ironic and disappointing to see this happen to a cybersecurity training organisation, but not all that surprising. The majority of breaches like this are through employee error within companies. Phishing attacks are becoming increasingly sophisticated in the ways that they masquerade as legitimate sources and while anti-phishing software can help stop many of them, others will always get through. Equipping employees with the skills they need to prevent breaches is absolutely essential for businesses today, particularly as they transition into a hybrid remote/office work environment where there are fewer in-built checks on employee security. People need to be on the lookout for spelling and grammatical errors, overpromising and eager messaging, pop-ups and urgent deadlines or calls to action. They should also look carefully at who the email is from. Phishing attempts often use the name of someone they know (a colleague or friend, for example) but with the wrong domain address. If the email contains a link, you should verify its SSL credentials and never give out personal information on a site that does not have a valid SSL certificate. If an employee or business realises they have been breached, they should immediately take action by changing their personal password and alerting employees in the rest of the company.

People can help prevent the spread of these large-scale attacks by immediately reporting suspicious messages to the Suspicious Email Reporting Service (SERS): [email protected], which supports the government's Active Cyber Defence programme.

Jake Moore, Cybersecurity Specialist
August 13, 2020 10:46 am

Phishing scams remain extremely common, and this latest breach shows that cyber criminals are not even afraid of cyber security institutes when targeting organisations. Clever spear phishing attempts are designed to deceive even those who are aware of them; in the moment when reading something which mounts pressure on you to verify or give up information, it can be easy to trip up and overlook a scam with no obvious clues.

Verifying emails has never been more important, and remains your best bet in beating the fraudsters. Companies that don't have the proper security procedures in place can often leave themselves and their customers vulnerable to social engineering attacks, and constant delivery of training is also vital to make people continually aware of the problem and raise a zero trust policy. Companies must limit the number of employees who have access to personal information to reduce the possibility of a breach.

Troy Gill, Manager of Security Research
August 13, 2020 10:43 am

This goes to show that no organisation is immune to cyber attacks, in particular phishing. Not even an organisation as trusted and qualified as SANS. Malicious actors with a variety of different motivations are known to engage in this sort of activity. They may also have been planning a BEC (or ATO) type of scam, such as a wire fraud. Or they may have been looking to utilise the account to launch further malware attacks against SANS itself or other organisations by leveraging the account. One group that systematically performs the latter is Emotet.

On July 17th Emotet returned with a vengeance from the hiatus they had been on since February. As a refresher, Emotet is a modular banking trojan that utilises a worm spreader module and brute force attacks to spread across a network once the foothold has been established. They rely heavily on Conversation Hijacking Attacks to spread their initial infections.

Emotet slightly surpassed Dridex in total volume over the past several weeks by attempting to attack customers with both malicious attachments and malicious URLs. They have been scraping previous email conversations and replying back to those with an Emotet dropper over the past year. However, they have also begun including previous legitimate attachments from the prior email conversation (along with a malicious link in the body of the message) to add the appearance of authenticity to the recipient and increase infection efficacy.

Ilia Kolochenko, Founder and CEO
August 13, 2020 10:41 am

I don’t think that we should hold SANS accountable to the same standard of security and data protection as we impose on, let’s say, financial institutions and other highly regulated industries. Otherwise, their training would become exorbitantly expensive and few organizations would be able to afford them, causing a domino effect of global insecurity and poor awareness. Like many others, SANS seems to have fallen victim to unforeseen work from home (WFH) measures that have undermined many security mechanisms and controls readily available in the office.

The breach of one single email, however, should not lead to such a significant exposure of PII data, even if it’s a drop in the ocean of disclosed data breaches from the last 18 months. Attackers will now gradually focus their attention on cybersecurity companies and organizations to get their clients' privileged information or credentials. The rapid and transparent reaction of SANS to this incident is laudable and professional. Moreover, this fairly insignificant incident will now likely boost internal security at SANS and provide additional confidence to its clients and partners.
