Cybersecurity experts commented on the news of the Cash App data breach.
Over 8 million Cash App users possibly affected by data breach from a former employee https://t.co/GCxBmbV1PA via @jordan_mendoza5 @usatoday— mikesnider (@MikeSnider) April 6, 2022
The data breach incident that Block disclosed about a former employee who downloaded highly sensitive customer information accentuates the threat posed by the “inside job.” We often focus on threat actors working on the outside of our perimeters trying to get into the enterprise environment and thereby compromise data, but people on the inside have a leg up because usually, they have some access to the internal network environment and IT resources.
What we learn from such incidents is that our focus should be on protecting the data itself. Consider more data-centric methods of protection such as tokenization or format-preserving encryption, which obfuscate sensitive (and valuable) information no matter who has access to it. Businesses should also adopt security stances like Zero Trust, which denies implicit trust to users, devices, and other entities regardless of their location within the network. Don’t trust and always verify!
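The tokenization the comment above recommends can be illustrated with a small vault-based tokenizer. This is an added example, not code from Block, Cash App or any vendor: the `TokenVault` class, the `settlement` role and the sample account numbers are all constructed for illustration. The point it shows is that the systems an employee can bulk-download hold only random surrogates, and that recovering an original is a separate, role-checked call against the vault.

```python
import secrets
from typing import Dict, List


class TokenVault:
    """Vault-based tokenization (added illustration, not Block's or Cash App's design).

    The real value is written only into the vault; every other store, report or export
    receives a random surrogate of the same shape, so a bulk download of those systems
    yields nothing that can be reversed without the vault and the authority to query it.
    """

    DETOKENIZE_ROLES = {"settlement"}  # hypothetical: the only role allowed to recover originals

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        """Return a stable, format-preserving token for a digit-only identifier."""
        if not value.isdigit() or len(value) < 8:
            raise ValueError("expected a digit string of at least 8 characters")
        if value in self._value_to_token:  # same input always yields the same token
            return self._value_to_token[value]
        while True:
            token = self._surrogate(value)
            # Reject the (astronomically unlikely) collision with another token or with the input itself
            if token not in self._token_to_value and token != value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Recover the original only for an authorised role; every other caller is refused."""
        if caller_role not in self.DETOKENIZE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_value[token]

    @staticmethod
    def _surrogate(value: str) -> str:
        # Same length and same last four digits so existing schemas and support workflows
        # keep working; the leading digits are random and not derived from the input.
        random_part = "".join(secrets.choice("0123456789") for _ in range(len(value) - 4))
        return random_part + value[-4:]


def export_report(customers: List[dict], vault: TokenVault) -> List[dict]:
    """Build the kind of dataset an analyst or a bulk export would see: tokens only."""
    return [
        {"name": c["name"], "account": vault.tokenize(c["account"])}
        for c in customers
    ]


# Constructed sample records (not real customer data; these are standard test card numbers)
SAMPLE_CUSTOMERS = [
    {"name": "Customer A", "account": "4111111111111111"},
    {"name": "Customer B", "account": "5500000000000004"},
]

if __name__ == "__main__":
    vault = TokenVault()
    for row in export_report(SAMPLE_CUSTOMERS, vault):
        print(row)
```

The surrogate keeps the last four digits, which is the usual trade-off for support and reconciliation workflows; if that residue is itself sensitive in your context, generate the whole token at random. Format-preserving encryption (for example NIST's FF1 mode) gives a similar shape-preserving result without a vault lookup, at the cost of managing a key instead of a mapping table.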
The Cash App data breach reminds us that many data breaches are an inside job. Disgruntled employees sometimes decide to download and steal company and customer data as revenge, or they are enticed into stealing data by financial offers from outside bad actors. Companies need to immediately revoke any former employee’s access to data as soon as the employee’s employment ends. Failing to revoke a former employee’s access can lead to stolen data or other fraud.
While investigations of the Cash App breach are underway, leaving many unanswered questions on the ‘how’ this happened — it’s actually not as shocking to hear that it has, as some may think. In fact, there are numerous ways that this could have occurred, one of which is due to unrecognized privilege sprawl — a factor that all companies should have top of mind.
Privilege sprawl is the always-on, always-available administrative access. It occurs when administrative, or special rights to a system, have been over-provisioned and granted to too many people within an organization.
Company admins need access of course, but the 24x7x365 standing privileges that come with the ‘always-available’ approach are what get companies into hot water today, compounded by access that isn’t de-provisioned when it really should, as the breach with the Cash App illustrates. Whether related to lax procedures, a lack of consistent oversight, or the fear of causing disruption to established processes, the proper de-provisioning or termination of privileged access is often neglected or mismanaged, including when a person exits a company.
Unfortunately, this is an issue growing in the dark of companies, quietly amassing to significant proportions and key to successful lateral movement attacks, which they don’t even realize until it’s too late.
For those looking to address privilege sprawl, it’s important that they implement a ‘Just-in-Time’ approach with multi-factor authentication (MFA). This grants privileges only as needed for a set amount of time, and minimizes the sprawl that ultimately exposes companies to potential breaches.
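The just-in-time model described in the comment above, together with the de-provisioning gap raised in the earlier comment about revoking a former employee's access, can be made concrete with a small privilege broker. This is an added example and not code from Block, Cash App or any identity vendor; the `PrivilegeBroker` class, its two-hour policy window, the `hr_terminated` and `revoke_all` split and the user names are all constructed assumptions. It issues privileges only after MFA and only for a bounded window, and its audit reports the two conditions the commentary warns about: always-on grants with no expiry, and grants still on file for someone HR has already marked as departed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set


@dataclass
class Grant:
    user: str
    privilege: str
    granted_at: datetime
    expires_at: Optional[datetime]  # None means a standing, always-on privilege


@dataclass
class PrivilegeBroker:
    """Hypothetical just-in-time privilege broker (illustration, not a real product).

    Every privilege is issued only after MFA and only for a bounded window; an audit
    pass flags standing grants, stale grants that were never cleaned up, and grants
    still held by people whose employment has ended.
    """
    max_window: timedelta = timedelta(hours=2)  # assumed policy maximum
    grants: List[Grant] = field(default_factory=list)
    active_employees: Set[str] = field(default_factory=set)

    def request(self, user: str, privilege: str, mfa_verified: bool,
                duration: timedelta, now: datetime) -> Grant:
        """Issue a time-boxed grant; refuse without MFA or for a window beyond policy."""
        if user not in self.active_employees:
            raise PermissionError(f"{user} is not an active employee")
        if not mfa_verified:
            raise PermissionError("MFA is required before any privilege is issued")
        if duration > self.max_window:
            raise ValueError(f"window {duration} exceeds policy maximum {self.max_window}")
        grant = Grant(user, privilege, now, now + duration)
        self.grants.append(grant)
        return grant

    def record_standing(self, user: str, privilege: str, now: datetime) -> Grant:
        """Record a legacy always-on grant (the sprawl pattern) so the audit can surface it."""
        grant = Grant(user, privilege, now, None)
        self.grants.append(grant)
        return grant

    def has_privilege(self, user: str, privilege: str, now: datetime) -> bool:
        """What a downstream system sees: an unexpired grant on file, regardless of HR status."""
        return any(
            g.user == user and g.privilege == privilege
            and (g.expires_at is None or now < g.expires_at)
            for g in self.grants
        )

    def hr_terminated(self, user: str) -> None:
        """HR marks the person as departed; on its own this revokes nothing."""
        self.active_employees.discard(user)

    def revoke_all(self, user: str) -> int:
        """De-provision every grant for a user; returns how many were removed."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.user != user]
        return before - len(self.grants)

    def audit(self, now: datetime) -> List[str]:
        """Findings a reviewer would want on a recurring schedule, not only after an incident."""
        findings: List[str] = []
        for g in self.grants:
            if g.expires_at is None:
                findings.append(f"STANDING: {g.user} holds {g.privilege} with no expiry")
            elif now >= g.expires_at:
                findings.append(f"STALE: {g.user}'s {g.privilege} expired but was never removed")
            if g.user not in self.active_employees:
                findings.append(f"ORPHANED: {g.user} is no longer employed but still holds {g.privilege}")
        return findings


if __name__ == "__main__":
    # Constructed walk-through: one JIT grant, one legacy standing grant, one departure
    now = datetime(2022, 4, 6, 12, 0, tzinfo=timezone.utc)
    broker = PrivilegeBroker()
    broker.active_employees.update({"alice", "bob"})
    broker.request("alice", "db-admin", mfa_verified=True, duration=timedelta(minutes=30), now=now)
    broker.record_standing("bob", "customer-export", now)
    broker.hr_terminated("bob")  # HR feed processed, but nobody ran revoke_all
    for finding in broker.audit(now):
        print(finding)
```

The deliberate split between `hr_terminated` and `revoke_all` models the gap the commentary describes: employment status and access are held in different systems, so the audit, not the HR event, is what catches an orphaned grant. In a real deployment the audit output would feed a ticket or an automated revocation, and `has_privilege` would be backed by the actual directory or cloud IAM rather than an in-memory list.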
Insider threats are a risk that does not get enough attention. Disgruntled or negligent employees can have a big impact on security. Organizations must limit access to what is specifically necessary for the role, put in audits for access, and tools to limit data leakage. If the data is important to you, it is important to an attacker too.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides experts’ comments, analysis and opinion on the latest Information Security news and topics.