Following the news about the cyber attack at Three Mobile that potentially placed six million users’ information at risk, IT security experts from InfoArmor, Balabit and Duo Security commented below.
Christian Lees, CTO and CSO at InfoArmor:
“As organizations continue to bolster their security postures at the perimeter / public offering, it’s logical for threat actors to migrate to and even expand internal lateral movement campaigns often fueled by compromised credentials. Compromised credentials are widely available, low cost and offer a low likelihood of detection to the threat actor.”

Istvan Molnár, Compliance Specialist at Balabit:

“Information surfaced that the hackers used a legit login or password in the Three Mobile breach. While the method of obtaining these credentials is unknown, it is evident that it allowed them to gain hold of several clients’ personal information, and 6 million customers’ personal data is put at risk.
“Hackers tend to use this method as it is the easiest way to stay under the radar, and as more and more data breaches involve user account misuse, we should address the elephant in the room in this regard.
“This issue also highlights that one-off authentication methods such as passwords on their own are simply not enough to protect sensitive data. They must be complemented with continuous identification: a method to not only identify the account once, at the beginning of the session, but the user operating under those credentials. It is important to have real-time information on the user’s behavior so that it can then be compared to the already learned behaviors of known user profiles. Continuous authentication is achievable via machine-learning-based systems which are capable of pinpointing user-related anomalies and potential data breaches.
“In the case of Three Mobile, the system would have recognized the difference in the user’s typing pattern, use of command set and accessed network areas. This information would have appeared on the security analytics display and, if the situation got worse, the system would terminate the connection of the suspicious user in real time.”
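The session-monitoring logic Molnár describes, as an added example that is not part of the article or of Balabit's product: it learns a per-user baseline from three signals named in the quote (typing rhythm, command set, network areas reached), scores a live session against that baseline, and returns a graded verdict that an analyst display could show or act on. The user profile, session data, weights and thresholds are all constructed for illustration and are assumptions, not values from the page.

```python
"""Toy continuous-authentication monitor (example code, not from the article)."""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class UserProfile:
    """Baseline learned from a user's own past sessions (constructed here)."""
    user: str
    key_intervals_ms: list   # observed inter-keystroke gaps in milliseconds
    command_counts: dict     # command -> how often the user has run it
    network_areas: set       # subnets / zones the user normally touches
    mean_gap: float = field(init=False)
    std_gap: float = field(init=False)

    def __post_init__(self):
        self.mean_gap = mean(self.key_intervals_ms)
        # floor the spread at 1 ms so the z-score never divides by zero
        self.std_gap = max(pstdev(self.key_intervals_ms), 1.0)


def typing_anomaly(profile, session_gaps):
    """z-score of the session's average typing gap against the baseline."""
    return abs(mean(session_gaps) - profile.mean_gap) / profile.std_gap


def command_anomaly(profile, session_commands):
    """Share of commands in this session the user has never run before."""
    unseen = [c for c in session_commands if c not in profile.command_counts]
    return len(unseen) / len(session_commands)


def network_anomaly(profile, session_areas):
    """Share of network areas touched this session outside the baseline."""
    unseen = [a for a in session_areas if a not in profile.network_areas]
    return len(unseen) / len(session_areas)


def score_session(profile, gaps, commands, areas, w=(1.0, 3.0, 3.0)):
    """Weighted anomaly score; the weights are an assumption for this example."""
    return (w[0] * typing_anomaly(profile, gaps)
            + w[1] * command_anomaly(profile, commands)
            + w[2] * network_anomaly(profile, areas))


def decide(score, warn_at=1.5, terminate_at=3.0):
    """Map a score to the verdict the analyst display would show."""
    if score >= terminate_at:
        return "terminate"   # drop the connection in real time
    if score >= warn_at:
        return "alert"       # surface on the analytics display
    return "ok"


# Constructed baseline: the legitimate user types at ~120 ms per key,
# runs a small set of shell commands and only reaches two subnets.
BASELINE = UserProfile(
    user="alice",
    key_intervals_ms=[110, 130, 110, 130, 110, 130],
    command_counts={"ls": 40, "cd": 35, "cat": 20, "grep": 12, "ssh": 8},
    network_areas={"10.0.20.0/24", "10.0.30.0/24"},
)

# Constructed sessions: the user herself, the user on one new subnet, and
# someone else holding her valid credentials.
NORMAL_SESSION = ([118, 122, 120, 124], ["ls", "cd", "grep"],
                  ["10.0.20.0/24"])
NEW_SUBNET_SESSION = ([118, 122, 120, 124], ["ls", "ssh"],
                      ["10.0.20.0/24", "10.0.40.0/24"])
ATTACKER_SESSION = ([60, 55, 65, 60], ["whoami", "net view", "mimikatz"],
                    ["10.0.20.0/24", "10.0.99.0/24"])


def run_demo():
    """Score each constructed session and return its verdict by name."""
    return {
        name: decide(score_session(BASELINE, *session))
        for name, session in [("normal", NORMAL_SESSION),
                              ("new_subnet", NEW_SUBNET_SESSION),
                              ("attacker", ATTACKER_SESSION)]
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:>10}: {verdict}")
```

The point of the graded verdict is that a single new subnet only raises an alert, while a session that is typed faster, runs commands the user never runs and reaches an unfamiliar network area crosses the termination threshold on all three signals at once; a real deployment would tune the weights and thresholds per role and feed the analyst display rather than terminate on the first score.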

Steve Manzuik, Director of Security Research at Duo Security:
“This is a great example of why two-factor authentication is a key defence in preventing attacks. If this organization had two-factor authentication in place, the attack would not have been able to proceed beyond obtaining the employee credentials. The details of this scam also raise other security questions, such as why this type of data is easily accessed by any employee via the Internet and why PII isn’t better protected, even from employees. However, despite those failings, two-factor authentication would have prevented this attack.”

Information Security Buzz