Sage Software Firm Hit By Data Breach

A data breach at large UK software company Sage may have compromised personal information for employees at 280 UK businesses, it is understood. Police are investigating the breach and Sage is probing the “unauthorised access” of data by someone using an “internal” company computer login.

IT security experts from ESET, Lieberman Software, AlienVault, MIRACL and Certes Networks commented below.

Mark James, Security Specialist at ESET:

“One of the weakest links in any organisation are the users, you can have as many security features as you like but most of the time someone somewhere needs access to it in one way or another. If that user gets compromised or joins the dark side then that data could be at risk. Of course there are lots of things you can do to make it difficult; making sure only some of the network is accessible through segregated access, masking certain stored information to ensure it’s not viewable in its entirety. Encrypting the data that’s stored in the databases and of course making sure that every single task or keystroke is audited. But typically your admins will need to access a large chunk of that data to keep it happy and accessible for all, insider threats are on the up, it’s no longer sufficient to assume your biggest threats are from external attacks.”

Jonathan Sander, VP of Product Strategy at Lieberman Software:

“The Sage breach is a reminder that despite all the headlines about bad guys trying to break in there is an ever present danger from within, too. Often firms spend tons of money protecting against outsiders getting in, but fall into the “we trust our people” tap when it comes to insider threat. The trouble with trusting staff is that they’re likely worthy of that trust until the moment they become disgruntled – and there’s no way to see that moment happen. Every organization must shift to a least trust model for inside security, and even make the goal zero trust. Every scrap of sensitive information should be under a least permission model in files, folders, email systems, and inside applications. Very rigorous process must be applied to IT administrators and the privileged access they have because it can bypass all your strong security if you’re not careful.”

Javvad Malik, Security Advocate at AlienVault:

“Insider threats are a growing concern for many companies. Ever since Edward Snowden became the poster-child to showcase the immense damage a motivated malicious insider can cause, more efforts have been put into understanding, preventing and detecting this threat.

We can define an insider as an individual with legitimate access within the corporate perimeter – be it physical or virtual. This would include permanent and temporary employees, 3rd party contractors as well as 3rd party support companies and outsourced service providers.

Typically, a threat is defined as something or someone exploiting a vulnerability in a target. In the case of insiders, this can be reframed as someone abusing their trust.

Detecting insider threats are not as straightforward as blocking attacks at the perimeter. Like many security controls, the concept of defense in depth can be applied where a collection of procedural, user, and technical controls can be applied to detect suspicious activity.”

Brian Spector, CEO at MIRACL:

“Personal and financial data is one of the most valuable commodities on the Internet today. This kind of data fuels the multi-billion dollar business of identity fraud on the dark net, and is therefore a prime target for any hacker, or motivated insider, to exploit.

But whether this particular incident was motivated by financial gain, or some other motive, the breach suggests that inadequate security measures were being used. Using old technologies such as username and password, it’s pretty easy for a hacker or insider to steal the relevant credentials and gain access to sensitive data. In reality, any organisation that houses such a treasure trove of financial data should be using stronger security measures such as biometrics or multi-factor authentication, to prevent such ‘unauthorised access’ to data. The username and password system is old technology that is simply not up to the standard required to secure the deep information and private services that we all store and access online today. By contrast, new, secure methods of multi-factor authentication can make database hacks, stolen credentials, password reuse and social engineering a thing of the past.”

Paul German, VP EMEA at Certes Networks:

“The fact that Sage does not know the full extent of the data breach shows that the company does not have adequate segmentation in place. Quite simply, if Sage had cryptographically segmented its security system into predefined and clearly understood fragments, the breach would have been more manageable, instead of system wide, and Sage would know the parts of the network infrastructure that have been hacked. Sage should have a crypto-segmentation strategy in place, which would ensure that all sensitive application flows inside and outside the perimeter are encrypted, creating a clean and unbreakable link between each user and the permitted data and applications. As a result, if a breach does occur, the hacker is limited with the information and data that it is able to exploit.

Additionally, it must be asked as to how this breach was able to happen in the first place. Why could an internal user’s login permit access to confidential customer data and why wasn’t it stored in an encrypted format? This attack shows the need for organisations to adopt a Zero trust strategy, which assumes that there is no such thing as a trusted network or IT environment. Instead, every user, device, network and application must be treated as untrusted, and all enterprise systems should be considered already compromised.”