Singapore telecom company Singtel informed customers that its file-sharing system called FTA was it with a cyberattack. The company statement said the system was “illegally attacked by unidentified hackers. This is a standalone system that we use to share information internally as well as with external stakeholders. Accellion has informed us that this incident is part of a wider concerted attack against users of their file-sharing system. Cybersecurity experts offer perspective.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
<p>The breach experienced by Singtel is another harsh reminder of the dangers organisations face when sharing customer data with third parties. When the technology used to transfer data possess poor security, it impacts consumer privacy, can result in security breaches and irreparable brand and financial damage.</p> <p> </p> <p>Companies therefor need to establish a new and secure way where they can safely exchange data with their partners – without compromising security. One of the biggest trends we are seeing is the adoption of data safe rooms, which take a walled garden approach to data sharing. This is by far a better way to collaborate and exchange data with third parties and is much more secure that using outdated technology with unknown numbers of security vulnerabilities.</p>
<p>In the vein of what we witnessed post FireEye breach at the end of 2020, the fallout from this has the potential to be significant, especially for a company as high profile as Accellion to be associated.</p> <p> </p> <p>Much like the response we saw from FireEye back in December, the key here will be for Singtel to ensure transparency with it customers and stakeholders, regarding how this breach may impact them and the support and precautions necessary for clients to manage potential risks.</p>
<p>Business leaders and organizations need to take time out of their day to carry out due-diligence in relation to the Accellion breach. This will help them determine the likelihood of their exposure to the breach and establish the full use of Accellion in their organizations.</p> <p> </p> <p>It\’s critical to ask each business leader if they are using an Accellion account belonging to a customer, partner, and/or vendor organization to send or receive shared files. An organization may not be directly exposed to the breach, but they could be using the Accellion version of the agent\’s organization which is exposed. It is important to incorporate access control and data lifecycle management into the risk assessment by asking about past data/files transfers, and whether those files have been properly managed, such as having access removed when it is no longer required.</p> <p> </p> <p>The results of the cross-functional risk assessment will determine if the organization is vulnerable per the versions of Accellion exploited by malicious attacker/s. Having your security and/or technology organization monitor and track official communications issued by Accellion will allow them to keep up-to-date. This is especially important because as the investigation continues more data will become available which may impact the associated risk to your organization, and require your organization to take more actions to reduce risk. If you are unclear from official communications where your organization is using a vulnerable version of not, reach out to Accellion for clarity – don’t just assume its ok.</p>
<p>The breaches revolving around Accellion’s decades-old software—most recently affecting Singtel—underscores several points about effective cybersecurity. With older, legacy software embedded within your operations, always work with vendors to update frequently or replace software that works with sensitive information, regardless of the potential costs. The risk of exposure is too expensive not to factor into your decision-making and capital expenditures.</p> <p> </p> <p>In addition, take data security seriously, because even if you don’t, the regulators certainly will make sure you do. Reconsider your defensive posture and the tools you use to thwart intentional or even unintentional breaches and data leaks. Ask yourself: am I protecting borders and perimeters around sensitive data, or am I protecting the actual data itself? The latter, which is known as data-centric security, ensures that no matter where data goes (even if it falls into the wrong hands) it remains protected and the sensitive nature of the information obfuscated. If data security is not on the mind of your IT professionals at all times, then an unfortunate data-related incident might be just around the corner. And you don’t want to go there.</p>
<p>The key here is to note that hackers are usually INSIDE the enterprise, undetected for a long time. F5 reported in 2021 the average time it takes to discover a \":credential spill\" is 327 days.</p> <p> </p> <p>By this time, we have to assume that an attacker is going to penetrate our network, servers, applications in some form or another. Billions of scans are running daily – looking for known, published vulnerabilities. Chances are one of our systems is not fully patched or even SHIPPED w/ a vulnerability (e.g. SolarWinds). Thus what\’s our defense? We have to be able to detect the actions of these attackers. </p> <p> </p> <p>It is known conduct in the attacker\’s kill chain that the hacker will usually do the two following actions: conduct lateral movement across the enterprise (to find valued resources) and to escalate their own privileges (say to admin account) to help move to all resources have the privileges necess to exfiltrate the data.</p> <p> </p> <p>These privilege escalations are detectable if the enterprise is conducting regular and triggered access and privilege reviews. This is what a cloud identity governance product can do for the enterprise. It is imperative to an enterprise to have regular reviews and be dynamically triggered when privilege escalations are occurring.</p>