In response to the news broken by TechCrunch that a development lab used by Samsung engineers was leaking highly sensitive source code, credentials and secret keys for several internal projects, including its SmartThings platform.
Brian Higgins, Security Specialist at Comparitech.com:
“This is a classic, although devastating example of insider threat. Not all data breaches are malicious in nature. Human error is the primary contributor in a large proportion of cases, but if you happen to be ‘patient zero’ in an embarrassing and potentially costly breach such as this, the potential impact can be very wide-reaching indeed. Reputational damage, loss of clients and revenue, consequential risk to jobs and careers all combine to pile pressure on the culpable.
In situations like this, incident response is a good measure of corporate maturity. It’s easy to fire people in the hope that you “scare” your remaining team into preventing it from happening again. It’s more difficult to re-group, re-train and learn from your mistakes. Given their privileged access rights, those responsible for this breach are probably very talented individuals, so it will be interesting to see which course of action Samsung decides to take.”
Steve Armstrong, Regional Director, UK & Ireland at Bitglass:
“Any data repository needs to have appropriate controls around the data. The first pillar has to be identity – it’s critical that access to data, source code in this case, is restricted to only those with the correct identity. Secure configuration of services should be next. It’s imperative that underlying infrastructure should be configured against best practice process. Basic cyber hygiene is critical to ensure that simple mistakes such as publicly exposed data repositories do not happen; with data sprawl across collaboration platforms it can be difficult to ensure integrity of the service – there needs to be a stringent approach to applying appropriate controls to all sensitive data.”
Ilia Kolochenko, Founder and CEO at ImmuniWeb:
“Unfortunately, today many other large companies unwittingly leak their source codes and other sensitive data via public code repositories, social networks, Pastebin and many other communities on the web. Often, the source code contains hardcoded credentials, API keys, detailed information about internal systems like CRM or ERP, let alone intellectual property owned by the organizations.
Outsourcing of software development to third parties tremendously exacerbates the problem. Remote developers may recklessly share, send and store your source code without any protection or care. For a while already, cybercriminals glean leaked data from public websites, frequently securing a windfall. Ultimately, growing investments into cybersecurity are ruined by insecure software development processes.
Organizations should conduct a holistic risk management assessment of their suppliers, foremost on software development companies. Comprehensive and measurable policies and procedures should be enacted and monitored on a continuous basis. Otherwise, you just leave the keys to your digital realm in the front door.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.