Cyber security: a marathon, not a Sprint

A case study contributed by Javvad Malik, security awareness advocate at KnowBe4.
Published: Thu 01 Aug 2019

In a letter to customers, US mobile operator Sprint stated it had been informed on June 22nd that there had been unauthorized access to their account via the "add a line" website. There notification contained the obligatory "Sprint takes customer's privacy, very seriously." but unfortunately, beyond that, there was little information of value.

A breach of trust

In today’s day and age, breaches happen on a daily basis. They are the cost of digital business. Even the most secure organizations in the world can have a breach or some form of data leak. However, whenever an incident occurs, a response plan starts off by asking the basic questions of who? What? When? Were? And How? If the answers to these aren't clear, or the company is not transparent with their findings, customers can lose trust in a brand.

When we look at the notification letter that Sprint sent to its customers, it didn't answer these fundamental questions. It couldn't say how long the data had been accessed for, how many accounts were breached, how they were notified of the breach, or the details of how the hackers gained access beyond accessing through the Samsung "add a line" website.

The information given to customers in these circumstances is about as useful as shaving foam is to a Wookie. And the crux of it becomes that customers don't necessarily lose trust because a breach occurred, but because a transparent and open account of the incident and response wasn't provided.


Add a line, gain access

Sprint mentioned that access was gained by the "add a line" website. However, the issue here is larger than just one website. It represents the larger problem of not managing access given to third parties. Customer records are one of the most sensitive records a company can hold. So, it needs to be protected appropriately, not just with strong access controls to prevent unauthorized access, but also with vigilant monitoring capabilities so that any authorized access is appropriate.

When access to sensitive systems is given to a third party, or even any department within a company, the access needs to be locked down. While a company can ask that third parties adhere to certain security standards, and even conduct assurance activities, it needs to accept the fact that these are uncontrolled external systems, and therefore should be secured as such.

Risky business

Many times companies will downplay the impact of a breach. Reassuring customers like flight crew asking passengers to remain calm and put their seatbelt on during heavy turbulence. In the notification, Sprint informed its customers that the following data was breached: phone number, device type, device ID, monthly recurring charges, subscriber ID, account number, account creation date, upgrade eligibility, first and last name, billing address and add-on services.

It continued, "no other information that could create a substantial risk of fraud or identity theft was acquired." Which begs the question as to how much more information was there to acquire?

Even this breach contains a lot of information used by companies to verify customer identities. So, the risk may not be as low as the company claims. Even if this set of data alone is low risk, customers should bear in mind the ‘chemistry of data’ effect. Whereby seemingly inert elements of data can be pieced together to form something more valuable than the sum of its parts.

Getting to the finish line

To paraphrase Thomas Edison, security is often missed because it is dressed in overalls and looks like work. Where a breach cannot be prevented, companies should be able to quickly identify and reliably investigate a suspected breach. While this sounds great in theory, unfortunately, none of these aspects are simple or easy.

Having said that, good practices of defense in depth apply, separating critical data from other departments and especially third parties, having robust access controls and monitored remote access. Having good identity and access management is also essential, as well as strong authentication such as 2-factor.

Conducting third party assurance on a procedural and technical level can also help reduce the overall risk. Monitoring capabilities are also needed, both from a tooling perspective, and by having skilled staff.

While putting these in place can be costly and time-consuming, they are necessary, only then can a company not only reduce the likelihood of a breach occurring, but when it does occur, allow the company to answer the all-important questions of Who? What? When? Where and How?

A cultural change

At the end of the day, having security embedded throughout the people, process, and technology of an organization is a cultural change. The corporate culture should not just allow, but actively encourage the inclusion of security within every facet of its operation. The risk should be assessed appropriately, and the right actions be taken. We've seen with recent breaches such as Equifax, and British Airways, breaches have led to record-level fines. These fines were levied not just because a breach had occurred, but because there were systemic security failures throughout the organization.

Many traditional companies that have embraced the digital revolution at a slower pace than others have a culture that resists such a change. This makes it even more important that this change occurs - even if it appears to be a costly investment. To quote Jake Williams, "if you have business, and that business makes money, someone is going to target you eventually. If you aren't doing cyber security because "we can't afford it" I have some very bad news for you: your business isn't really profitable anymore."