The article in SC Magazine indicated that a twitter posting with a link was the catalyst behind the attack. As a result, the link compromised a web server supporting Intel’s resource and design center which is used to share documents between Intel and business partners. Intel responded to the report, stating they did not believe the attack was facilitated through an exploited server. Intel issued the following statement:
“We are investigating this situation. The information appears to come from the Intel Resource and Design Center, which hosts information for use by our customers, partners, and other external parties who have registered for access. We believe an individual with access downloaded and shared this data.”
The source of the link also stated that password-protected copies of the folders were most likely already making their way around the internet and posted a password believed to unlock the folders. To add insult to injury, the source has insisted that the password was already on the files when breached.
Regardless of what really happened, this web server breach could have been avoided by implementing the most basic security controls.
Protect Your Data From Web Server Breaches by Bad Actors
These three basic defenses could have protected Intel and they can protect your web servers too.
- Perform scheduled vulnerability scans. Employ scanning solutions such as one by Qualys or Tenable according to the defined patching schedule or whenever a web server is deployed or a major change to the system is implemented to ensure you did not accidentally open any holes in your network during the change process.
- Use benchmarks to securely configure server images, network devices, and databases. CIS benchmarks or similar standards such as the Department of Defense security technical guidelines are free to download. They serve as an excellent guide for hardening your network assets against common threats. They also enable security logging so that your system administrators can research potential security events. This process can be automated using a configuration management solution like Puppet.
Perhaps you’re wondering how you can monitor the hundreds of servers, firewalls, databases, and cloud environments being used by your organization? If you’re thinking it’s impossible, you are correct!
In fact, it may be almost impossible for you to even read them. We’ve come a long way in security event logging but unfortunately, even if your devices are configured correctly, your logs will not generate a message that says “A hacker infiltrated me at 3 pm using CVE-101 and scraped your entire customer database, please send help and have a nice day. Also, call your lawyer.”
An individual device log won’t have all the information you need to investigate a security incident.
We can take a physical world example, a jewelry store robbery, to illustrate the challenge. First, think of the devices in your network as witnesses. Your database and application servers are like people inside the store – they may see the robbers scoop up the jewels but couldn’t tell you what car they were driving. Your web servers are akin to customers standing outside the store – they may see the direction the robbers went but wouldn’t be able to tell you what they took or that the robbery even happened. And if your logs aren’t enabled, they aren’t going to tell you anything. So, what do you do?
This takes us to the third basic defense.
- Implement a Security Information and Event Management system (SIEM). Alienvault AT&T Cybersecurity solution (formerly known as AlienVault) or LogRythm are examples of SIEMs. These tools aggregate and correlate all of your device logs to create a clear picture of who is doing what in your logical environment. “Clear” being a relative term – any IT component requires expertise and core competency to configure and operate effectively. Just as applications require developers, databases require DBAs, SIEMs require security analysts. Hiring experienced resources or outsourcing the service to a dedicated security operations center providers (like Abacode) will help to ensure your SIEM is doing its job.
Back to the Intel story. Intel claimed the data was stolen by someone with access. In that case the SIEM – again if configured correctly – should be able to provide a listing of users that accessed and downloaded the stolen data. That should be enough to identify the perpetrator. Start with these three practices to keep data secure.
- Review access listings to sensitive data to ensure only those with a valid business need have access. The larger an organization is, the more likely that access to sensitive data is provided to someone that doesn’t need access, or no longer needs it. Employees get transferred, are terminated, and if your IT, HR, and vendor management functions aren’t communicating effectively that access list will be much longer than it should be.
- Ensure third party organizations with access to your sensitive data run background checks on their employees, require non-disclosure signatures, and provide security awareness training. This may not catch every bad actor that a supplier unintentionally grants access to your data, but it will at least give you recourse. Also, it’s reasonable to assume supplier organizations that agree to enforce these controls take web server breaches and cybersecurity seriously.
- Install a data loss prevention (DLP) solution to help prevent exfiltration attacks. DLP works by tagging sensitive data. Tagging helps prevent the data from being copied off of the network or in some cases, tracking it even after it leaves your network. DLP won’t solve every problem. The entire point of Intel’s partner network is to share this information.
Every organization can afford to deploy these basic defenses. Failure to implement basic defenses leads to extremely expensive and unpleasant consequences.
Take This Cybersecurity Step Next
Start by becoming familiar with security standards such as NIST 800-53 and ISO 27001 which have done all the heavy lifting for you. There are standards for every industry and vertical out there– some of them free, some of them are proprietary. Download and review the standards on our website to start creating an effective security program for your organization.