September Security Snippet
In this month’s article, we discuss a few significant recent breaches and top security threats. There are a few recommendations on how to protect yourself as well as your organization.
Cybersecurity, Breaches, Security Best Practices
Weston Wilson
9/24/2024, 4 min read
The National Public Data Breach
Last month, National Public Data had nearly 3 billion records of personal data exposed, including names, addresses, and social security numbers. How the hackers obtained the data has not been officially released. However, the incident was made worse by the company storing old website data, including usernames and passwords, in plaintext on a publicly accessible website. See this article from KrebsOnSecurity for more detailed information.
What can you do to help prevent breaches?
Keep data encrypted at rest
Never keep passwords in plaintext
Change default usernames and passwords
Enable Multi-Factor Authentication (MFA) wherever possible
Go to a website directly in the browser, rather than clicking on links in an email
How can you protect yourself from the breach?
Freeze your credit with TransUnion, Experian, and Equifax if you have not already
You can unfreeze your credit temporarily (thaw it) or permanently when you need to use it.
Be wary of calls and emails requesting sensitive information. If you receive a call, you should never be asked to confirm your SSN.
If you receive a call asking you to confirm sensitive information, hang up and call the company back on its official number, obtained from a reliable source such as its website. When you initiate the call, an employee asking you to confirm sensitive data is less of a concern, assuming the company should have that information in the first place.
AT&T’s FCC Settlement
Tech giant AT&T recently settled an FCC investigation for $13 million. This settlement stemmed from a breach in 2023, which exposed millions of customers' data. The incident occurred because a third-party vendor handling AT&T's customer data was breached. This incident is not to be confused with July 2024's breach notice, which covered nearly all AT&T customers' data. The costs associated with the newer breach are yet to be seen. Both of these breaches, however, involve third-party vendors being breached while holding data that should no longer have existed.
Vendor Risk Management
This brings us to the topic of vendor risk management. As an organization, it's important to know who your vendors are, what data you are giving them, how they are securing the data, and how long they store it (data retention). Each vendor should be assessed for risk at least yearly. This is especially true when they hold any company data or are allowed access to an internal network. Templates can be used to gather relevant information on each vendor and give them a standardized score to see which vendor best lines up with the organization's needs. It can be costly to switch vendors, so the earlier you can get the risk assessments done to compare vendors, the better.
AI Security Concerns
Artificial intelligence, or generative artificial intelligence (gen AI), is a system capable of generating content from a user's input using, sometimes incomprehensibly, large data sets. AI models are trained by data models that often use "black box" decision trees, which means no one really knows how a specific input produced a specific output. There have been a few notable instances of AI producing undesirable or inaccurate results. If you are not paying for the usage of an AI system (and sometimes even if you are), your inputs are most likely saved by the system. See this article from Tech.co about ChatGPT's data collection. This means that any inputs containing sensitive or proprietary information could be exposed to an indeterminate number of people and could potentially cause regulatory and/or legal issues. AI use in development and coding is another area of concern. Normally, you have to prompt the AI to include security in the code it provides. If users are not aware of secure versus insecure coding practices, that could put your organization at risk.
So what does this all mean? Should an AI system be developed internally? Can employees use AI to generate text, code, images, or other content? Every business needs to decide for itself where and how gen AI should be used. Policies should be implemented to define permitted usage and restrictions, and users should be trained on the policy.
MFA and reducing breaches
Multi-Factor Authentication (MFA) or, less commonly, 2-Factor Authentication (2FA) is becoming increasingly easy to implement and provides one of the best security measures to prevent breaches. Keep in mind that no single security measure is a guaranteed way to prevent breaches, but each measure adds to your defense-in-depth strategy. MFA provides an additional step in the authentication of a user before they are granted access to a system. There are many types of factors that can be used, but generally they fall under one of: one-time password (delivered by email, text message, or authenticator app), biometrics (for example, face or fingerprint), or a physical device (such as a YubiKey, a Common Access Card/Personal Identity Verification (CAC/PIV) card, etc.). More recently, there has been a shift towards phishing-resistant MFA.
What is Phishing-resistant MFA?
Phishing-resistant MFA uses a factor that an attacker cannot obtain from the user and then use to gain access to a system. Phishing-resistant MFA requires a cryptographic key to log in or gain access to a system. Let's look at a couple of scenarios:
A standard One-Time Password (OTP) MFA code is sent to the user as a 6-8 character code via text message. The attacker impersonates the company and tricks the user into providing the code. Now the attacker is able to successfully log in to the system.
A system is safeguarded by a PIV card. The card is plugged into the computer, a PIN is requested to unlock the cryptographic keys on the card, and then the system communicates with the application to authenticate the user. If the attacker impersonates the company and is somehow able to get the user's PIN, they will still not be able to replicate the cryptographic keys on the card physically plugged into the user's computer. So a CAC/PIV card is phishing resistant. It is phishing resistant, not phishing proof, since the attacker may still be able to get the user to install malware or to provide sensitive information.
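The two scenarios above, worked through in Go as an added example (not code from the original post): an HOTP code that the server cannot distinguish from a phished one, beside a PIV-style card modeled with an Ed25519 key that never leaves the card. The card, PIN handling, challenge strings and server checks are simplified models constructed for illustration, not a real PIV or SMS stack.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// hotp is the 6-digit code an OTP factor shows the user (HOTP, RFC 4226).
func hotp(secret []byte, counter uint64) string {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(buf[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation offset
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}
// otpLogin sees only a string, not who typed it: a code phished from the user is accepted.
func otpLogin(secret []byte, counter uint64, submitted string) bool {
	return hmac.Equal([]byte(hotp(secret, counter)), []byte(submitted))
}

// card models a PIV-style smart card: the private key is generated on the
// card and never leaves it; the PIN only unlocks signing on the card itself.
type card struct {
	priv ed25519.PrivateKey
	pin  string
}
func newCard(pin string) (*card, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader: use crypto/rand
	if err != nil {
		panic(err)
	}
	return &card{priv: priv, pin: pin}, pub
}
// sign answers the server's fresh challenge, or returns nil on a wrong PIN.
func (c *card) sign(pin string, challenge []byte) []byte {
	if pin != c.pin {
		return nil
	}
	return ed25519.Sign(c.priv, challenge)
}
// cardLogin verifies against the key enrolled at issuance; a phished PIN or any other key fails.
func cardLogin(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return sig != nil && ed25519.Verify(pub, challenge, sig)
}
```

The HOTP function reproduces the RFC 4226 test vectors (secret "12345678901234567890", counter 0 gives 755224), so the OTP side is the real algorithm; only the card is a model.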
SANS has a good blog post on phishing resistant MFA if you would like to learn more.