My mom always said it never hurts to ask, and it looks like the Magnolia Healthcare hacker’s mom did so as well.
I gotta admit, as a hacker, you work hard for your ill-gotten booty. You meticulously design phishing emails so realistic that victims can’t help but be enticed to click on the poisonous links. You then install credential-stealing software on the unsuspecting victim’s laptops, and establish surreptitious command and control channels through which you can execute your sophisticated attack.
Patiently, you probe the target network, searching for the elevated credentials that are the holy grail of successful breaches. You then use these hijacked privileged credentials to search thousands of files and folders for valuable, sensitive data, often spending weeks, months, or even years on a single attack.
Eventually, after all that effort, you find the highly sensitive spreadsheet listing all employees and their personal information. Whew…that was exhausting.
You know. You could have just asked for it.
That’s exactly what the Magnolia Healthcare hacker did (http://www.hipaajournal.com/magnolia-health-victim-of-email-spoofing-phishing-scam-8314/). Fashioning an email that appeared to be sent from the CEO of Magnolia, the attacker simply asked an employee to email a copy of the active company employee spreadsheet, replete with names, social security numbers, dates of birth, home addresses, dates of hire, job title, salary, and more.
Unsurprisingly, the employee sent the “CEO” exactly what he asked for.
The mother of all hacking shortcuts. Someone push the Staples EASY button.
Clearly, these kinds of well-researched and clever attacks are difficult to prevent, and recommendations will fly in from all corners for more employee training, training, and more training. And we agree. More training may help.
Be that as it may, another defense tactic could be more effective. Certainly, we don’t know anything about the employee that emailed perhaps the most sensitive file in the company to the hacker, and it’s very possible they had every reason to have access to that file. Perhaps the employee was a senior-level HR executive, or an assistant of such a senior individual. But maybe not.
Let’s ask ourselves who should have access to such a file? Two or three people, perhaps? OK, maybe 5 or 6, but not many more than that. And how much would you like to bet that if we listed the employees with effective access to that file, the number would be much higher than 5 or 6? How many would be employees no longer with the company but still with active credentials? How many would be former HR team members that have moved to other departments?
We’ll never know for sure, but I can tell you we encourage our customers to play the “who has access” game. Ask a manager to list all the people that need – and therefore should have – access to a sensitive file. Then show them who, at that moment, actually has effective access. It never fails to drop jaws.
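The "who has access" game above is easy to play by hand for one file and a handful of names, but the gap between the manager's list and reality usually comes from nested groups, over-broad entries like "everyone", and accounts that were never cleaned up. The following is an added example (not code from the original post or from any product) that works the game through on constructed sample data: it expands nested group membership, computes each user's effective rights on a file's ACL, and compares that against the short list a manager would approve, flagging disabled accounts that still hold access and people who have moved out of the owning department. The directory, group names, ACL and authorized list are all made up for illustration.

```python
"""Access review: effective access vs. authorized access for one sensitive file.

Added example, not part of the original post. All directory data, group nesting,
ACL entries and the authorized list below are constructed sample values.
"""
from typing import Dict, List, Optional, Set

# Constructed sample directory: account name -> attributes from the identity store.
USERS = {
    "alice": {"enabled": True,  "department": "HR"},
    "bob":   {"enabled": True,  "department": "HR"},
    "carol": {"enabled": True,  "department": "Finance"},  # former HR, moved departments
    "dave":  {"enabled": False, "department": "HR"},       # left the company, never removed from groups
    "erin":  {"enabled": True,  "department": "HR"},
    "frank": {"enabled": True,  "department": "Sales"},
}

# Constructed group membership. Members may be users or other groups (nesting).
GROUPS: Dict[str, List[str]] = {
    "HR-Payroll":   ["alice", "bob", "carol", "dave"],
    "HR-All":       ["HR-Payroll", "erin"],
    "Domain Users": ["alice", "bob", "carol", "dave", "erin", "frank"],
}

# Constructed ACL on the employee spreadsheet: principal -> rights granted.
# The "Domain Users" entry is the kind of quiet, over-broad grant that inflates access.
ACL: Dict[str, Set[str]] = {
    "HR-All":       {"read", "write"},
    "Domain Users": {"read"},
}

# What the file owner says the access list should be (constructed).
AUTHORIZED = ["alice", "bob"]
OWNING_DEPARTMENT = "HR"


def expand_group(group: str, groups: Dict[str, List[str]],
                 seen: Optional[Set[str]] = None) -> Set[str]:
    """Recursively resolve a group (and any nested groups) to a set of user names."""
    seen = set() if seen is None else seen
    if group in seen:  # guard against circular nesting
        return set()
    seen.add(group)
    members: Set[str] = set()
    for member in groups.get(group, []):
        if member in groups:
            members |= expand_group(member, groups, seen)
        else:
            members.add(member)
    return members


def effective_access(acl: Dict[str, Set[str]],
                     groups: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Map each user to the union of rights they hold through any ACL entry."""
    rights_by_user: Dict[str, Set[str]] = {}
    for principal, rights in acl.items():
        users = expand_group(principal, groups) if principal in groups else {principal}
        for user in users:
            rights_by_user.setdefault(user, set()).update(rights)
    return rights_by_user


def review(acl, groups, users, authorized, owning_department) -> dict:
    """Compare who actually has access with who should, and flag the usual suspects."""
    eff = effective_access(acl, groups)
    has_access = set(eff)
    wanted = set(authorized)

    def attr(user, key, default):
        return users.get(user, {}).get(key, default)

    return {
        "effective_count": len(has_access),
        "authorized_count": len(wanted),
        "unauthorized": sorted(has_access - wanted),
        "disabled_with_access": sorted(u for u in has_access if not attr(u, "enabled", True)),
        "outside_department_with_access": sorted(
            u for u in has_access
            if attr(u, "enabled", True) and attr(u, "department", "") != owning_department),
        "missing_authorized": sorted(wanted - has_access),
    }


def tightened_acl(authorized: List[str], rights: Set[str]) -> Dict[str, Set[str]]:
    """Remediation shape: grant only the approved individuals, no group inheritance."""
    return {user: set(rights) for user in authorized}


if __name__ == "__main__":
    report = review(ACL, GROUPS, USERS, AUTHORIZED, OWNING_DEPARTMENT)
    print(f"{report['effective_count']} accounts have access; "
          f"{report['authorized_count']} should.")
    for key in ("unauthorized", "disabled_with_access",
                "outside_department_with_access", "missing_authorized"):
        print(f"  {key}: {report[key]}")
    print("Proposed ACL:", tightened_acl(AUTHORIZED, {"read", "write"}))
```

On the sample data the file owner expects two readers and the review finds six, including a disabled account and two people who have since left HR; the same diff run against real directory exports (group membership and the file's ACL) is what turns "who has access" from a guess into a list a manager can act on.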
So before you invest millions in IAM, SIEM, PIM/PAM/PUM, UBA, or any number of the growing crop of acronym-laden cyber security products, start by simply making sure that only the very few who require access to your sensitive data actually have it.
We can help you do that in no time.