Arraya Insights | March 13, 2019
Last week, Citrix became the latest victim of a high-profile data breach while Equifax, a perennial cyber security punching bag, was raked over the coals by Congress. Both stories represent valuable learning opportunities for organizations seeking to avoid a similar fate. Let’s review each story, then we’ll share some insights into how companies can protect themselves.
Passwords exploited to trigger Citrix data breach
In a recent blog post, Citrix CSIO Stan Black announced the global software provider was investigating unauthorized access to its organizational network. Black’s brief post stuck to the basics of the incident. It detailed how, earlier this month, the FBI alerted Citrix that international cyber criminals had breached the company’s defenses. Later, the post mentioned that attackers utilized a technique called password-spraying. Basically, they attempted to access a large number of accounts using a small list of common passwords. Once inside, they used this initial foothold to gain greater access to Citrix’s network. Also in his post, Black confirmed that, while the company’s investigation is ongoing, it appears attackers accessed and downloaded business documents.
Industry news outlets and observers shared a few more details. For example, Resecurity, a security firm that claims to have alerted Citrix of the situation back in December, identified the attackers as the Iranian-backed IRIDIUM, which has made a name for itself targeting governments, utilities, and technology companies. Additionally, the firm believes attackers accessed at least 6TB of sensitive internal Citrix data, including emails. For its part, Citrix did stress there’s no sign the breach touched any products or services.
Resecurity also theorized the attack was a decade in the making. According to the firm, IRIDIUM hackers may have been lurking inside Citrix’s network for nearly ten years. They also believe the actual theft took place over two months, timed to coincide with the holiday season.
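Password-spraying as described above leaves a recognizable shape in authentication logs: one source failing against many accounts with only a try or two per account. The following is an added example, not code from Citrix, Resecurity, or Arraya; the log format, the sample events, and the thresholds are all assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time, source IP, account, outcome.
SAMPLE_LOG = """\
2019-03-01T02:00:05 203.0.113.7 alice FAIL
2019-03-01T02:01:10 203.0.113.7 bob FAIL
2019-03-01T02:02:20 203.0.113.7 carol FAIL
2019-03-01T02:03:05 203.0.113.7 dave FAIL
2019-03-01T02:04:40 203.0.113.7 erin FAIL
2019-03-01T02:05:15 203.0.113.7 frank OK
2019-03-01T09:00:00 198.51.100.20 gina FAIL
2019-03-01T09:00:20 198.51.100.20 gina FAIL
2019-03-01T09:00:45 198.51.100.20 gina FAIL
2019-03-01T09:01:30 198.51.100.20 gina OK
"""

def parse(log):
    """Yield (timestamp, source, account, outcome) from whitespace-separated lines."""
    for line in log.strip().splitlines():
        ts, src, user, outcome = line.split()
        yield datetime.fromisoformat(ts), src, user, outcome

def detect_spray(log, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Flag sources whose failures inside `window` hit many accounts, few tries each."""
    by_src = defaultdict(list)
    for ts, src, user, outcome in parse(log):
        by_src[src].append((ts, user, outcome))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        fails = [(ts, user) for ts, user, outcome in events if outcome == "FAIL"]
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            tries = Counter(user for _, user in fails[start:end + 1])
            if len(tries) >= min_accounts and max(tries.values()) <= max_per_account:
                since = fails[start][0]
                # Successes from the same source after the spray began need review.
                hits = {u for ts, u, o in events if o == "OK" and ts >= since}
                findings[src] = {"targeted": sorted(tries), "review": sorted(hits)}
                break
    return findings

if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(src, info)
```

The second source in the sample, a single user mistyping a password several times, is deliberately not flagged, since per-account lockout counters already cover that case while a spray stays under them.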
Equifax called out by Congress for its data breach
Since suffering a data breach dubbed “the biggest failure to safeguard public data to date” in 2017, Equifax has been locked in the angry glare of the American public and media. Most recently, it was the Senate Permanent Subcommittee on Investigations’ turn to tee off on the credit bureau. In a rare display of bipartisanship, the subcommittee tore into Equifax via a recently released report.
Among the report’s most cringe-worthy moments? A critique leveled against Equifax for allowing a “broad culture of complacency toward cyber security preparedness” to take root. No business wants that reputation in 2019. Not even one that consumers are powerless to disassociate themselves from. The subcommittee’s report comes at a time when demand for a national cyber security and data privacy standard is on the rise. It remains to be seen, however, exactly what, if anything, will come of this increased call for data regulation.
4 security best practices Citrix & Equifax may have overlooked
No organization wants to end up the victim of a data breach, but in at least one way, Citrix and Equifax can count themselves lucky. Why? Both of these organizations are large enough to take these incidents on the chin and survive. Not all businesses can say the same. In fact, research from the National Cyber Security Alliance indicates 60% of SMBs burned by cyber criminals go out of business within six months. Given the existential threat posed by data breaches, we wanted to highlight a few areas where Citrix and Equifax fell short in order to help others avoid doing the same:
- Two-Factor Authentication (2FA) – Techniques like password-spraying are only effective as standalone methods of attack if 2FA isn’t in place. Best practice is to roll out 2FA for all users, at every business level. This ensures hackers are going to have to work much harder to breach an organization’s perimeter defenses.
- Patching schedules – When IT gets busy, patching schedules are an easy thing to set aside. Easy, but not safe. The risks of doing so are demonstrated by Equifax’s incident and were put on blast in Congress’s report. If onsite IT doesn’t have the bandwidth to set and stick to a patching schedule, it’s important to seek out a partner who can help.
- Password policies – Common passwords, like those found on the list likely employed by Citrix’s password-spraying attackers, should never be allowed. Policies governing the complexity and lifespan of passwords may not be popular. However, pushing users toward stronger passwords is an easy way to improve organizational security.
- Security culture – Congress publicly decried Equifax’s complacent cyber security culture. Inevitably, security culture starts at the top. Executive leaders should participate in the security process and, whenever possible, demonstrate public support for password policies, 2FA, etc.
Next Steps: Putting lessons learned from Citrix & Equifax into action
Want to learn more about how to keep your organization’s data out of the wrong hands and its name out of the (negative) headlines? Arraya Solutions’ Cyber Security team can help provide the vision as well as the hands-on expertise needed to do both. Strike up a conversation with them today by visiting https://www.arrayasolutions.com/contact-us/.