13 April 2015

Have you recognized the temporal connection between the detection of the eBay data breach and the starting time of the Premera attack? The eBay data breach was made public at 21 May 2014, the assumed starting time of the Premera attack is 5 May 2014. Sounds interesting, doesn’t it?

eBay detected the breach, which happened in February/March 2014, with a delay of two month in early May. It can be assumed that the data circulated in hacker communities for several weeks, before eBay reported the data breach and the attackers published an excerpt on pastebin.com.

And, since millions of data sets were stolen, it is very likely, that login data of Premera employees were amongst this data.

All of this wouldn’t be so bad, if employees would not use their company usernames and passwords for login to non-company services as well. Unfortunately this is a widespread bad habit. Therefore it’s very likely that the stolen login data included valid login credentials of Premera employees. With this credentials the attackers were able to login to the Premera network.

This sounds really strange, but it is a definitely realistic scenario. Weaknesses in the system configuration, e.g. the missing minimum password age, support the attackers in staying undetected.

With this we get the following plot:

Initial Attack Vector

Login to company network with stolen user credentials from other data breaches

Vulnerabilities used

• Missing password minimum age
• Misuse of company login credentials
• Missing Two Factor Authorization

Mitigation measures

• People & Processes, short-term

1. Enhance the security policy by rules to prevent misuse of company login data for non-company services
2. Run an awareness campaign and communicate the policy changes to all users

• People & Processes, mid-term

1. Restrict login times to prevent attackers from sign-in to the network outside an employee’s standard working hours
2. Enhance the security policy, define exceptions for handling of overtime and remote access to the company network from outside the standard working hours
3. Communicate the policy changes to all users

• Technology, short-term

1. Enforce strong password history and minimum password age

• Technology, mid-term

1. Implement measures to prevent users from sign-in to non-company owned services with  company owned login data, if technically possible.
2. Implement Two Factor Authentication for remote access to company services

That’s it for today. Take care!