Tag Archives: Office

SearchSecurity: Multifactor authentication key to cloud security success

12 July 2014

Multifactor authentication key to cloud security success

In this great post Brandon Blevins gives a brief summary of the Code Spaces attack, how it progressed, and its catastrophic consequences for the company and its customers. He also makes clear that multi-factor authentication (MFA) is an essential requirement for running a business in the cloud. With two- or multi-factor authentication on the administrative accounts, this attack would very likely not have succeeded.

The attack pattern in the Code Spaces case differs only slightly from the patterns seen in the eBay, Target and Office attacks. In every case the attackers used stolen credentials of employees (or, in Target's case, of a contractor) to gain unauthorized access to the company network and its data.

(Image: One Euro Cent Coin)

From my point of view, two- or multi-factor authentication (MFA) would have prevented most of the published data breaches, irrespective of whether the services are hosted on premises or in the cloud.

Multi Factor Authentication is worth every Cent!

The main difference between the attacks lies in the amount of damage: data theft and loss of reputation in the eBay case, irreversible destruction of data and the end of the business in the Code Spaces case.

But a third, more important type of damage must be considered:

Integrity loss, caused by tampering of data.

Small changes to software products, to the formulation of drugs or to a bill of materials could in the worst case have a catastrophic impact on people, businesses and the environment.

How often does this happen without you ever noticing? Perhaps at this very moment? And would you even be able to recognize such a loss of integrity in time to prevent larger damage?

We should ask ourselves these worrying questions. The statement “I always call it the Wal-Mart-Target competition … to see who can get to the lowest price and still provide good service. Security is what gets lost” gains a new meaning from the integrity point of view.

I would strongly recommend that all businesses, in particular in the manufacturing industries and the pharma sector, implement MFA to prevent damage caused by integrity loss. MFA closes the stolen-credential path; detecting tampering that happens anyway (by an insider, or through a hijacked session) still requires change control and logging on the data itself.

That will make our world a somewhat safer place.


UK shoe retailer Office hit by data breach – Will secure passwords make a difference?

19 June 2014

It’s always the same old tune. Immediately after the UK shoe retailer Office announced a data breach on 29 May 2014, the debate about passwords started again.

In my opinion a statement like ‘…demonstrates just how insecure passwords are’ makes no sense in this case.

It’s far more interesting to know how the incident could have happened. The information on the Office homepage [4] gives us some hints:

(1) ‘Unfortunately we have been the subject of a security breach resulting in unauthorised access to some Office.co.uk accounts’

(2) ‘Only accounts created prior to August 2013 have been affected, but the information does include name, address, phone number, email address and the password to your OFFICE account.’

(3) ‘Yes – the OFFICE website is safe and secure. The server that was compromised was a server containing no live data and has been isolated.’

From (2) and (3) it is highly probable that the compromised server held a copy of the customer database taken around August 2013, separate from the live web shop, and that this copy was not protected as well as the production systems. Together with (1), it is very likely that attackers compromised employee login credentials and used them to gain unauthorized access to the Office company network.

This is nearly the same attack pattern as in the eBay case some weeks ago. And just as in the eBay case, hashing the passwords or encrypting the entire customer database would not have prevented the breach: an attacker holding valid employee credentials reads the data exactly as that employee would. Properly salted, slow password hashing would, however, have limited the damage, because the stolen passwords could not be reused against other sites nearly as easily.

It is the combination of people, processes and technology that makes the world a much safer place. Just a few hints…

People

  • Customers: use strong, site-specific passwords
  • Office employees: run an awareness campaign focused on identity theft and how to handle it efficiently

Processes

  • Change processes so that servers storing copies of customer data are protected in the same way as production servers

Technology

  • At least for access to systems storing customer data, set up two-factor authentication / one-time passwords