$2k to avoid being another Optus
by Security Centric, on 30/09/2022 11:27:32 AM
The Optus PII breach has been the subject of many conversations the past week or so - at the technical level all the way through to advising boards on what is relevant to their organisation vs what is jumping on the topical news bandwagon.
A common thread has been repeated so many times that I thought I would share the insights. Based on knowledge to hand, reading between the carefully curated PR speak, is the breach could have been prevented for under a couple of thousand per month. Let me explain.
- A service needed to be published to the internet for a specific external organisation
- Human error meant the service was exposed to the entire internet, rather than the specific organisation
- As malicious parties like to do, they constantly scan the internet for low hanging fruit, and found Optus' development service
There's more to be said of course, like why was production data in a development system, and how did a national telco with a cyber security practice ignore so many basic principles, but that will come out in due course.
What is most relevant to the mid market, is this could have been prevented with a basic service that costs (at least at SC) under 2k per month.
What we're talking about is a fairly standard perimeter vulnerability scanning service, linked up with customer change control and our 24x7 SOC. Here's how it works:
- We obtain an inventory of any internet-connected technology - be it firewalls, AWS elastic IPs, owned public address ranges, etc
- We baseline the current approved state of internet-published services
- If a new service is being published, the SC SOC is informed as part of the change management process (you do have change management right?)
- If a new service is published that may affect security posture, like the Optus API, the SOC responds to that like any other incident
- The human error is corrected and the API is limited to only the originally-intended specific organisation
- The internet-scanning malicious party finds nothing and keeps on walking scanning
We've seen similar user error with remote desktop being temporarily published to assist vendors with troubleshooting, and forgetting to remove the rule.
The fundamental driver is human error. Humans are great at many things, but relying on being careful is not a sufficient control. This is why it is someone's job at the end of a surgery to count the instruments, even though a very skilled and highly paid professional has perfomed surgery and was careful. Another example is in aircraft, where big red tags are used so it's obvious from hundreds of metres away that you've forgotten something. Optus could easily have had a red tag pop up as soon as the API was published, rather than when an opportunistic threat actor discovered it.
Take away:
Human error is going to happen - spend a trivial amount to make sure you don't leave an instrument in the patient.
Reach out if you would like to find out more: