Over the weekend, we saw many reports about the Evernote breach. This serves as a timely reminder about the risks to data – in this case 50 million users’ credentials. The good news is that it seems Evernote took the right steps to protect that data – using salted hashes. If this was performed correctly, then users should not be concerned about their passwords being compromised. Evernote also reset everyone’s password for good measure. The attack took place on Feb 28th, and they notified users relatively quickly, a couple of days later – not bad really. So, best practices prevailed despite the attack.
What’s intriguing about this attack is how it actually happened and what the downstream side effects are – in cloud, an attack can topple many systems like dominoes. So, if Evernote was following best practices as it seems, how did the attackers get in? Very likely there was a Java or zero-day exploit leading to system penetration. Maybe an insider opened a malicious spear-phishing email. We may never know, but once again it shows that what was once considered the impenetrable barrier, the enterprise perimeter, is really now just a semi-permeable membrane, only as good as its weakest link. In a week of frenzied patches for Java, Windows, and a myriad of enterprise tools, weak links abound. So with attacks on data being relatively easy – especially if a new attack vector can be purchased from a malware cloud provider – the question then becomes: how do cloud services and applications protect your assets, your sensitive data, sitting pretty behind that semi-permeable membrane we call the perimeter? The only logical conclusion is that something different needs to be done to protect sensitive data assets. These days, a breach has to be assumed to be an anticipated corporate event, and the fallout needs to be mitigated when it happens – it’s practically unpreventable. As I’ve written many times, that boils down to requiring a different approach to protection: data-centric security.
However, the Evernote breach shows another side effect of breaches to cloud systems. In one press article I read there was one line which stated “Programs affected by the across-the-board update included Evernote, Skitch, Penultimate, Evernote Food, Evernote Hello, Evernote Web Clipper, Evernote Clearly, and Evernote Peek”.
That’s quite a lot of programs.
In this case, single sign-on to a range of applications, offered for the convenience of users, also means an attacker can steal data from multiple systems in parallel – very conveniently.
Consider this – if this were an enterprise scenario where the compromise of one cloud application could lead to several others connected to it being accessed in the same way, then the attack would spread like wildfire. What was previously a potentially limited, yet possibly quite impactful, enterprise breach could now be a major system-wide compromise with far more consequential outcomes – potentially huge and rapid theft of any unprotected data the attacker has access to.
I suspect that in 2013 we will see more breaches of this type – the more sinister “wildfire” cloud-specific breaches. Cloud application adopters who have assumed that the cloud infrastructure or firewall is sufficient to protect data are likely in for a few surprises and may need to rethink their data security strategy very quickly. The good news, however, is that the risks can be mitigated – and easily. At the RSA show we demonstrated how IaaS, PaaS and SaaS data can be protected using standards-based, provably secure data-centric security methods which can literally snap into cloud and enterprise ecosystems without friction. The best part is that the same solutions can also protect enterprise assets, any structured and unstructured data, in mission-critical on-premise systems too: the mainframe, enterprise applications, databases and data warehouses. So by enabling a data-centric security strategy that can address the full spectrum of where data can go, including the cloud, organisations can take themselves off the radar of attackers looking for low-hanging fruit – the weak links – and enable their business to embrace the full utility that cloud promises without increasing risk.
Some of the world’s largest financial firms, including global investment banks, global credit card processors or even cloud-based retailers, are seeing huge return on investment – not just in the tools to protect data – but from the value in the information that’s now liberated to drive efficient and competitive business.
Until the next data breach emerges – maybe next week?