Last week, South Carolina’s (SC) Governor presented the results of the investigation over the exposure of the personal data of nearly 4 million individual filers and 700,000 businesses in the SC Department of Revenue (DoR) data breach.
The investigation provided a detailed timeline of the breach and revealed that data protection in the DoR was lacking to the extent that the DoR had almost no visibility to the attack. The damning results have even led to the resignation of SC’s DoR director. Recently, the state made the technical report on the investigation publicly available. The availability of the report (PDF) gives the security community a unique glimpse into the nuts and bolts of compromised insider campaign and an opportunity to determine and develop effective countermeasures.
The Attack Time Line
On August 13th, 2012, a malicious email was sent to multiple DoR employees. At least one of them clicked on the embedded link, unwittingly executing a malware and became compromised. The malware stole the user’s username and password. Two weeks later, the attacker logged into the machine using a remote access service (Citrix) with the stolen credentials.
The attacker then began propagating into the network by installing some password grabbing utilities, later using the obtained passwords to connect to more servers and so forth. Throughout the propagation process, the attacker used some generic databases client software to search for interesting data. On September 12th, one month after the initial infection, the attacker found worthy loot in the form of DoR database backup. It took the attacker two days to copy the 74GB (!!) database, and send it the attacker servers via another server within the victim’s internal network. This was pretty much the last contact the attacker had with its target.
On October’s 10th, two months after the initial infection and one month after the attacker had finished its attack, the Secret Service had informed DoR of the breach. Needless to say, DoR “had no idea what had happened.”
Data Access Monitoring is the Key
There’s a striking contrast between the magnitude of SC DoR’s breach and their visibility. The physical equivalent of the incident would be for bank robbers to blast their way into the vault room, and then drag the vault around the bank for two days before running away with the plunder without anyone hearing or seeing them. In the physical world, it can only happen if all the security personal were deaf and blind.
The South Carolina Department of Revenue attack went unnoticed only because the DoR’s security team was not able to monitor and control data access across DoR’s internal network and servers, making them the cyber equivalent of deaf and blind to the attack. Their security budget and focus was probably totally invested in anti-virus technology intended to block the initial infection. When their first line of defense was breached, due to antivirus’ inherent limitations, they were left unaware and defenseless against the attack.
Investing in the right “ears and eyes” to monitor the access of servers, databases and files, would have made the detection of the attack an easy task, as the attack was very “noisy”. The attacker had accessed privileged data on an arbitrary time from an arbitrary process with read permissions, while usually the data get accessed only by the internal backup process, with the backup account privileges, on the regular backup times with write permissions. Additionally, the attacker had moved and processed the data few times before sending it out of the network, giving a lot of missed chances for the alarm system, which was not there, to set off the burglars’ alarm.
The Responsibility of Senior Management
It was that striking contrast between the size of the data stolen from SC DoR and the total lack of visibility they had to it, that had cost the Department of Revenue director his position. In the financial world, personal accountability is required under the Sarbanes-Oxley (SOX) Act which holds top level executives personally accountable for the accuracy of financial reports. The South Carolina incident should send a clear message to senior management on the digital front: data security is equally paramount.
ShareDEC
2012