Cybercriminals have a parasitic side, and it's not to be underestimated. If they can't bust through the network perimeter of an enterprise, they're just as likely to go through the front door aboard an unwitting and trusted customer or business partner.
Enterprises like research information provider LexisNexis, for example, spend countless hours and resources on resolving malware issues, shoring up intrusion defenses and architecting security into the network. But admittedly, LexisNexis had done little to ensure that customer and partner environments with access to LexisNexis databases were secure.
This was the avenue by which hackers last year stole more than 300,000 accounts with names, addresses, and Social Security and driver's license numbers. Granted, it took a confluence of events for criminals to land on LexisNexis' virtual doorstep, but hundreds of thousands of people were still left open to identity theft and LexisNexis' reputation was in jeopardy.
"We were security conscious and aware, but [only] from an internal standpoint of 'What can I do to ensure I don't bring bad software into the company?'" says Leo Cronin, senior director of information security. "We developed a couple of scenarios to deal with autoscript attacks of our apps and denial-of-service attacks, but those focused on our four walls versus us having to worry about the customer. This woke us up--we truly have to be worried about that environment."
The theft at LexisNexis began far away from its walls. A worm bearing a keylogging Trojan was spammed to thousands, promising pornographic images. The Washington Post reported that separate law enforcement offices in Florida and Texas took the bait of the social engineering component of the worm. Law enforcement--and government--makes up a big chunk of LexisNexis' 4.5 million customers.
Soon, the LexisNexis user names and passwords at these two unrelated offices were compromised and criminals had access to a legitimate account and a trove of personally identifiable information. The 300,000 accounts were harvested during 59 separate visits to a database managed by Seisint, a 2004 LexisNexis acquisition. They went unnoticed until one of the agencies reported unusual activity on its bill.
The timing couldn't have been worse. LexisNexis reported the incident in compliance with California's SB 1386 less than two months after the avalanche of 2005 data breaches started with the ChoicePoint identity theft. Senior management decided not to wait for legislators to recommend action, nor wait to notify those potentially affected. Marching orders from Day 1 were to be transparent about what was being done; president and CEO Kurt Sanford testified before the Senate Committee on the Judiciary and explained the breach for legislators.
The first steps toward recovery included a comprehensive review of perimeter defenses, especially at the Seisint subsidiary, as well as a search for anomalies in how customers accessed services. Cronin and his teams quickly realized that more had to be done to batten down customer access. No longer were customer environments inherently trusted.
"No matter what our controls were on our perimeter, [hackers] figured out how to attack our customers directly," Cronin said. "Our password controls and auditing controls needed a facelift. We kicked off a team with a set of requirements and a plan to put new features in place by the end of 2005. It was quite a task. Support from management got it prioritized."
New password protocols were implemented for all customers. Password strength was mandated and inactive accounts were suspended after 90 days. A fixed number of failed logins also resulted in account suspension. Cronin said more than 1 million accounts were strengthened in 2005.
In the future, Cronin wants to get customers closer to two-factor authentication, and cannot dismiss using some kind of federated token for single sign-on to banks and LexisNexis, or even a hard token as a second form of authentication. Some customers with access to sensitive data are subject to IP address restrictions, similar to what some banks have implemented. A profile would track a user's frequently used IP addresses and limit logins to those locations. Hard tokens, for example, would then be required for logins away from those locations, such as from a home computer.
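The account controls described in the two paragraphs above (mandated password strength, suspension after 90 days of inactivity, suspension after a fixed number of failed logins, and a location profile that demands a hard token from an unfamiliar IP address) can be modelled in one login routine. This is an added illustration, not LexisNexis code; the failed-login limit, minimum length and character-class rule are assumed values, since the article gives only the 90-day figure.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed thresholds: the article states only the 90-day inactivity limit.
MAX_FAILED_LOGINS = 5
INACTIVITY_LIMIT = timedelta(days=90)
MIN_PASSWORD_LEN = 10

def password_is_strong(pw: str) -> bool:
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= MIN_PASSWORD_LEN and sum(classes) >= 3  # assumed rule: length + 3 of 4 classes
def hash_password(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    last_login: datetime
    failed_logins: int = 0
    suspended: bool = False
    known_ips: set = field(default_factory=set)  # locations the user normally logs in from
def create_account(pw: str, now: datetime) -> Account:
    if not password_is_strong(pw):
        raise ValueError("password does not meet the strength policy")
    salt = os.urandom(16)
    return Account(salt, hash_password(pw, salt), now)
def login(acct: Account, pw: str, ip: str, now: datetime, token_ok: bool = False) -> str:
    """Returns 'ok', 'suspended', 'bad_password' or 'token_required'."""
    if acct.suspended:
        return "suspended"
    if now - acct.last_login > INACTIVITY_LIMIT:      # inactive for more than 90 days
        acct.suspended = True
        return "suspended"
    if not hmac.compare_digest(hash_password(pw, acct.salt), acct.pw_hash):
        acct.failed_logins += 1
        if acct.failed_logins >= MAX_FAILED_LOGINS:   # fixed number of failed logins
            acct.suspended = True
            return "suspended"
        return "bad_password"
    if acct.known_ips and ip not in acct.known_ips and not token_ok:
        return "token_required"   # unfamiliar location: step up to a hard token
    acct.failed_logins = 0        # success: reset counter, refresh the location profile
    acct.last_login = now
    acct.known_ips.add(ip)
    return "ok"
```

The first successful login seeds the location profile; every later login from an address not yet in the profile is refused until a hard token is presented, which is the step-up the article describes.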
Cronin said LexisNexis is also implementing near real-time anomaly detection systems that score a user's behavior and restrict access when that score reaches a level that indicates fraud. Accounts would be shut down and users notified. Also, customers using a LexisNexis desktop interface would not receive the same level of access to data as those logging in fresh from a Web interface.
Policies around education and awareness training were beefed up for employees. A video for new hires, for example, reinforces the sensitive nature of the data LexisNexis stores and employees' responsibilities.
With more than 140 data breaches reported in 2005 and more than 50 million Americans exposed to identity theft, Cronin says enterprises cannot afford to be lax.
"Information security professionals have to do a better job of articulating the security we want in our products and services, and be articulators of the business value of security," Cronin says. "You'd better model those risks and make them understood as business risks."
This article originally appeared in the April 2006 issue of Information Security magazine.