The most notable observation from the breach is not how the data was exfiltrated, nor the control failures, but the fact that it took Medibank a significant time to understand what data had been exfiltrated.
For a long period after the breach was detected, Medibank had no clear picture of what had been taken or where it had been taken from. Initial investigations and announcements from Medibank claimed that minimal, if any, data had been taken as part of the breach. The hacker later contacted Medibank and published a sample data set contradicting that initial claim. Medibank was still unsure of the extent of the leak, and it took some time before it admitted that this was a large-scale data breach.
Organisations are very good at collecting data, and data is often collected “just in case” it is needed later for the next project or a new business requirement. This creates data sprawl.
Security programs and roadmaps are often built around the technical controls that protect the organisation from attacks, and data is often overlooked as part of the program. Data governance and a data-centric approach to security should be considered. The following items should, at a minimum, be understood by every business:
- Data locations – the old security adage of “if you don’t know what you have, you can’t protect it” rings true. Often we protect the core systems that contain our critical data but do not consider the supporting systems that hold copies of it. These systems often hold large subsets of the data and provide an easier target for data exfiltration.
- Data ownership – Establishing data ownership ensures accountability for data and how it is used within the organisation. Processes should support this ownership and decision making around the data locations and
- Data classification – A data classification program should be established, and security controls need to support the protection of data according to its value to the organisation.
- Data architecture – Data is often kept outside of primary data stores for various reasons. Data architecture should dictate where and how data must be stored, and the number of storage locations should be kept to a minimum. Organisations often keep data in many disparate locations for various reasons without considering the impact or the controls required around that data.
- Production data used for testing purposes – production data is often used in test environments because synthetic test data is often not sufficient or rich enough to support thorough testing. Test environments more often than not lack the access controls, monitoring and change control of production environments, which makes them an easy place to exfiltrate data from. If production data is required for testing, the test environment should have at least the equivalent controls to production. Obfuscation of the data should also be considered as a control to mitigate the data risk.
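As an added illustration of the obfuscation control mentioned above (example code written for this article, not from Medibank or any named product), the following Python pseudonymises a constructed sample extract before it is copied into a test environment. The column names, the sample records and the key value are assumptions; identifiers are replaced with keyed HMAC tokens so that joins between tables still work in test without the tokens being reversible there.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample of a production extract (fictitious people, not real data).
PROD_EXTRACT = """member_id,name,email,dob,claim_code
10001,Jane Citizen,jane.citizen@example.com,1984-03-12,K21.0
10002,John Smith,john.smith@example.com,1971-11-30,E11.9
"""
# Assumed: the key is generated and kept in production; test only ever receives the output.
TOKEN_KEY = b"placeholder-key-generated-and-kept-in-production"

def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC token: the same input always maps to the same token, so joins between
    tables still work in test, but the token cannot be reversed without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def generalise_date(iso_date: str) -> str:
    """Reduce a full date of birth to its year; enough for age-based test logic."""
    return iso_date[:4] + "-01-01"

def obfuscate_row(row: dict, key: bytes) -> dict:
    """Copy one record with direct identifiers replaced and the date of birth generalised."""
    out = dict(row)
    out["member_id"] = pseudonymise(row["member_id"], key)
    out["name"] = "Member " + out["member_id"][:6]  # readable in test output, not linkable
    out["email"] = pseudonymise(row["email"], key)[:10] + "@example.invalid"  # undeliverable
    out["dob"] = generalise_date(row["dob"])
    # claim_code is kept: it is the business content the tests need and no longer links to a
    # person once the identifiers are replaced. Which fields may be kept should follow the
    # data classification program rather than a per-script judgement call.
    return out

def obfuscate_extract(csv_text: str, key: bytes = TOKEN_KEY) -> str:
    """Obfuscate a whole CSV extract, preserving the column layout the test suite expects."""
    reader = csv.DictReader(io.StringIO(csv_text))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow(obfuscate_row(row, key))
    return buf.getvalue()

def parse_rows(csv_text: str) -> list:
    """Helper for inspecting an extract as a list of dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))
```

Run with a different key and the tokens change, which is the point: a test environment holding only the output cannot recover the production identifiers.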
OpenSSL provides implementations of the TLS and SSL protocols for secure communication between systems. It is an open-source project and is widely used in a variety of operating systems, applications and devices.
OpenSSL has released bug fixes for two vulnerabilities that can result in denial of service (DoS) and remote code execution. The vulnerabilities have been assigned CVE-2022-3786 and CVE-2022-3602. The vulnerable versions are limited to 3.0.0 – 3.0.6, which significantly limits the impact of the vulnerabilities. There has been a lot of hype around them, but both are difficult to exploit as they rely on very specific conditions.