News of a Facebook breach, which some experts claim has been underplayed by mass media, continues to trend in social media throughout the information security community. A Jan. 14, 2021, tweet by Alon Gal, chief technology officer at Hudson Rock, initially disclosed that 533 million Facebook users’ phone numbers had been leaked to an online forum. The disclosure prompted an angry backlash from security cognoscenti.
Saryu Nayyar, chief executive officer at Gurucul, commented that the breach is a huge blow to Facebook and may lead to crippling fines for security and privacy violations. “11 million of the users whose data was exposed are in the UK,” she said. “Under GDPR penalties, Facebook faces a maximum fine of £17.5 million or up to 4% of their total 2020 global turnover – whichever is higher. The UK fine alone could set Facebook back $3.4 billion.”
Nayyar further noted that over 32 million records belong to U.S. users, which may prompt the California Attorney General to seek civil penalties of $2,500 per violation of the CCPA (California Consumer Privacy Act). Facebook could be looking at additional fines in the billions, depending on how many of those users are in California, Nayyar stated.
“All in all, a very bad situation for Facebook and as usual, completely avoidable,” Nayyar said. “The data breach occurred because of a vulnerability that the company patched in 2019. Facebook obviously needs to improve the company’s maintenance processes to reduce risks from known vulnerabilities.”
It’s crying time (again)
Garret Grajek, chief executive officer at YouAttest, emphasized that global enterprises are not the only targets for hackers; small and midsize companies are also vulnerable. “What is easy to miss, when we see a breach of this magnitude, is that the hackers are NOT targeting the large brand names like Facebook,” he said. “There is no question that Advanced Persistent Threat (APT) hacks are devised and targeted at the ‘brass ring’ enterprises like Facebook – but we have to remember that the hackers are running scans across all of our systems.”
Grajek urged IT managers to deploy solutions that identify breaches and alert the enterprise to them. Such solutions are crucial not only to meeting compliance obligations but to achieving enterprise security, he stated, adding that everyone must be diligent in monitoring and in implementing best practices.
“As the Cyber Kill Chain [makes clear], hackers will be executing reconnaissance on our systems and enumerating our assets,” Grajek said. “Once this occurs, the hacker will then penetrate our systems and attempt lateral movement and privilege escalation. It is in these steps where a comprehensive and updated identity governance practice can spot an attacker who is attempting to change account privileges to enable the compromised accounts to move around the enterprise, find crucial PII/PHI data, and then exfiltrate it.”
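The kind of check Grajek describes, turned into code as an added illustration (this is not code from the article, from Grajek or from YouAttest): a small identity-governance detector that walks group-membership audit events and flags privilege changes that nobody approved, or that an account granted to itself. The event IDs 4728, 4732 and 4756 are the real Windows Security log IDs for a member being added to a security-enabled global, local or universal group; the key=value line format, the account and group names, and the approved-change list are all constructed for the example and are not an actual log export.

```python
"""Flag group-membership changes that an identity-governance review should question.

Added example, not from the article or any vendor product. Input lines are
constructed, loosely modelled on Windows Security log fields:
  SubjectUserName = the account that made the change
  MemberName      = the account that was added
  TargetUserName  = the group it was added to
"""
import shlex
from dataclasses import dataclass

# Groups whose membership grants broad rights. Extend for your own estate.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Windows Security event IDs: member added to a security-enabled
# global (4728), local (4732) or universal (4756) group.
GROUP_ADD_EVENTS = {4728, 4732, 4756}

# Constructed sample events (not a real log). Event 4 is a logon event and
# must be ignored; event 2 is an account adding itself to Domain Admins.
SAMPLE_EVENTS = [
    "ts=2021-04-05T09:12:01Z EventID=4732 SubjectUserName=helpdesk01 "
    "MemberName=jdoe TargetUserName='Remote Desktop Users'",
    "ts=2021-04-05T09:40:17Z EventID=4728 SubjectUserName=svc_backup "
    "MemberName=svc_backup TargetUserName='Domain Admins'",
    "ts=2021-04-05T10:02:44Z EventID=4728 SubjectUserName=it_admin "
    "MemberName=newhire TargetUserName='Domain Admins'",
    "ts=2021-04-05T10:03:09Z EventID=4624 SubjectUserName=newhire "
    "MemberName=- TargetUserName=newhire",
    "ts=2021-04-05T11:15:30Z EventID=4732 SubjectUserName=tmp_admin "
    "MemberName=webapp_svc TargetUserName=Administrators",
]

# Constructed stand-in for a change-management system: (member, group)
# pairs that have an approved change request behind them.
APPROVED_CHANGES = {("newhire", "Domain Admins")}


@dataclass(frozen=True)
class Alert:
    rule: str
    actor: str
    member: str
    group: str
    ts: str


def parse_event(line):
    """Parse one key=value audit line; shlex keeps quoted values with spaces intact."""
    fields = dict(tok.split("=", 1) for tok in shlex.split(line))
    fields["EventID"] = int(fields["EventID"])
    return fields


def detect(lines, approved):
    """Return alerts for group additions that lack approval or are self-granted.

    Two rules, evaluated independently so one event can raise both:
      self_grant                : the actor added its own account to a group
      unapproved_privileged_add : a privileged group gained a member with no
                                  matching (member, group) approval record
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["EventID"] not in GROUP_ADD_EVENTS:
            continue  # not a membership change; logons etc. are out of scope here
        actor, member = ev["SubjectUserName"], ev["MemberName"]
        group, ts = ev["TargetUserName"], ev["ts"]
        if actor == member:
            alerts.append(Alert("self_grant", actor, member, group, ts))
        if group in PRIVILEGED_GROUPS and (member, group) not in approved:
            alerts.append(Alert("unapproved_privileged_add", actor, member, group, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, APPROVED_CHANGES):
        print(f"{alert.ts} {alert.rule}: {alert.actor} added {alert.member} to {alert.group!r}")
```

Run against the constructed events, the script ignores the logon, accepts the approved addition of `newhire`, and raises three alerts: the self-grant by `svc_backup`, that same addition to Domain Admins as unapproved, and the unapproved addition of `webapp_svc` to Administrators. In practice the approval set would come from the ticketing or access-request system, and the privileged-group list from the same entitlement inventory the governance review uses.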
Lack of confidence
In December 2020, IDG surveyed more than 200 information security leaders, including CIOs, CTOs, CSOs and IT directors, who work at organizations with an average of 21,300 employees, on behalf of Insight Cloud and Data Center Transformation, a division of Insight Enterprises. Designed to measure confidence in security postures, Cybersecurity at a Crossroads: The Insight 2021 Report focused on “defining challenges of 2020: scaling distributed IT environments and transitioning to work-from-home models during the pandemic,” IDG representatives stated.
The IDG study found that 96 percent of respondents had invested in solutions in 2020 to harden remote workplace security. Despite copious investments, 78 percent of information security leaders revealed that they lack confidence in their organizations’ security postures, and 91 percent plan to increase cybersecurity budgets in 2021.
“Rapid cloud adoption and distributed IT environments brought new considerations and challenges to organizations’ security efforts,” IDG researchers wrote. “Whereas before, IT leaders may have felt more confident with on-premises security strategies and clearly defined perimeters, the extended perimeters of distributed IT environments and work-from-home scenarios introduced several new layers of complexity.”
IDG survey respondents also conceded that they had to move quickly in 2020 to protect and secure remote workplace environments, which created new risks that had to be rapidly mitigated. Lack of automation, the number one challenge cited, required respondents to manually assess and respond to a flood of notifications and events. This and other challenges led a majority of executives to put new plans in place to improve infrastructure, including companywide business continuity plans and more robust decisioning and fraud mitigation tools, IDG researchers noted.
External Link: Infosec Leaders Decry Facebook Breach