South Carolina Cyberattack Takeaways

In October, South Carolina announced that the state’s Department of Revenue (DOR) had suffered a data breach, which  exposed 3.8 million individual and 700,000 business tax records, 3.2 Million bank accounts plus a small number of credit cards.  South Carolina Governor Haley has given multiple updates on the unfolding of the investigation and has been quite transparent on some of the underlying issues. Last week she continued with this open approach to the issue and published the summarized version of the Incident Report by Mandiant, quite unusual as these documents are usually kept confidential.

The report is very clear on the circumstances of the data breach and describes a fairly standard attack starting with an e-mail, leading to workstation compromise, network access and ultimately server compromise. It should be high on your reading list if your are in IT or InfoSec as it is an rare opportunity to use publicly available information on an attack to do a sandbox exercise on how your organization would fare against a similar attack. Here is quick description:

1. A e-mail was sent to multiple users at the organization, and one of the users clicked on an embedded link.
2. The link led to malware, which installed on the computer. The malware allowed the attacker to capture the credentials of the user.
3. The attacker used the DOR’s remote access system to get to the user’s workstation, and then accessed another six servers, installing utilities to extract all locally available passwords. The attacker was able to extract the passwords for all Windows users.
4. Ultimately the attacker had access to more than 40 systems and extracted over 70 GB of data from the DOR.

What could have prevented the attack?

Gov. Haley pointed out 2-factor authentication and encryption of the confidential data as the best countermeasures for the attack, but missed the most fundamental flaw in the DOR’s infrastructure: Most likely the user’s workstation was running outdated software with known vulnerabilities, making it susceptible to attacks available in the common exploit kits available on the Internet. Updating the workstation software to the latest version and applying basic hardening guidelines would have prevented the installation of the malware and aborted the attack already at an early level.

I believe that we can drastically improve computer security by emphasizing fundamental System Administration techniques. CSIS has been working for the last couple of years on the consensus guidelines of the 20 Critical Security Controls and most recently there have been a number of public examples of how effective these measures can be. Two of the most inspiring examples are the US Department of State and the Australian Government’s Department of Tourism, which used basic IT system administration measures to strengthen their computer security.

Give the 20 Critical Security Controls at try. I believe you will find them intuitive and effective.