Cybersecurity lessons from the debacle at Drizly

A good security program includes not only good policies, systems and procedures, but also lots of training and testing.

The FTC has finalized its order against the online alcohol marketplace Drizly and its CEO in connection with the exfiltration of personal information of 2.5 million customers. Let’s quickly recap the events that led to this data breach.

In April 2018 a company executive was given access to the company’s GitHub repositories so that he could take part in a one-day hackathon. The executive used a simple alphanumeric password, one that he had also used elsewhere, to access the account. His GitHub access was never revoked, even though it was only needed for the hackathon.

The reused password was compromised elsewhere and was employed by a malicious actor to access the company’s GitHub two years later. This would have been bad enough as the source code could now be scrutinized for vulnerabilities. Unfortunately the company’s Amazon Web Services (AWS) and other database credentials were also stored here. So the intruder was able to access the cloud service and modify its security settings, opening the path for customer data to be extracted.
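Two of the failures described above (credentials committed to a source repository, and a compromised repository account giving an intruder those credentials) are cheap to detect before they matter. The following scanner is an added example written for this article, not Drizly's or the FTC's code: it walks a set of files and reports lines that look like committed credentials. The AWS access key ID shape (`AKIA` followed by 16 uppercase alphanumerics) and the 40-character secret key length are AWS's documented formats; the generic `name = value` rule, the eight-character minimum, and the sample repository contents are assumptions constructed for the example. The sample keys are AWS's published placeholder values, not real credentials.

```python
import re
from dataclasses import dataclass

# Credential patterns. The AWS key formats are documented by AWS; the generic
# assignment rule is a heuristic chosen for this example and will need tuning
# (too loose floods reviewers with noise, too tight misses real secrets).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|secret(?:_key)?|api[_-]?key|token)"
        r"\s*[:=]\s*['\"]?([^\s'\"]{8,})"),
}


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # first four characters only, so the report itself leaks nothing useful


def redact(value: str) -> str:
    """Keep a short prefix for triage and mask the rest."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per credential-looking match in the given file text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, redact(match.group(1))))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents (a checkout, or a pre-commit staging area)."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample repository. The AWS values are AWS's documentation placeholders.
SAMPLE_REPO = {
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "aws s3 sync ./build s3://example-bucket\n"
    ),
    "config/settings.py": (
        "DATABASE_HOST = 'db.internal.example'\n"
        "DATABASE_PASSWORD = \"Sample-pr0d-pass-2018\"\n"
    ),
    "tests/test_login.py": "password = 'test'\n",  # short test fixture, below threshold
    "README.md": "Set your password in the environment, never in this repo.\n",
}


def sample_findings() -> list[Finding]:
    return scan_repo(SAMPLE_REPO)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.path}:{f.line_no}: {f.kind} -> {f.redacted}")
```

Run as a pre-commit hook or a CI step, a scanner like this turns "credentials in the repo" from a latent condition into a blocked commit; the redacted output matters because scanner reports are often pasted into tickets and chat.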

Inadequate focus on cybersecurity

What happened at Drizly is an ideal example of how an inadequate focus on cybersecurity can lead to disaster. As we reported in October, the order imposes strict requirements around the capture and storage of data and also requires the company to implement a comprehensive security program and safeguards. Because the order describes Drizly’s security failings in detail, it gives a good indication of what such a cybersecurity program and safeguards might actually involve.

Policies

No effective cybersecurity is possible without policies documenting the procedures and practices to be followed in order to keep the organization safe. Such policies must be updated on a regular basis to take into account developing best practice as well as new and emerging threats. One way to start shaping cybersecurity policies that are fit for purpose and effective within the specific organizational context is to create the organization’s threat profile. The threat profile is shaped by the specifics of the organization’s operations (e.g. what data is held and how sensitive it is) and helps identify how existing and emerging risks might be mitigated.

When it comes to cybersecurity policies the engagement of all layers of the organization is critical. Buy-in from management and the board is essential, as is a strong voice for the security function at senior leadership level. One way of reframing the discussion in order to raise the profile of cybersecurity is to treat it and its associated threats as simply another business risk. Successfully addressing that risk then becomes another way of making the organization more resilient and more likely not only to survive, but also to thrive in a heightened-threat-level environment.

Training program

Creating cybersecurity policies is just a start. Policies are completely pointless if the company’s employees cannot access them and the same is true of procedures if employees do not follow them. A cybersecurity training program for new and existing employees is critical.

Senior employees must participate in cybersecurity training because they have heightened risk profiles.

Such a program should not be something perfunctory and should be repeated on a regular basis, with concrete consequences for any employee who chooses not to participate. And this includes people in senior positions as well. Senior employees are usually accorded extensive access rights to internal systems and sensitive data, but tend to have a limited awareness of their heightened risk profiles. An organization is much safer when security becomes the business of all of its employees.

Access controls


Complex password requirements coupled with multifactor authentication and a robust single sign-on regime are the bare minimum when it comes to access controls. Access to sensitive systems should be provided on a need-to-have basis and should also be coupled with a robust permissions regime that limits what particular users or roles can do. Access rights and permissions should be reviewed on a regular basis and amended to take into account employees leaving the organization or changing roles within it.

Clear system ownership is of critical importance because it empowers those actually tasked with administering the systems to act and encourages accountability. In many cases access rights and permissions are initially well-defined, only to deteriorate very quickly because it is not clear whose responsibility it is to remove users and amend permissions.
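The access-review and ownership points above can be made mechanical. The following is an added example for this article, not Drizly's tooling: it represents each access grant with a purpose, an expiry, a last-used date and an accountable owner, and flags grants that have expired, are idle, are open-ended or have nobody responsible for them. The `Grant` structure, the 90-day idle threshold and the sample grants (including one modelled on the hackathon access described above, with constructed dates) are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Grant:
    user: str
    system: str
    purpose: str
    granted_on: date
    expires_on: Optional[date]  # None means open-ended, which itself merits review
    last_used: Optional[date]   # None means never used since it was granted
    owner: Optional[str]        # person accountable for this system's access list


def review_grants(grants: list[Grant], today: date, max_idle_days: int = 90) -> dict:
    """Return {(user, system): {"reasons": [...], "action": "revoke" | "confirm"}}.

    A grant is recommended for revocation when it has expired or has not been
    used within max_idle_days; otherwise open-ended or ownerless grants are
    flagged for the owner (or a newly assigned owner) to confirm.
    """
    findings = {}
    for g in grants:
        reasons = []
        if g.expires_on is not None and g.expires_on < today:
            reasons.append("expired")
        if g.expires_on is None:
            reasons.append("no expiry")
        if g.last_used is None or (today - g.last_used).days > max_idle_days:
            reasons.append("idle")
        if g.owner is None:
            reasons.append("no owner")
        if reasons:
            action = "revoke" if "expired" in reasons or "idle" in reasons else "confirm"
            findings[(g.user, g.system)] = {"reasons": reasons, "action": action}
    return findings


# Constructed sample grants; dates are illustrative, not taken from the case.
SAMPLE_GRANTS = [
    # One-day hackathon access that nobody owned and nobody removed.
    Grant("exec", "github", "hackathon", date(2018, 4, 10), date(2018, 4, 11),
          date(2018, 4, 10), None),
    # Engineer with open-ended access that is actually in use.
    Grant("bob", "github", "engineering", date(2019, 6, 1), None,
          date(2020, 3, 28), "platform-lead"),
    # Contractor access with an expiry, used recently, with an owner: nothing to flag.
    Grant("alice", "aws-prod", "on-call", date(2020, 1, 15), date(2020, 7, 15),
          date(2020, 3, 30), "platform-lead"),
]


def sample_review(today: date = date(2020, 4, 1)) -> dict:
    return review_grants(SAMPLE_GRANTS, today)


if __name__ == "__main__":
    for (user, system), f in sample_review().items():
        print(f"{user}@{system}: {f['action']} ({', '.join(f['reasons'])})")
```

The useful property is that every grant carries an owner and an expiry from the moment it is created; a review then consists of running this over the export of your identity provider or cloud IAM rather than asking around about who still needs what.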

Monitoring

Tools that monitor system activity, help identify potential threats and alert cybersecurity staff to them in a timely and effective fashion can help protect the organization even where system security has already been compromised. An alarm raised sufficiently early can help limit the damage caused by a successful attack and, most importantly, prevent contagion. Any penetration of a sensitive system by a malicious actor is a problem. But the longer a system remains compromised, the higher the chance that the attacker will find a way of maximising harm.

An effective alert mechanism can help prevent system contagion following a successful attack.

Once a system has been successfully penetrated, attackers can lurk there for some time before acting. Even if system audits do not uncover the compromise, an effective alert mechanism can help prevent harm, particularly if, for example, an attempt to access a part of the system or download a type of data trips an internal alarm and blocks access. More sophisticated systems can recognise unusual system activity or user behaviour, but these require a high level of sophistication on the part of the cybersecurity team because calibrating them takes significant time and effort.
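The trip wire described above, run over an audit log, looks like the following. This is an added example for this article, not Drizly's monitoring: it reads constructed audit-log lines, raises an alert immediately when a security-configuration change is made (the intruder's modification of cloud security settings is the kind of event meant here), and raises a second kind of alert when one account exports more customer records within a short window than any legitimate job should. The log format, the action names, the 100,000-row threshold and the ten-minute window are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed action names; map these to your cloud provider's real event names.
HIGH_RISK_ACTIONS = {"UpdateSecurityGroup", "DisableLogging", "PutBucketPolicy"}
EXPORT_THRESHOLD_ROWS = 100_000   # more than any legitimate batch job exports
WINDOW = timedelta(minutes=10)    # sliding window for the cumulative export count


def parse_line(line: str) -> dict:
    """Parse '2020-07-10T02:05:00Z k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(lines: list[str]) -> list[dict]:
    """Return alerts for high-risk config changes and bulk exports per user."""
    alerts = []
    exports = defaultdict(list)  # user -> [(timestamp, rows)] within the window
    for line in lines:
        ev = parse_line(line)
        if ev["action"] in HIGH_RISK_ACTIONS:
            alerts.append({"kind": "config_change", "user": ev["user"],
                           "action": ev["action"], "ts": ev["ts"]})
        if ev["action"] == "ExportRecords":
            window = exports[ev["user"]]
            window.append((ev["ts"], int(ev["rows"])))
            # Forget exports that fell out of the sliding window.
            window[:] = [(t, r) for t, r in window if ev["ts"] - t <= WINDOW]
            total = sum(r for _, r in window)
            if total > EXPORT_THRESHOLD_ROWS:
                alerts.append({"kind": "bulk_export", "user": ev["user"],
                               "rows": total, "ts": ev["ts"]})
                window.clear()  # one alert per burst, not one per subsequent line
    return alerts


# Constructed sample log: routine small exports by the application, then one
# account changing a security group and pulling the customer table in chunks.
SAMPLE_LOG = [
    "2020-07-10T02:05:00Z user=app action=ExportRecords table=orders rows=500",
    "2020-07-10T02:10:00Z user=analytics-ro action=UpdateSecurityGroup group=sg-db",
    "2020-07-10T02:12:00Z user=analytics-ro action=ExportRecords table=customers rows=60000",
    "2020-07-10T02:15:00Z user=analytics-ro action=ExportRecords table=customers rows=60000",
    "2020-07-10T02:40:00Z user=analytics-ro action=ExportRecords table=customers rows=60000",
    "2020-07-10T02:45:00Z user=app action=ExportRecords table=orders rows=500",
]


def sample_alerts() -> list[dict]:
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for a in sample_alerts():
        print(a)
```

The configuration-change rule fires on a single line because such changes are rare and high-impact; the export rule needs state across lines, which is what makes it a trip wire rather than a grep. In practice the alert would also block the session or revoke the credential, not only notify.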

Testing

As in software development, nothing gets overlooked or de-scoped more often than testing. But testing security, whether by way of vulnerability scanning, penetration testing, or even war-gaming specific scenarios, is the most important thing a company can do to ensure the security of its systems and data.

Testing can reveal gaps, omissions and problems. Identifying issues is the first step in addressing them and also gives the organization a better understanding of its capabilities as well as its vulnerabilities. Another positive result of continuous testing is the experience that internal teams accrue. Being aware of system or procedural weak points and understanding how a security event might unfold helps teams react more quickly and effectively. Continuous testing leads to higher levels of employee preparedness and engagement by bringing to life the things addressed in security training.