Breaches showing patterns of both desirable, questionable characteristics
The good and the bad of this week's Dropbox breach announcement is a microcosm of the patchwork of improvements and the continuing weaknesses in access control and account security that currently defines enterprise and service provider networks.
There are a number of themes repeating themselves. Authentication has a number of new options for better security from biometrics to hardware tokens but they are showing spotty adoption by services and end-users, authentication system upgrades are desired but don't happen overnight, breach reporting is getting less reliable which brings its own set of concerns, and end-users remain the most challenging variable.
In the Dropbox example, a password stolen from an employee led to a file with email addresses and eventually to 68 million missing records. Credential theft is a common attack vector. This year's annual Verizon Data Breach Investigations Report showed 63 percent of all breaches included the use of stolen credentials, up from 51 percent in last year's report. End-users need better understanding of the value, and vulnerability, inherent in their personal information and in company data.
Technology is improving, but it is not entering into a greenfield. Most new authentication technology is integrated with current identity and access management deployments, and more often than not, working alongside aging technology. These upgrades take time and effort that many overworked IT departments may be lacking even though they understand the benefits.
Dropbox had hashed and salted passwords stolen in this hack, but it was clear the company was in a transition from older SHA1 hashes to bcrypt hashes. On the user side, the company implemented and offered two-factor authentication options including one-time passwords and support for the FIDO Alliance's Universal 2nd Factor strong authentication, according to the company blog.
Such upgrades in access control can help lessen IT concerns. The 2015 Black Hat Attendee Survey showed that the greatest concerns among attendees were sophisticated attacks targeted at their organizations (57 percent); and phishing, social network exploits or other forms of social engineering (46 percent).
But on the downside, the data that was exposed this week was stolen years ago, which is an emerging and troubling trend. Information dumped earlier this year in the MySpace, Tumblr and LinkedIn episodes also was stolen years before it was exposed.
This sort of hidden breach is an emerging enemy. While hackers are known for their stealth skills, there are other concerns. Symantec's 2016 Internet Security Threat Report noted that breached companies aren't always reporting accurately. "Transparency is critical to security. By hiding the full impact of an attack, it becomes more difficult to assess the risk and improve your security posture to prevent future attacks," Kevin Haley, director of Symantec Security Response, said in a release accompanying the report's findings.
Perhaps these patterns can help enterprises focus their efforts to improve security and access controls. Dropbox became the next victim, but it won't be the last. There is still a lot of work to do before the breach epidemic shows signs of receding from its current high water marks.