Digital technology has brought many advances to daily life, most of them centred on the distribution of information. The same distribution has also raised the number of data breaches worldwide, as seen this year when several sets of voter registration data were exposed. Among the countries affected were Mexico, the state of Georgia and the Philippines. However, these events are minor exposures compared with the American incident in June, in which over 198 million voter records were exposed to the public, a significant number that included records dating back ten years (Newman, 2017).
Discovered by researcher Chris Vickery, the breach exposed over 1.1 terabytes of data, including sensitive personal information and addresses. The exposed data had been compiled by a data analytics company called Deep Root, which had been tasked with analysing voter registration details and therefore held the names and addresses of potential voters. The leaked information also gave a detailed account of how voters felt about a wide range of issues, from the political climate to gun control (Bennett, 2012). Through this discovery, Vickery ultimately exposed the weak structures organizations use to protect the information they hold.
This conclusion rests on how the company's systems were compromised, which, as outlined in the next section, was the result of negligence rather than any sophisticated hacking tool. The breach also illustrated the amount of information entrusted to conservative groups, who were fortunate that the data was not used for illicit purposes, particularly just after a general election had been held. In addition, the breach heightened the questions over the collaboration between the United States government and the Russian government (Uchill, 2017).
How and why the attack occurred
First, the breach was not the result of a complex or sophisticated attack; instead, the responsible organization left the databases holding the data exposed to the public by disabling their online security protocols. Anyone who visited the organization's systems could therefore access them without any form of control, whether encryption of the content or an authorization request such as a password. The data was verified and identified as belonging to the Republican National Committee (RNC), so the exposure was not a test or hoax but a genuine failure of cyber security controls.
The RNC had contracted the data company, which in turn had leased Amazon S3 storage to hold the information. The company had also leased multiple database sections, which at the time of the exposure amounted to over 25 terabytes of information. All of this content used the same cloud facilities, which highlights the company's negligence in failing to protect some of the database servers. Furthermore, the intrusion reached deep into the disc space of the cloud facility, which determined the extensive scope of the exposed content. The exposure therefore did not affect minor files containing trivial details but in-depth analysis functions, as shown by some of the files, which held modelled data (Whittaker, 2017).
So why did the breach occur? According to data experts, misconfigured online services are a common occurrence that leads to many exposures, but they are rarely discovered because they usually hold trivial or worthless information. The misconfiguration of online systems is further intensified by cloud services and other online database systems, which require extensive security procedures that the leasing organizations ignore. The events experienced were therefore not alien to cyber attacks but were intensified by the nature of the data, which contained extensive records meant only for private eyes ()
Regardless of the cause of the exposure (why the servers were unsecured), the outcome highlights the negligence of the company at hand. Deep Root failed to implement the security procedures that are standard when dealing with database systems; in fact, the failure was so profound that anyone could access the content simply by visiting the website, meaning that even simple access control and authentication procedures were not implemented. As a solution, the company should reassess its entire security policy by conducting a new and thorough risk assessment. Through this assessment, the threats facing the organization and its systems would be evaluated, highlighting the possible loopholes and vulnerabilities that could be used to conduct attacks. It would also establish the extent to which the existing security policy is actually implemented and enforced (Booth, A, & Somayaji, 2013).
Secondly, the organization should implement technical security solutions for its existing online systems. Encryption would be the first mitigation, as it maintains the confidentiality of information by transmitting data in a protected form; the analytics conducted by the RNC would in future be sent over encrypted channels. In addition, lockdown procedures should be applied to all user endpoints, i.e. computers, websites and any other access platforms. In the breach, the internet was the endpoint used to access the information, so access control procedures that enforce authentication and authorization would be applied. For example, the data company could develop specific access portals for RNC users, who could access the content only once authorised. Finally, a comprehensive information management plan should allocate access rights based on each user's clearance level; such a plan would mitigate data exposure by isolating data blocks (Bennett, 2012).
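The misconfiguration described above can be checked directly from a bucket's own settings. The following is an added example, not code from the essay or from Deep Root: it audits an S3 bucket ACL and bucket policy (in the JSON shape the AWS API returns) for grants to everyone, using constructed sample data for both the exposed and the corrected configuration.

```python
"""Offline check for S3 bucket settings that expose objects to the whole internet.
Added example, not code from the essay or Deep Root: evaluates a bucket ACL and
bucket policy in the JSON shape AWS returns, on constructed samples (no AWS calls).
"""
# AWS predefined groups meaning "anyone on the internet" / "any AWS account holder"
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def acl_public_grants(acl):
    """List ACL permissions handed to the AllUsers or AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant['Permission']} to {grantee['URI'].rsplit('/', 1)[-1]}")
    return findings

def policy_public_statements(policy):
    """List Allow statements whose Principal is '*' (anyone) and the actions they allow."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):  # {"AWS": "*"} or {"AWS": ["*", ...]}
            principal = principal.get("AWS")
        anyone = principal == "*" or (isinstance(principal, list) and "*" in principal)
        if stmt.get("Effect") == "Allow" and anyone:
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            note = " (has a Condition, review it)" if "Condition" in stmt else ""
            findings.append(f"policy {stmt.get('Sid', '?')} allows {', '.join(actions)} to anyone{note}")
    return findings

def audit_bucket(acl, policy):
    """Run both checks; an empty list means no public grant was found."""
    return acl_public_grants(acl) + policy_public_statements(policy)

# Constructed samples: the exposed shape (public READ ACL plus public-read policy)
# beside the locked-down shape (owner-only ACL, policy scoped to one account).
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}
EXPOSED_ACL = {"Grants": [OWNER, {"Permission": "READ", "Grantee": {
    "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}
EXPOSED_POLICY = {"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
LOCKED_ACL = {"Grants": [OWNER]}
LOCKED_POLICY = {"Statement": [{"Sid": "OneAccount", "Effect": "Allow", "Action": "s3:GetObject",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Resource": "arn:aws:s3:::example-bucket/*"}]}
```

`audit_bucket(EXPOSED_ACL, EXPOSED_POLICY)` returns the two findings, while the locked-down pair returns an empty list; the same functions accept the dictionaries returned by a real `GetBucketAcl` / `GetBucketPolicy` call.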
A recent attack on computer systems shocked the world as it infiltrated multiple networks across the globe. The attack was carried out by a new form of ransomware that exploited a vulnerability in Windows systems. Ransomware is malware that holds computer systems to ransom while threatening to expose or destroy data. In this case, the malware in question (WannaCry) used new attack procedures that defeated the existing security measures (Wong, 2017).
WannaCry's worldwide infiltration started with a rogue cyber group known as The Shadow Brokers, who at the start of the year released a network attack vector (vulnerability) known as EternalBlue. The group had acquired the vulnerability from the United States government, whose security agency (NSA) had developed the component among other access vulnerabilities. The NSA has from time to time developed tools that may serve as cyber weapons, an outcome amply verified by the extent of the attack. The attack spread like wildfire, affecting systems in Spain, China, Russia and the United Kingdom among many other countries. In each of these countries, the malware performed the same sinister actions, locking the machines it infected unless the ransom was paid in full (BBC News, 2017).
Those affected and how
At the beginning, the estimated number of attacks surpassed 40,000 systems across the world, affecting more than 100 countries. In some of these countries, such as England, the malware infected medical systems, interrupting health facilities and the duties they performed. These interruptions were so severe that some members of the public became casualties of the attack, as they could not access their vital medical records and their procedures were halted. The same problem affected health workers and practitioners, who were placed on immediate lockdown as their machines demanded a payment of $300 to restore normal operation.
In other countries, the attack crippled private companies, affecting businesses and their financial performance. This was seen in Spain, where the telecommunications and electrical industries were hit by the attacks on Telefonica and Iberdrola (Islaim, 2017). In these companies the attacks were so severe that the organizations were forced to switch off their systems in an attempt to limit their losses. Russia went through the same crisis as its networks were extensively infiltrated. The attack on Russian systems was particularly worrying, however, as it affected many sectors of service delivery.
Method of attack
Most malware attacks start by identifying vulnerabilities in systems before conducting their attacks. Only after these vulnerabilities are identified are the actual attacks carried out, based on a self-replicating procedure that in the end increases their success rate. Similarly, WannaCry exploited a serious vulnerability in Windows systems that was later fixed through system updates (patches). The vulnerability lay in the protocol used to access networks, known as Server Message Block (SMB). The SMB protocol resides within the application layer of the TCP/IP model and facilitates file sharing by allowing devices to read or write files across networks; it also allows computers to request resources and services across networks. When the EternalBlue vulnerability was introduced, it therefore gave intruders complete access to the networks and computers using the protocol (Emling, 2017).
In all, a four-step procedure was used to infect machines:
- The intruder used the SMB handshake to trigger the vulnerability on machines with unprotected access ports.
- Next, an archived program holding the starter for the malware was transferred to the accessed machine. This program was encrypted to maintain the integrity of the malware.
- In the third stage the malware program was decrypted from the archive and activated. Once active, it immediately started to scan for other connections from the host machine and spread only to networks with unsecured access ports (Islaim, 2017).
- If it identified such ports, the malware again used the EternalBlue vulnerability to deliver the starter program, commonly known as the payload. At this point the infection procedure repeated itself and continued across every visible and unsecured network.
Preventing the attack
The most obvious solution would have been a patch for the identified vulnerability, which, given how events unfolded, was only developed after the damage had been done and is therefore not a valid option. However, in all the attacks conducted, unsecured ports were used to reach the SMB vulnerability, so basic network controls could have mitigated the malware across the networks. For instance, the affected organizations should have had firewalls regulating the flow of traffic; such a facility would have alerted users to the intrusion. Moreover, access and port control procedures should have been used to block unused network nodes and ports (EMC, 2016).
Nevertheless, the attacks occurred in many organizations and countries, which shows their complexity, as most of the organizations had strict security guidelines. A thorough risk assessment would therefore have been the only solution, because it would have identified the new threat. It is through a risk assessment that these organizations would have identified and implemented solutions for the SMB protocol, including alerting the product developer (Microsoft) (EMC, 2016).
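The propagation steps listed under "Method of attack" and the network controls recommended above turn on the same observables: one host reaching many others on TCP/445 in a short time, and SMB being reachable from outside the network. As an added example (not from the essay or any report it cites), the following detection logic runs over constructed firewall connection logs in an assumed key=value format and raises both alerts.

```python
"""Spot worm-style SMB fan-out and internet-sourced SMB in connection logs.
Added example, not from the essay or any cited report. It parses constructed
firewall lines in an assumed key=value format (adapt LINE_RE to your device).
"""
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918

def parse(lines):
    """Yield (timestamp, src, dst, dport, proto) for lines matching LINE_RE."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, dport, proto = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(dport), proto.lower()

def smb_alerts(lines, window=timedelta(seconds=60), fanout=5):
    """Return sorted (kind, src) alerts. 'fanout': src reached >= fanout distinct
    hosts on TCP/445 inside one window (a worm sweeping for open SMB ports).
    'external': TCP/445 came from outside RFC 1918 space, so SMB is internet-reachable."""
    alerts = set()
    by_src = defaultdict(list)  # src -> [(ts, dst)] for TCP/445 only
    for ts, src, dst, dport, proto in parse(lines):
        if proto != "tcp" or dport != 445:
            continue
        if not any(ipaddress.ip_address(src) in net for net in INTERNAL):
            alerts.add(("external", src))
        by_src[src].append((ts, dst))
    for src, conns in by_src.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):  # window anchored at each connection in turn
            targets = {dst for ts, dst in conns[i:] if ts - t0 <= window}
            if len(targets) >= fanout:
                alerts.add(("fanout", src))
                break
    return sorted(alerts)

# Constructed sample: 10.0.0.5 sweeps six neighbours on 445 within 25 s (worm-like),
# 10.0.0.7 talks to the file server normally, 203.0.113.9 reaches 445 from outside.
SAMPLE_LOG = (
    [f"2017-05-12T10:00:{s:02d} src=10.0.0.5 dst=10.0.0.{10 + s} dport=445 proto=TCP" for s in range(0, 30, 5)]
    + [f"2017-05-12T10:0{m}:00 src=10.0.0.7 dst=10.0.0.2 dport=445 proto=TCP" for m in range(3)]
    + ["2017-05-12T10:01:30 src=10.0.0.7 dst=10.0.0.2 dport=443 proto=TCP",
       "2017-05-12T10:02:15 src=203.0.113.9 dst=10.0.0.2 dport=445 proto=TCP"]
)
```

`smb_alerts(SAMPLE_LOG)` flags 10.0.0.5 for fan-out and 203.0.113.9 as an external SMB source, while the ordinary file-server traffic from 10.0.0.7 raises nothing; tune `window` and `fanout` to the normal SMB behaviour of your own network.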
Bennett, S. (2012). Data Security Breaches: Problems and Solutions. Retrieved 25 August 2017, from https://www.jonesday.com/files/Publication/2dbb7406-ba13-4305-902a-8f2c65ef3d49/Presentation/PublicationAttachment/301495c5-31c8-4881-8202-9dd8665df004/TPL0812-Bennett.pdf
Booth, G., A, S., & Somayaji, A. (2013). Cloud Security: Attacks and Current Defenses. 8th Annual Symposium on Information Assurance. Retrieved 25 August 2017, from https://people.scs.carleton.ca/~soma/pubs/booth-asia2013.pdf
EMC. (2016). Preventing a ransomware disaster. EMC. Retrieved 24 August 2017, from https://www.google.com/url?sa=t&rct=j&q=&edata-src=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwiwgdWRi_DVAhWIK8AKHdA9BKEQFggqMAA&url=https%3A%2F%2Fmozy.com%2Fsystem%2Fresource
Emling, S. (2017). Ransomware Attack Wreaks Havoc Globally. AARP. Retrieved 24 August 2017, from https://www.aarp.org/money/scams-fraud/info-2017/how-to-protect-against-ransomware-fd.html
Islaim, A. O. (2017). SMB Exploited: WannaCry Use of "EternalBlue". FireEye. Retrieved 24 August 2017, from https://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-use-of-eternalblue.html
Newman, L. (2017). The Scarily Common Screw-Up That Exposed 198 Million Voter Records. Wired. Retrieved 25 August 2017, from https://www.wired.com/story/voter-records-exposed-database/
BBC News. (2017). Massive ransomware infection hits computers in 99 countries. BBC News Technology. Retrieved 24 August 2017, from https://www.bbc.com/news/technology-39901382
Uchill, J. (2017). Data on 198M voters exposed by GOP contractor. The Hill. Retrieved 25 August 2017, from https://thehill.com/policy/cybersecurity/338383-data-on-198-million-us-voters-left-exposed-to-the-internet-by-rnc-data
Whittaker, Z. (2017). 198 million Americans hit by 'largest ever' voter records leak. ZDNet. Retrieved 25 August 2017, from https://www.zdnet.com/article/security-lapse-exposes-198-million-united-states-voter-records/
Wong, J. (2017). Massive ransomware cyber-attack hits nearly 100 countries around the world. The Guardian. Retrieved 24 August 2017, from https://www.theguardian.com/technology/2017/may/12/global-cyber-attack-ransomware-nsa-uk-nhs