Always Assume You’re Compromised and Other Lessons from India’s Creditseva Data Breach

This week, a credit service in India called Creditseva suffered a data breach which exposed details of some 48,000 citizens – including driver’s licenses, home addresses and credit reports. The company was notified by Kromtech security researchers of the breach when they noticed the information on an insecure Amazon S3 bucket.

Why are banks being targeted?

Willie Sutton, infamous U.S. bank robber was once asked, “Why do you rob banks?” His response: “Because that’s where the money is.” Though this may seem banal and obvious, it gets right to the point. Banks not only have trillions in standard currency, but oceans of personal information.  Financial markets are like oxygen. Their adequate provision is required for the whole system to work. This leads billions of people and millions of companies to use financial services (banks) – that’s a stupefying amount of personal information.

If you are a cybercriminal, you dramatically increase your return on investment when you target organizations with the deepest cistern of personal data. The attack may be unsuccessful, but the payoff is so alluring that attackers will continue to put financial services at the top of any list.

How can companies mitigate against such attacks?

What happened to Creditseva is yet another instance of an unforeseen, unknown threat leading to a catastrophic breach.  Not only is Creditseva’s reputation (and corporate viability) at stake, but 48,000 regular people will be anxiously monitoring their personal information against identity fraud – for years to come.

Thieves will often auction illegally obtained personal information on the Dark Web. And buyers could do anything with this information, including a hold strategy to use when the timing is most advantageous.

What can companies do? First, let us see how the breach was first discovered. Krometech, who specializes in hunting for threats, was the first to notify Creditseva of the breach. Did you see that?  Krometech was “hunting.”

Threat hunting is the iterative process of searching through network and security data to discover threats that evade traditional defenses. Now, Krometech’s hunt was more akin to discovering there is a moon in the night sky, but the principle is universal: Threat hunting is the surest way to find threats in an ever-evolving world. But to begin threat hunting, organizations must adopt a new paradigm: the assumption of compromise.

It does not require a super-elite cybersecurity specialist, only an open mind and frictionless access to data for discovering threats.

Second, let us look at ways to secure cloud infrastructure. Often, cloud environments come with security settings that are elementary and easily changed (e.g. pubic/private).

In the case of Creditseva’s AWS S3 (Simple Storage Service), settings allowed public access, leaving it open to anyone accessing Creditseva’s customer data. To get a sense of how open this “public” setting is…anyone can, almost, effortlessly go to Creditseva’s AWS S3 bucket from a personal browser – like hitting your favorite news site or cooking blog.

Organizations can offset these risks by implementing a Cloud Infrastructure Security Broker (CISB) thereby giving themselves a governance layer and policy mechanism for operating their cloud assets.

When cloud infrastructure is deployed, it is often to satisfy a pressing concern (e.g. application development, on-demand storage, etc). Having a CISB gives organizations security policy that will govern current and future cloud systems, without needing to manipulate each new instance. With this, companies have security that conforms to policy, regulations and governance with the agility necessary to satisfy the business demand.