Last Sunday, ironically just a couple of weeks after the Black Hat conference, MGM, where the conference was held, suffered a cyber attack. After the attack the company's market cap fell by nearly 1 billion USD, and because they chose to shut all systems down, including websites and slot machines, they lost tens of millions in revenue in 5 days. On top of that, they needed to pay a ransom, which is estimated to be around 100 million USD because in a similar case in late summer this year Caesars Palace Entertainment paid 30 million USD in ransom.
The attack is said to have been a social engineering attack of the vishing kind. The attacker pretended to be a person working at MGM, called the help desk and got the help desk to reset that person's password. Then, using those credentials, the attacker penetrated the systems, encrypted or stole critical data, and informed the relevant people about what he had done or what he held.
It was that easy. Are you prepared for this kind of attack? Or, in case of this kind of breach, would you also prefer to shut all systems down as MGM did?
There are plenty of things you can do to avoid this kind of breach, and I am sure most of them are already in place at MGM. Then what is missing? First, there seems to be an authorization process and it is manual, meaning a person has the right to issue or reset a password for an employee. A person can easily be deceived with social engineering tactics. If there is an authorization process in your infrastructure that is not already automated, you should be more alert or have a plan to automate it. You cannot trust people or systems; trust and security do not coexist. If we talk about security, there should be zero trust. You should have segmentation, indeed micro-segmentation, in place to protect your workloads. Apart from this, the principle of minimum rights (least privilege) is quite important and must be implemented in any enterprise: for example, there should be no permissive or unused rules on your firewalls, and every kind of IT account should use only the admin rights it needs.
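One way to take the reset decision out of the help desk agent's hands, as an added example that is not from MGM or any real help desk product: the reset only proceeds when the employee's pre-enrolled device proves possession of a key, and privileged accounts also need a second approver. All names, keys, accounts and the 120-second lifetime are hypothetical, constructed values.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: per-employee keys provisioned at device enrollment.
ENROLLED_KEYS = {"jdoe": b"k1-constructed", "admin.ops": b"k2-constructed"}
PRIVILEGED = {"admin.ops"}   # accounts that also need a second approver
CHALLENGE_TTL = 120          # seconds a challenge stays valid (assumed value)
_pending = {}                # ticket_id -> (account, nonce, issued_at)


def issue_challenge(ticket_id, account, now=None):
    """Create a one-time nonce bound to this ticket; it is pushed to the enrolled device."""
    if account not in ENROLLED_KEYS:
        raise KeyError("no enrolled device; route to in-person verification")
    nonce = secrets.token_hex(16)
    _pending[ticket_id] = (account, nonce, time.time() if now is None else now)
    return nonce


def device_response(account, ticket_id, nonce):
    """What the employee's enrolled device computes (simulated here)."""
    msg = f"{ticket_id}|{account}|{nonce}".encode()
    return hmac.new(ENROLLED_KEYS[account], msg, hashlib.sha256).hexdigest()


def authorize_reset(ticket_id, account, response, agent, approver=None, now=None):
    """Return (allowed, reason). Nothing the caller says on the phone is an input."""
    entry = _pending.pop(ticket_id, None)  # single use, even when the check fails
    if entry is None or entry[0] != account:
        return False, "no pending challenge for this ticket/account"
    _, nonce, issued = entry
    if (time.time() if now is None else now) - issued > CHALLENGE_TTL:
        return False, "challenge expired"
    expected = device_response(account, ticket_id, nonce)
    if not hmac.compare_digest(expected, response or ""):
        return False, "device proof missing or invalid"
    if account in PRIVILEGED and (approver is None or approver == agent):
        return False, "privileged account needs a second approver"
    return True, "ok"
```

The help desk tool would call `authorize_reset` before executing any reset and offer the agent no override path, so a convincing caller without the enrolled device gets a refusal no matter what personal details they know.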
Cyber security has always been a contested item in IT spending budgets, and generally there are attempts to cut it down; however, if you face this kind of attack you may lose the next tens of years' worth of security budget in a single incident, as MGM did. It may be too late to take action afterwards.