More than ghosts appear to be wreaking havoc on haunted networks. We’re halfway through October, and Cybersecurity Awareness Month isn’t quite shaping up the way we had hoped. Organizations ostensibly decided to pivot and use this time to confess their sins prior to Halloween. This year’s magical mystery machine includes FTK and Volatility copies. Fred, Daphne, Velma, Shaggy, and Scooby-Doo are all certified private investigators who are ready to testify in court. Let’s go over what’s happened so far and the lessons we’ve learned.
When Was the Luckiest Breach Announcement… Ever?
You probably hadn’t heard of Syniverse before October 4th, despite the fact that it works with 95 percent of the world’s top 100 telecoms. If you found out about them on October 4th, it was first thing in the morning, and then… something else happened. Unfortunately, hackers are likely to have snatched up your texts, call records, and other personal information in yet another third-party telecom hack. What sets this breach apart — at least for the time being — is that the unauthorized access went unnoticed or unreported for five years, outlasting SolarWinds by a factor of ten. It also emphasizes the dangers of SMS and geolocation data, which could be used to spread misinformation and espionage.
Facebook went dark — literally — on the internet, effectively burying the Syniverse news beneath a mountain of speculation about the outage. In an ironic twist of fate, Facebook, once a social network and now a disinformation distribution platform, was dealing with the outage and a deluge of rumors about the cause at the same time. The theories ranged from an insider show of support for the whistleblower to the opposite, with the outage being used to divert attention away from the whistleblower’s testimony before the US Congress. The truth is less exciting but far more practical: Communication between data centers was disrupted due to a faulty configuration change. While the Facebook data centers were unable to communicate, few people attempted to communicate about Syniverse at all. Syniverse, according to its website, “processes 740 billion texts annually and has over 300-plus direct connections to mobile operators.”
This data breach isn’t limited to a single customer’s text messages or records. Twilio is a minority shareholder in Syniverse and is mentioned as one of the company’s top revenue contributors, second only to AT&T. Given Twilio’s reach into the developer world, this breach is relevant from both a B2C and B2B perspective.
As Sen. Ron told Motherboard when describing the breach’s long-term consequences, the information flowing through Syniverse’s systems is espionage gold. Expect years of security and privacy incidents to be traced back to this one.
Attackers Expose Twitch’s Failures to Livestreamers
Twitch, the most popular live streaming platform for content creators, suffered a massive data leak, which is certainly bad for users but possibly even worse for the platform itself. This one is about security issues with partners, platforms, and products. And, perhaps worst of all, it sheds light on the gender and racial pay disparities that exist among content creators. Twitch, sponsors, and streamers have all agreed on payout rates, which are now publicly available and exposed. There’s no doubt that Twitch, which is already competing with YouTube for streamers, will see a talent exodus as unjust treatment is confirmed. Twitch acts as a bridge between content creators, sponsors, advertisers, and viewers, allowing for the facilitation and monetization of parasocial relationships. That ecosystem necessitates trust, which is jeopardized by data breaches and the disclosure of sensitive intellectual property.
Breaches occur at the most inconvenient times, and Twitch already had serious problems with content creators being harassed, on occasion, by viewers and other streamers. Twitch is plagued by hot tub streams, hate raids, swatting, racism, and sexism. Given those other issues, a data breach isn’t the most serious problem the company faces, but it’s not making things any easier.
You Are Compelled To Respond To Incidents Because Of Their Power
Given the ratio of breach announcements to days in October we’ve seen so far, the “X” in XDR (extended detection and response) might stand for eXorcism by Halloween. When you factor in the number and severity of breaches reported in 2021, you’ve got yourself a pea soup situation. Despite this, only 12% of respondents in the Forrester Analytics Business Technographics® Security Survey, 2021, rank breach and attack simulation as a top information/IT security priority for the next 12 months.
Scooby and the gang should not be sitting around eating snacks right now! To keep up with attackers and their tactics, companies should revisit, revise, and practice incident response and crisis management plans at least biannually, if not quarterly. A ransomware attack should be included in at least one of the breach simulations, and all exercises should include data exfiltration. Those concerned about data from Twitch should consider conducting a crisis management drill.
Trust is at stake for customers, platforms, and partners. Don’t wait until an incident is underway to assemble your crisis management ecosystem of critical third parties, such as legal, digital forensics and incident response, and public relations, so that notifications, handoffs, and all communication run smoothly. Also consider media training for the key executives who will be seen as the face of any crisis affecting your company.
To The Rescue With Zero Trust
From a technical standpoint, the old approach to security architecture is well known to be a failure (see the examples above if you don’t believe me). Unless security, risk, and privacy leaders shift their strategy to account for the business realities of interconnected relationships between platforms, partners, and customers, they will be completely left behind, and that shift means a move to Zero Trust architectures.
Customers and business partners expect dependability and assurance that you’re safeguarding the ecosystem as a whole by refusing to place implicit trust in any user, device, or system. You and your ecosystem can be both resilient and protected with Zero Trust. Organizations don’t want another mystery on their hands, and isn’t it more fun to be the nosy kids and dog who caught the bad guys red-handed?
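To make “refusing to place implicit trust in any user, device, or system” concrete, here is an added illustration (not code from the original post or from any product it mentions) of a per-request policy decision in the Zero Trust style. The users, resources, entitlements, and device attributes are constructed for the example; the key design point is that the request’s network location is carried but never consulted, so being on the corporate LAN or VPN earns no access on its own.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Request:
    """One access request as seen by a policy decision point (constructed fields)."""
    user: str
    mfa_verified: bool
    device_id: str
    device_managed: bool
    device_patched: bool
    network: str        # "corp", "vpn" or "internet": recorded for audit, never used for trust
    resource: str
    action: str


# Constructed sample inventory: which resources are sensitive, and who may do what.
SENSITIVE_RESOURCES: Set[str] = {"payout-rates-db", "sms-routing-logs"}
ENTITLEMENTS: Dict[str, Dict[str, Set[str]]] = {
    "velma": {"payout-rates-db": {"read"}, "wiki": {"read", "write"}},
    "shaggy": {"wiki": {"read"}},
}


def decide(req: Request) -> Tuple[bool, str]:
    """Evaluate a single request and return (allowed, reason).

    Every request is checked from scratch: explicit entitlement first, then device
    posture, then a stronger bar (verified MFA plus a patched device) for sensitive
    resources. Network location is deliberately ignored.
    """
    allowed_actions = ENTITLEMENTS.get(req.user, {}).get(req.resource, set())
    if req.action not in allowed_actions:
        return False, "no entitlement for this user/resource/action"
    if not req.device_managed:
        return False, "unmanaged device"
    if req.resource in SENSITIVE_RESOURCES:
        if not req.mfa_verified:
            return False, "sensitive resource requires verified MFA"
        if not req.device_patched:
            return False, "sensitive resource requires a patched device"
    return True, "allowed"


def audit(requests: List[Request]) -> List[Tuple[str, str, str, bool, str]]:
    """Decide a batch of requests and return audit rows: (user, resource, network, allowed, reason)."""
    return [(r.user, r.resource, r.network, *decide(r)) for r in requests]


# Constructed sample traffic: note that the corp-network request is denied and the
# internet request is allowed, because posture and identity decide, not location.
SAMPLE_REQUESTS: List[Request] = [
    Request("velma", True, "lap-01", True, True, "internet", "payout-rates-db", "read"),
    Request("velma", False, "lap-01", True, True, "corp", "payout-rates-db", "read"),
    Request("shaggy", True, "van-07", False, True, "vpn", "wiki", "read"),
    Request("shaggy", True, "van-07", True, True, "vpn", "payout-rates-db", "read"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_REQUESTS):
        print(row)
```

The ordering of checks matters for what the audit trail tells you: an entitlement failure is logged as such even if the device is also unmanaged, which keeps the reason field useful when reviewing denied requests after an incident.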