Understanding Access Control Attacks
Identifying Assets
Asset valuation refers to identifying the actual value of assets with the goal of prioritizing them. Risk management focuses on assets with the highest value and identifies controls to mitigate risks to these assets.
The value of an asset is more than just the purchase price. For example, consider a web server hosting an ecommerce site that is generating $10,000 a day in sales. It is much more valuable than just the cost of the hardware and software. If this server fails, causing the ecommerce site to become unavailable, it would result in the loss of revenue from direct sales and the loss of customer goodwill. Customer goodwill is one of many intangible aspects that represent the actual value of an asset.
Knowing the asset value also helps with cost-benefit analysis, which seeks to determine the cost-effectiveness of different types of security controls. For example, if an asset is valued at hundreds of thousands of dollars, an effective security control that costs $100 is justified. In contrast, spending a few hundred dollars to protect against the theft of a $10 mouse is not a justifiable expense. Instead, an organization will often accept risks associated with low-value assets.
In the context of access control attacks, it’s important to evaluate the value of data. For example, if an attacker compromises a database server and downloads a customer database that includes privacy data and credit card information, it represents a significant loss to the company. This isn’t always easy to quantify, but attacks on Equifax provide some perspective. (See the sidebar “Data Breaches at Equifax.”)
Data Breaches at Equifax
Equifax, a consumer credit reporting agency, suffered several attacks in 2017. It reportedly suffered a major breach of its computer systems in March 2017. While Equifax didn’t report any data breaches from this attack, some analysts indicate that attackers probably installed some remote access tools (RATs) to gain a foothold into the company’s IT networks, allowing them to launch other attacks in 2017.
In September, Equifax announced a data breach that exposed data on about 145.5 million U.S. individuals. The data breach occurred between May and July and exposed data such as first and last names, addresses, birth dates, and social security numbers. About 10 to 11 million of these records included driver’s license numbers and credit card numbers for 209,000 U.S. individuals. The data breach also exposed data for as many as 44 million British residents and about 8,000 Canadians.
Chapter 14 ■ Controlling and Monitoring Access
In October, the Equifax website was modified by attackers. Some pages redirected users to a different site, offering a malware-infected update for Flash. Some of these acted as drive-by downloads. Users only needed to click the link, and their computer was infected. Other pages encouraged users to download and install a malware-infected file.
There’s an important lesson that responsible organizations can learn from these attacks. The May attack was preventable. Attackers took advantage of an Apache Struts web application vulnerability that could have been patched in March. This indicates a lack of a comprehensive patch management program. Additionally, security experts reported that they were able to log into the Argentina Equifax web portal using the account of admin and a password of admin in September. This was after Equifax reported the data breach that occurred in May and July. Lawyers are sure to imply that these are patterns of negligence.
The Equifax data breach can negatively impact the finances and credit ratings of tens of millions of individuals for years to come. It is also impacting Equifax directly. Shares dropped 35 percent within a week after Equifax officials publicly announced the data breach in September. This effectively wiped out about $6 billion of the company’s market value. One class-action lawsuit is seeking $70 billion in damages. The U.S. Internal Revenue Service (IRS) reportedly suspended a $7.2 million contract with Equifax after the October attack. Additionally, the Federal Trade Commission (FTC) reported that it is investigating Equifax, and legislators are urging other federal agencies to investigate the company too.