How an Old Server Increased a Company’s Attack Surface and Led to a Major Data Breach

Zacks Investment Research Data, a major stock market data research provider, revealed a major breach of its network that allowed attackers to expose 820,000 individuals’ data. This data included names, phone numbers, passwords and email addresses. Such information is especially useful to malicious actors running phishing campaigns, credential stuffing attacks and other popular social-engineering scams.

Threat actors accessed an older database containing Zacks Elite product user records dating from November 1999 to September 2005. To make matters worse, it was revealed that the vulnerability had been exploited and left open for around 9 months, from November 2021 to August 2022. This is a significant example of poor security posture: keeping a legacy system online increases the number of variables that need to be accounted for and enlarges a network’s attack surface.

Poor Response Techniques

Zacks was criticised by cyber security experts such as KnowBe4’s Roger Grimes for poor mitigation and response tactics following the breach. This included taking a month to officially notify customers of the data exposure; Grimes stated that ‘more than a month to notify affected customers that their current passwords, often shared with other unrelated sites and services, seems a bit excessive’.

Zacks later disclosed that a second breach had happened prior to this one, affecting 10 times as many customers and totalling 8.8 million exposed user accounts, most notably including passwords stored as unsalted SHA256 hashes. This was enough for the data to be featured in various breach notification services such as HaveIBeenPwned and Dehashed.
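To show why unsalted SHA256 password hashes are such a liability once leaked, here is an added example (not code from the article or from Zacks) that stores a few constructed sample accounts both ways: as bare SHA256, where two users sharing a password produce identical, directly comparable hashes, and with a per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256), where the same password produces unrelated stored values. The user names and passwords are made up for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set

# Constructed sample accounts (not from the breach); alice and bob reuse a password.
SAMPLE_USERS = {
    "alice": "Winter2005!",
    "bob": "Winter2005!",
    "carol": "correct-horse-battery",
}


def unsalted_sha256(password: str) -> str:
    """The weak scheme described above: a bare SHA256 of the password, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Hardened form: random per-user salt and a deliberately slow KDF.

    Stored as 'salt_hex$iterations$derived_key_hex' so verification can
    recover the parameters it needs.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key with the stored salt and compare in constant time."""
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_hash_groups(stored: Dict[str, str]) -> List[Set[str]]:
    """Group users whose stored value is identical.

    With unsalted hashes every shared password is visible at a glance in a
    leaked dump; with salted hashes there are no such groups to find.
    """
    groups: Dict[str, Set[str]] = {}
    for user, value in stored.items():
        groups.setdefault(value, set()).add(user)
    return [users for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    weak = {u: unsalted_sha256(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    print("unsalted duplicates:", duplicate_hash_groups(weak))
    print("salted duplicates:  ", duplicate_hash_groups(strong))
```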

Improving Security Posture

Preventing further breaches and responding to incidents can be improved with an ISO 27001 assessment of an organization’s current security posture. 

  1. Access Control Policy (A.9.1) – Detecting, reporting, assessing and responding to incidents. This includes user rights management, access control and user authentication provisions. 
  2. Information Security Management Policy (A.16.1) – Appropriate procedures for detecting, reporting, assessing and responding to information security issues, including roles and responsibilities, escalation procedures and steps for mitigating incident impact. 
  3. Supplier Security Policy (A.15.1) – Clearly outlined governance of external suppliers and service providers to ensure the security of information assets. While this wasn’t the direct cause of the data leaks, it’s important to include as external entities with access to sensitive data can increase an organization’s attack surface. 
  4. Data Protection and Privacy Policy (A.18.1) – Establishing an organization’s commitment to protecting the confidentiality, integrity and availability of personal data and ensuring transparency regarding data processing with concerned parties is an important and legally necessary step to ensure compliance. 
  5. Monitoring and Review Policy (A.12.1) – Strong governance of an organization’s security processes and info-sec controls, including regular security assessments, audits and reviews of policy, helps catch any chinks in the armour before they’re found by malicious entities. 
  6. Network Security Policy (A.13.1) – This policy defines the organization’s approach to network infrastructure, which is particularly relevant in this case. Measures such as network segmentation, firewalls and intrusion detection systems can help minimize an attack surface by isolating critical assets and controlling the flow of traffic between different network segments. 

While it’s not a specific ISO policy, having a system hardening policy is also essential for reducing an attack surface by securing the configuration of IT systems and devices. Such a policy focuses on reducing the number of unnecessary services and applications while applying routine security patches and updates, configuring secure default settings and disabling unused features. The practice of minimising the number of overall variables that need to be accounted for is massively helpful in preventing data breaches in any organization.
