Cyberweekly #6 - Whose fault is a breach anyway?
Published on Saturday, June 30, 2018
This week saw an interesting breach of the Ticketmaster payment processing system. A third party, Monzo, noticed the breach months before Ticketmaster were able to confirm it. Ticketmaster claim it wasn't their breach but one of their suppliers'; the supplier admits being hacked but claims it wasn't their responsibility, as they didn't recommend putting the JavaScript onto the payment processing pages.
As the complexity of web applications and technology estates grows, it's going to become harder and harder to work out the impact of a breach, and to determine who is responsible for keeping users' data safe. The world we live in is complex and difficult, and nothing will ever be clear and simple about this stuff.
In newsletter news, a few people haven't got some of the more recent editions. I contacted TinyLetter and the best they could recommend was to add cyberweekly@brunton-spall.co.uk to your address book which should whitelist it from spam filters.
Anyway, enjoy this week's reading and analysis.
Inbenta and the Ticketmaster Data Breach - Inbenta
https://www.inbenta.com/en/inbenta-and-the-ticketmaster-data-breach/
"The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018" How the attacker was able to modify a script held on a server is not clear here. The separation of responsibilities between the two organisations is very blurry and grey, and it had clearly not been identified before the breach.
Monzo – Protecting customers from the Ticketmaster breach: Monzo's story
https://monzo.com/blog/2018/06/28/ticketmaster-breach/
"By the next week, another nine cards had been used fraudulently and all of them had been used to make Ticketmaster transactions. One of those cards had been previously used for an attempted transaction at Ticketmaster, but the expiry date had been typed incorrectly so the transaction had failed. That same (incorrect) expiry date was then used in an attempted fraudulent transaction on the Monday, providing further evidence that Ticketmaster was the source of the breach." This is a great bit of sleuthing by the Monzo security team. Do you think you could do this level of introspection in your secops/fraud/siem tool, and if not why not?
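The correlation the Monzo team describes can be expressed as a common-point-of-purchase check plus a test for a mistyped expiry date that recurs in later fraud. The following is an added example, not code from the Monzo post; the card and merchant names and the transaction records are constructed sample data.

```python
"""Added example (not Monzo's code): common-point-of-purchase analysis over
constructed card transaction records, mirroring the reasoning in the post."""
from collections import Counter

# Constructed sample data. Real expiry per card, so mistyped entries can be spotted.
CARD_EXPIRY = {"c1": "12/20", "c2": "12/20", "c3": "05/21", "c4": "09/22"}

# ts is ISO-formatted so string comparison orders correctly; fraud marks transactions
# the cardholder later reported as not theirs. Merchant names are invented.
TXNS = [
    {"card": "c1", "merchant": "grocer",    "ts": "2018-03-01", "status": "ok",       "expiry": "12/20", "fraud": False},
    {"card": "c1", "merchant": "ticketco",  "ts": "2018-03-05", "status": "ok",       "expiry": "12/20", "fraud": False},
    {"card": "c2", "merchant": "ticketco",  "ts": "2018-04-02", "status": "declined", "expiry": "11/20", "fraud": False},
    {"card": "c2", "merchant": "coffee",    "ts": "2018-04-03", "status": "ok",       "expiry": "12/20", "fraud": False},
    {"card": "c3", "merchant": "ticketco",  "ts": "2018-04-10", "status": "ok",       "expiry": "05/21", "fraud": False},
    {"card": "c3", "merchant": "grocer",    "ts": "2018-04-11", "status": "ok",       "expiry": "05/21", "fraud": False},
    {"card": "c4", "merchant": "grocer",    "ts": "2018-04-12", "status": "ok",       "expiry": "09/22", "fraud": False},
    {"card": "c1", "merchant": "mule-shop", "ts": "2018-06-20", "status": "ok",       "expiry": "12/20", "fraud": True},
    {"card": "c2", "merchant": "mule-shop", "ts": "2018-06-25", "status": "declined", "expiry": "11/20", "fraud": True},
    {"card": "c3", "merchant": "mule-shop", "ts": "2018-06-26", "status": "ok",       "expiry": "05/21", "fraud": True},
]


def common_point_of_purchase(txns):
    """Per merchant, count how many fraud-hit cards were used there before their first
    fraudulent transaction (declined attempts count: the card data still reached the page).
    Returns (Counter, set of merchants shared by every fraud-hit card)."""
    first_fraud = {}
    for t in txns:
        if t["fraud"]:
            first_fraud[t["card"]] = min(t["ts"], first_fraud.get(t["card"], t["ts"]))
    seen = {card: set() for card in first_fraud}
    for t in txns:
        if not t["fraud"] and t["card"] in seen and t["ts"] < first_fraud[t["card"]]:
            seen[t["card"]].add(t["merchant"])
    counts = Counter(m for merchants in seen.values() for m in merchants)
    common = set.intersection(*seen.values()) if seen else set()
    return counts, common


def recurring_mistyped_expiry(txns, card_expiry):
    """Find declined attempts where a wrong expiry was typed and that same wrong expiry
    later appears in a fraudulent transaction on the same card: strong evidence that
    the merchant of the failed attempt is where the data was captured."""
    fraud_expiries = {(t["card"], t["expiry"]) for t in txns if t["fraud"]}
    return [(t["card"], t["merchant"], t["expiry"]) for t in txns
            if t["status"] == "declined" and not t["fraud"]
            and t["expiry"] != card_expiry[t["card"]]
            and (t["card"], t["expiry"]) in fraud_expiries]
```

On the sample data every compromised card shares only one prior merchant, and the one mistyped expiry date resurfaces in the fraud on the same card, which is exactly the chain of evidence in the post.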
A technical primer on blockchain | Deloitte Insights
“While many challenges may remain, from lack of regulatory and legal frameworks to rapid technology changes, from talent gaps to consortium building, it is important to not underestimate the impact of blockchain. Every transaction platform and fabric that we know today will likely be either improved or replaced by a blockchain-based solution. “ Deloitte are, perhaps unsurprisingly, bullish on Blockchain. It’s coming whether you want it or not. This article does outline Blockchain or distributed ledger solutions quite well, but avoids commenting on any of the downsides. It’s worth being aware of Blockchain technologies so that when we start seeing Blockchain-powered security solutions you can tell the snake oil from the real opportunities.
Revenge of the PMO | Silicon Valley Product Group
https://svpg.com/revenge-of-the-pmo/
“I can’t imagine any of the strong tech product companies I know choosing to move to SAFe, and if for some reason they did, I’m pretty certain their top talent would leave.” Strong words from Marty Cagan on the Scaled Agile Framework. This matches my experience as well: organisations trying to do agile at scale miss that the power of self-empowered teams that can direct their own work is the entire point of agile.
Agile Makes No Sense – Hacker Noon
https://hackernoon.com/agile-makes-no-sense-c8ebbf971012
“Astute observers quickly realize that agility on the team level is but one part of the puzzle. Even when Agile on the team-level makes sense, you need that other part to make sense. The rest of the org was probably the blocker in the first place.” If we assume for a second that Cybersecurity reform is lagging around 10 years behind agile reform (which is my rough estimate, and possibly a generous one), then articles like this show what we might be learning in Cybersecurity over the next 5 years. That final sentence is the key point for me: even if we get our own house in order, the chances are the rest of the organisation doesn’t know what to do with a high-performing security team, even if one did exist.