NEW! Superglue Security - Only $4.95

Superglue Security breach results in the loss of nearly 2 million customer mortgage records from Countrywide, one of the nation’s leading mortgage providers.

Apparently, the firm’s USB policy was to glue the ports to prevent their use, and they missed one. An insider took advantage of this hole in their security, and every Sunday evening for approximately 2 years, this individual allegedly copied approximately 20,000 customer records to a USB mass storage device.

Let’s just examine this scenario for a moment. I appreciate that in a large organization it can be costly to deploy desktop-based solutions that monitor and prevent the use of USB storage devices. I also pity the poor guy that ran around with a glue gun, and question how they addressed USB keyboards and mice, but let’s be honest - the glue, or lack thereof, was not the problem - not on one PC, not on a thousand.

Countrywide has databases full of highly confidential and extremely valuable information - valuable both to the company and, obviously, on the black market. Naturally, that begs the question: was the glue their only access control method? Were they so confident in its ability to thwart all attacks that database auditing, user identity and access monitoring, or even basic application auditing were completely ignored - for two years?

It’s easy to rush to judgment, but from the publicly available information on this case, there was an obvious breakdown in event monitoring. I suspect that Countrywide, like most organizations, employs many layers of network defense, and these defenses are generating a literal ocean of log data. As is often the case, it’s simply impossible to do an effective job of analyzing this data without some form of automation. In some cases, the data is captured and stored for search and compliance purposes, but without correlation and analysis this data lacks a critical ingredient: context.

What do I mean by context? Let’s examine what we know about this situation, and that will put the “context” of this situation into perspective.

Obviously, the employee in question possessed whatever physical access control was needed to get into the building. He also had perfectly valid credentials to access the network. Likewise, he was an authorized user of whatever application provided access to the customer data. When viewed as individual data points, there’s nothing unusual in this information. Assuming all of this activity was logged and archived for compliance, there’s really nothing suspicious about it — and no reason for it to have captured anyone’s attention — and it never did.

Now, let’s give this same information some critical “context”. The employee entered the building on Sunday evenings, logged onto a workstation, fired up some application, queried the database, retrieved 20,000 records, inserted a USB mass storage device and copied the data to that device - from a workstation that was not even his normal location.

Let’s look at this as it could have been seen with event correlation:

  • Physical access outside business hours
  • Network access outside business hours, from an unusual location (the exposed PC)
  • Application access outside business hours, from an unusual location
  • Database access outside business hours, from an unusual location, resulting in over 20,000 records being retrieved
  • Insertion of a USB mass storage device (a policy violation, but they were blind to this activity)
  • Copying data to the USB device (again, the organization was blind to this activity)

When viewed as a whole, a picture of clearly suspicious activity emerges — that’s context.
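To make the correlation concrete, here is an added example (not TriGeo code, and not from the original post) that walks a constructed audit trail through exactly the checks listed above: off-hours activity, an unusual workstation, a bulk database retrieval and a USB insertion, grouped into per-user sessions so the individual data points add up to one alert. The user names, host names, thresholds, business hours and the two-hour session gap are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit trail (not real Countrywide data): one Sunday-evening
# session by an insider, followed by a normal Monday-morning session.
EVENTS = [
    # (timestamp, user, event type, source, detail)
    ("2007-11-04 19:02:11", "jsmith", "badge_in",   "door-3",  ""),
    ("2007-11-04 19:05:40", "jsmith", "net_logon",  "ws-0421", ""),
    ("2007-11-04 19:06:03", "jsmith", "app_logon",  "ws-0421", "LoanServ"),
    ("2007-11-04 19:10:55", "jsmith", "db_query",   "ws-0421", "rows=20000"),
    ("2007-11-04 19:12:30", "jsmith", "usb_insert", "ws-0421", "mass_storage"),
    ("2007-11-05 09:01:02", "jsmith", "net_logon",  "ws-0117", ""),
    ("2007-11-05 09:30:12", "jsmith", "db_query",   "ws-0117", "rows=12"),
]
USUAL_HOST = {"jsmith": "ws-0117"}  # assumed baseline: each user's normal workstation
BUSINESS_HOURS = (8, 18)            # assumed: Mon-Fri, 08:00-18:00
BULK_THRESHOLD = 10000              # assumed: rows per query that counts as bulk retrieval
SESSION_GAP = timedelta(hours=2)    # events further apart than this start a new session

def outside_hours(ts):
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])

def indicators(ts, user, etype, source, detail):
    """Turn one raw event into zero or more context indicators."""
    hits = []
    if outside_hours(ts):
        hits.append(f"{etype} outside business hours")
    if etype != "badge_in" and source != USUAL_HOST.get(user):
        hits.append(f"{etype} from unusual location {source}")
    if etype == "db_query" and int(detail.split("=")[1]) >= BULK_THRESHOLD:
        hits.append(f"bulk retrieval ({detail})")
    if etype == "usb_insert":
        hits.append("USB mass storage inserted (policy violation)")
    return hits

def correlate(events, min_indicators=4):
    """Group each user's events into sessions; return sessions that reach the alert threshold."""
    sessions, current = [], {}          # current: user -> the session still open for that user
    for raw_ts, user, etype, source, detail in sorted(events):
        ts = datetime.strptime(raw_ts, "%Y-%m-%d %H:%M:%S")
        sess = current.get(user)
        if sess is None or ts - sess["last"] > SESSION_GAP:
            sess = current[user] = {"user": user, "start": ts, "last": ts, "indicators": []}
            sessions.append(sess)
        sess["last"] = ts
        sess["indicators"].extend(indicators(ts, user, etype, source, detail))
    return [s for s in sessions if len(s["indicators"]) >= min_indicators]
```

Running `correlate(EVENTS)` returns only the Sunday-evening session, carrying eleven indicators, while the Monday session produces none and is never reported.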

Is it reasonable to expect that they could have seen this picture? Absolutely!

Assuming that Countrywide has fairly typical security systems and audit best practices in place, this activity would have generated a significant audit trail that could have been correlated, in real time, to alert the security team to highly suspicious, if not clearly malicious, activity.

The lesson here goes well beyond the Superglue Security hole. Identity, access, application and location data is readily available in most environments, but without correlation this data lacks the context needed to detect and prevent insider abuse. It’s the ability to provide real-time correlation that distinguishes security information and event management (SIEM) technology from log management, aggregation and search-based products. TriGeo SIM, for example, ships with over 650 correlation rules — that includes “out of the box” rules that could have easily identified the activity listed above, notified the security team, and even stopped this guy in his tracks.


This post was written by:

Michael Maloof - who has written 6 posts on TriGeoSphere.
