While I was flipping through some news stories the other day, a small headline appeared that piqued my interest.
The headline reads: Former St. Louis Cardinals Exec Pleads Guilty To Cyber Espionage Charges
Cyber espionage… in baseball? That was too intriguing to pass up!
It essentially describes this: employees from one club, the St Louis Cardinals, left to join another club, the Houston Astros. During their previous tenure with the Cardinals, they had built databases of scouting and talent reports. When the employees joined the Astros, a very similar database got constructed.
The Cardinals are now concerned that their intellectual property has been misappropriated. So they used a list of “master passwords” that were in use at the time their databases were built, and use those, or variants of those, to break into the Astros databases.
In one instance, Correa was able to obtain an Astros employee's password because that employee has previously been employed by the Cardinals. When he left the Cardinals organization, the employee had to turn over his Cardinals-owned laptop to Correa – along with the laptop's password. Having that information, Correa was able to access the now-Astros employee's Ground Control and e-mail accounts using a variation of the password he used while with the Cardinals.
There are a few things are going on as described in the release. Let's examine them.
- The employee obviously reused passwords, or close variants, and in this case carried them over from one organization to another. This very common practice by humans lends us to believe that security awareness training was not conducted well or not enforced.
- The databases were presumably web-enabled applications from the descriptions. It does not appear that proper account control was used, such as restricted logins
- From the DOJ release at least four intrusions occurred before the Astros required all users to change their passwords to something more complex. Was monitoring being done, or was this a lucky break?
- However … when they reset the passwords, they emailed the default passwords out to the users …which were intercepted because email accounts were in control of the attacker. Very common security gaffe made by operational teams.
- Several more intrusions happened before the intruder was finally caught & identified.
The intruder was finally charged with five counts of unauthorized access of a protected computer. Each conviction carries a maximum possible sentence of five years in federal prison and a possible $250,000 fine. Sentencing is set for April 11.
Espionage is not just a cloak and dagger drama played out by three letter agencies. It can happen in the unlikeliest of places, even baseball. It stands to reason that you and your organization are just as exposed.
The question then is: are you enabling corporate espionage by not having real, enforceable security controls for your organization?
To answer that question, you need to look at how you are managing security in your organization. Let's just look at the points mentioned above.
Security awareness training is an important, but often overlooked and underfunded tool that builds good security behaviors into your organization.
Security awareness is recognized in several control frameworks as an essential element to your security program. NIST 800-53 (AT, SA & PM), HIPAA 164.308(a)(5), PCI 3.0 (12.6), ISO27000-2013 (A.7.2.2) and CIS Critical Control 17 all refer to security awareness training.
NIST 800-53 has security awareness guidance, in control AT-2. The control states the organization provides basic security awareness training to information systems users as part of initial changes, when required by information system changes, and on an organizational defined frequency thereafter.
The common mistake with frequency is that organizations choose annual or bi-annual timeframes. If you want a behavior to become habitual, you need to reinforce it as often as possible. Awareness education also needs to be fresh. You don't have to spend a lot of money or resources on this. It can be in the form of reminders newsletters, or stories around the water cooler like this one from current events to help describe desired behaviors.
Account Monitoring and Control
Proper account monitoring and controls, especially for web-exposed applications are extremely important, as attackers will frequently impersonate legitimate users. NIST 800-53 (AC), HIPAA 164.308 and 164.312, PCI 3.0 (7.1 – 7.3 and 8.7 – 8.8), ISO 27000-2013 (A.9.xx) and CIS Critical Controls number 16 all reference account monitoring and control.
The first step is to ensure accounts which cannot be associated to a business process and owner are disabled. Then sweep all old accounts and remove them. Attackers will take advantage of dormant accounts to get into a network. All user accounts should have expirations.
Monitoring account activity is also required to spot suspicious activity. A SIEM can spot patterns of use that might trigger an alert (such as logging into a system after business hours), or a login from a restricted IP can be flagged. As Yogi Berra once said, “you can observe a lot by watching.”
Default Password Handling
From a process perspective, default passwords should never be emailed. All default passwords should require some form of authentication of the user. This could be a call into support, or a visit to the desk. Attackers can gain control of a users email account, and when passwords are set or reset, the attacker will have access to the account. Human to human interaction for default passwords, with a proper authentication step, is the safest way to distribute passwords.
The situation that happened to the Astros could have been prevented or discovered early, and the damage might have been reduced. Take a close look at your account control policies and practices, your web-enabled applications security, and your fraudulent activity monitoring. When was the last time these controls were validated? Do they even exist? As for user awareness, when was the last time they were told about bad passwords and the dangers of re-use? This baseball story is one you can use to illustrate why re-use behavior is bad.
I don't always agree with the famous quote by Eldrige Cleaver, but in this case it's very appropriate: “You are either part of the solution or part of the problem.”
And to quote the famous Yogi Berra, “It ain't over ‘til it's over!”