Austal breach analysis a reminder that Australia can do better on credentials

As cyber criminals capitalise on COVID-19 chaos, CSOs should take time to improve credential hygiene.


Poor password hygiene is hardly breaking news — but as forensic analysis suggests that password theft facilitated a data breach at Australia’s largest shipbuilding company, CSOs may want to take advantage of the disruption of the COVID-19 coronavirus pandemic to overhaul their password management once and for all.

The opportunity may not come again for a long time, says Marc Rogers, a long-time hacker turned executive director of identity management firm Okta.

In his earlier days as a corporate CSO, Rogers remembers how hard it was to get and sustain corporate enthusiasm for pandemic plans. “People would look at them, then look at the cost of doing the compliance work to set them up, and you would struggle to find the budget to do that because it was competing with other things like product budgets,” he told CSO Australia.

Yet with executive attitudes rapidly changing thanks to the recent increased activity around the COVID-19 coronavirus pandemic, he says, “companies are going to be a lot better prepared for the things and engagement tomorrow is going to be a lot easier.”

Forensics analysis shows password compromise led to Austal’s breach

That’s small consolation for Western Australia-based shipbuilder Austal, which has only just finished a forensic audit of a November 2018 core systems data breach that saw “some staff email addresses and mobile phone numbers” accessed. The responsible cyber criminal tried to extort money from the company to prevent the release of “certain materials” online, the company said in a statement issued after the breach was discovered.

A February 2019 update noted that the firm, with the help of the Australian Federal Police and Australian Cyber Security Centre, had conducted a “thorough review of its IT systems and security arrangements” and implemented “significant network improvements” including “additional security layers”.

Now, 18 months after the breach, Austal has completed its forensic analysis and pointed its finger squarely at the compromise of passwords — which were sold on dark web sites and used as the basis for credential-stuffing attacks against the company.

The hacker was only caught because he or she tripped a usage alarm while collecting information to steal from the company — which triggered the investigations that eventually revealed the extent of the password compromise.
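The credential-stuffing pattern described above, and the kind of usage alarm that exposed it, as an added example that is not Austal’s, Okta’s or the article’s own code: the log format, the thresholds and the sample log lines are constructed assumptions for illustration.

```python
"""Credential-stuffing detector over constructed authentication log lines.

Heuristic: one source address trying many distinct usernames inside a short
window is a stuffing run; any successful login from that address during the
run marks an account whose reused password was probably in the stolen set.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "timestamp ip username result".
SAMPLE_LOG = """\
2018-11-01T02:00:01 203.0.113.7 alice FAIL
2018-11-01T02:00:02 203.0.113.7 bob FAIL
2018-11-01T02:00:02 203.0.113.7 carol FAIL
2018-11-01T02:00:03 203.0.113.7 dave FAIL
2018-11-01T02:00:04 203.0.113.7 erin FAIL
2018-11-01T02:00:05 203.0.113.7 frank OK
2018-11-01T02:00:09 198.51.100.4 alice FAIL
2018-11-01T02:00:40 198.51.100.4 alice OK
"""


def parse(log_text):
    """Turn the assumed log format into (time, ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: {"distinct_users": n, "compromised": {users}}} for every
    source IP that tried at least min_users distinct usernames within window."""
    by_ip = defaultdict(list)
    for ev in sorted(events):          # sorted by timestamp (first tuple field)
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):    # sliding window over this IP's events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            if len(users) >= min_users:
                a = alerts.setdefault(ip, {"distinct_users": 0, "compromised": set()})
                a["distinct_users"] = max(a["distinct_users"], len(users))
                a["compromised"] |= {e[2] for e in span if e[3] == "OK"}
    return alerts


if __name__ == "__main__":
    print(detect_stuffing(parse(SAMPLE_LOG)))
```

The single user at 198.51.100.4 who mistypes a password once and then succeeds is not flagged; the address cycling through six accounts is, together with the one account it got into.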

Today’s credential attacks ‘like nothing we’ve ever seen before’

The breach was an ignominious downfall for a major defence contractor that supplies warships to armed forces in Australia, the United States and elsewhere.

For other CSOs, however, the event is a reminder about the importance of good password management, even in Australia — where one recent study found Aussie users were poor in this area but still better than most overseas peers.

Indeed, Austal’s experience is hardly unique: fully 29 per cent of the 2019 breaches analysed for Verizon’s Data Breach Investigations Report (DBIR) 2019 were attributed to stolen credentials, a type of data the report found was stolen as frequently as internal data.

Credentials, the DBIR found, comprised fully 53 per cent of the data stolen in breaches of educational services providers, which are often targeted for their many vulnerabilities and large base of potentially exposed users.

Ditto financial and insurance providers, whose data is particularly prized by cyber criminals who stole credentials in 38 per cent of attacks on companies in that industry.

Manufacturers like Austal are particularly vulnerable to the use of stolen credentials, Verizon found, noting that 59 per cent of breaches against manufacturing companies involved phishing and credential theft — with credentials often used against web applications to exfiltrate valuable data.

With cyber criminals increasing their activity during the current crisis and remote workers further complicating the situation, CSOs should take the opportunity to revisit their security business cases — and use the current crisis as a pivot point for better protection going forward.

The imperative has long been there but post-COVID analyses are likely to show even higher rates: Just weeks into the pandemic, Rogers says, the observed surge in cyber criminal activity “pretty much amounts to World War Cyber.”

“We were expecting something,” he said, “but we’re seeing attacks coming from almost every country in the world — and seeing phishing emails in pretty much every language known to man. It’s like nothing we’ve ever seen before.”

Copyright © 2020 IDG Communications, Inc.
