As renowned ghost hunter and solver of mysteries Scooby-Doo would say, “Ruh roh, Raggy!” It looks like more than ghosts are wreaking havoc on haunted networks. We’re less than a full week into October, and Cybersecurity Awareness Month isn’t quite taking shape the way we expected. Ostensibly, orgs decided to pivot and use this time to confess their sins before Halloween. This year, the magical mystery machine includes some copies of FTK and Volatility. Fred, Daphne, Velma, Shaggy, and Scooby-Doo are all licensed private investigators ready to testify on the stand. Let’s take a trip through what’s happened so far and the lessons we’ve learned.
Luckiest Breach Announcement Timing … Ever?
Before October 4, you likely had not heard of Syniverse, though it works with 95% of the top 100 telecoms in the world. If you learned about them on October 4, it was first thing in the morning, and then … other stuff happened. Unfortunately, your texts, call records, and more were likely hoovered up by hackers in yet another third-party telecom breach. What makes this breach unique — for now anyway — is that the unauthorized access went unnoticed or undisclosed for five years, topping SolarWinds by an order of magnitude. It also highlights the risks of SMS and geolocation data, which could play a critical role in misinformation/disinformation and espionage.
Facebook disappeared from the internet — literally — and that effectively buried the Syniverse news under a mountain of speculation about the Facebook outage. In an ironic twist of fate, Facebook, one-time social network and now disinformation distribution platform, simultaneously contended with the outage and experienced a deluge of rumors on the cause. Speculation ranged from an insider show of solidarity with the whistleblower to the opposite, using the outage to draw attention away from the whistleblower testifying to the US Congress. The truth is less salacious but far more realistic: A faulty configuration change interrupted communication between data centers.
While Facebook data centers could not communicate, few tried to communicate at all about Syniverse. And that’s troubling, since Syniverse “processes 740 billion texts yearly and has over 300-plus direct connections to mobile operators” per its website.
This breach is not limited to an individual consumer’s text messages and records. Twilio is a minority owner of Syniverse and is mentioned as one of its major contributors to revenue, behind only AT&T. That makes this breach relevant from a B2C and B2B perspective, given Twilio’s reach into the developer world.
The long tail of this breach will have far-reaching consequences. As Sen. Ron Wyden told Motherboard: “The information flowing through Syniverse’s systems is espionage gold.” Expect security and privacy events that trace back to this one for years.
Attackers Reveal How Twitch Fails Livestreamers
In what’s certainly damaging to users — but perhaps more so damaging to the platform itself — Twitch, the dominant livestreaming choice for content creators, experienced a massive data leak. This one features partner, platform, and product security issues. And perhaps the ugliest part of all, it provides a serious glimpse into gender and racial pay gap disparities between content creators. The payout rates negotiated between Twitch, sponsors, and streamers are now publicly available and exposed. There’s zero doubt Twitch — already facing competition from YouTube for streamers — could see a talent exodus as feelings of unequal treatment get confirmed as fact. As a platform, Twitch sits between content creators, sponsors, advertisers, and viewers, facilitating and monetizing parasocial relationships. That ecosystem requires trust, which data breaches and disclosure of sensitive intellectual property threaten.
Breaches often come at the worst possible time, and Twitch already had serious issues with content creators facing harassment from viewers and other streamers on occasion. Hot tub streams, hate raids, swatting, racism, and sexism plague Twitch. A data breach is not the most serious problem the company faces given those other items, but it’s certainly not making things easier.
The Power Of Incident Response Compels You
If the month keeps going the way it is, by Halloween the “X” in XDR (extended detection and response) might stand for eXorcism, given the ratio of breach announcements to days of October we’ve experienced so far. Add on to this the volume and severity of breaches reported in 2021, and we’re swimming in pea soup. Yet, according to Forrester Analytics Business Technographics® Security Survey, 2021, just 12% of respondents list breach and attack simulation as a top information/IT security priority over the next 12 months.
Now is not the time for Scooby and the gang to sit around eating snacks! Firms should revisit, revise, and rehearse incident response and crisis management plans at least biannually, if not quarterly, to keep up with attackers and their tactics. At least one of those breach simulations should be a ransomware attack, and all exercises should assume data exfiltration. Those concerned about data that could come from Twitch should consider a crisis management exercise.
For customers, platforms, and partners, trust is on the line. Don’t wait until the incident is underway to assemble your crisis management ecosystem of critical third parties like legal, digital forensics and incident response, and PR. Assemble it ahead of time to ensure that notifications, handoffs, and all communication flow smoothly, and consider media training for key executives who will be seen as the face of any crisis affecting your firm.
Zero Trust To The Rescue
The old way of approaching security architecture is already widely known to be a failure from a technical perspective (see the above examples if you aren’t convinced). Add in the business realities of interconnected relationships between platforms, partners, and customers, and security, risk, and privacy leaders who don’t shift their strategy will get totally left behind. That makes a shift to Zero Trust architectures a requirement.
Customers and business partners demand dependability and trust that you’re protecting the entire ecosystem by forgoing inherent trust in any user, device, or system. Zero Trust enables you and your ecosystem to be both resilient and protected. At the end of the day, organizations don’t want another mystery on their hands, and isn’t it more fun to be the meddling kids and dog that didn’t let the bad guys get away with it?