The breach of a major organization should never be blamed on a single individual. With news that this week's Uber hack was due to the theft of login credentials from a weary Uber contractor many (including the company itself) have felt inclined to lay the blame solely on this single worker: a bad, lazy apple who does not reflect Uber's total security apparatus. This point of view is short-sighted and convenient for the rideshare giant, as it deflects blame that should be targeted at Uber's entire security culture. The attack - which resulted in the breaching of the company's internal systems and has numerous ongoing threat implications that are still being understood - should be seen as a failure of Uber's companywide approach to cybersecurity. Any major corporation that can be severely compromised due to one contractor's MFA fatigue is not a company that takes security as seriously as it should. While Uber aims to stem the damage (both internally and to its reputation), it should be cognizant of the fact that investing in proper Security Awareness Training would be much more beneficial than playing the blame game.
Cybersecurity spending for organizations can sometimes be a contentious issue, particularly as hackers develop new techniques and news of breaches befalling organizations that have heavily invested in cybersecurity cause board members to wonder what their security budget is paying for.
This dissatisfaction, both with operational inefficiencies and the inability of certain security services to adapt to ever-changing security risks, has caused some organizations to consolidate their cybersecurity solutions. In a recent report published by Gartner, it was revealed that 75% of organizations are "pursuing security vendor consolidation" in 2022, a nearly threefold increase from 2020. This survey, conducted over Spring 2022 with over 400 international organizations, highlights a growing trend in cybersecurity spending, as companies are willing to partner with fewer vendors claiming to offer more adaptable, cost-effective, and robust security services.
While the impulse to partner with security vendors who claim to do the work of five teams for a fraction of the cost is enticing, it is important to note that these solutions are only as strong as the companies offering them, as well as the ability for these solutions to be seamlessly integrated on an organization's network. Good cybersecurity people and processes drive good results, and the allure of an all-in-one security solution must not obscure the work needed for implementation, nor the reputation of the companies touting these magic cure-alls.
A hallmark of successful threat actors is their ability to exploit overlooked or insecure entry points. This week, this strategy was proven successful yet again in the exploitation of Mitel's VoIP Systems.
Voice over Internet Protocol (VoIP) refers to the method and the series of technologies utilized to make voice calls over the Internet rather than a standard telephone line.
VoIP tech commissioned by Mitel, a Canadian telecommunications company that specializes in VoIP technology, became the entry point of a ransomware attack by the Lornenz ransomware group, who exploited a remote code execution vulnerability in Mitel's MiVoice Connect to gain access to connected devices of organizations that utilize the platform, knocking out communication capabilities and leaving these devices open to the prospect of 'double ransoming' (wherein sensitive data found on these devices is stolen and ransomed as well). While the security flaw was soon patched by Mitel, this attack shows the threat potential of Mitel's VoIP technology, and the need for organizations that use this tech to make sure it meets their safety standards through internal audits and security patches. Ransomware groups that are lucky, determined, and creative enough to find previously unrecognized entry points for their nefarious activities will often be rewarded. It is up to organizations and their security teams to stay vigilant regarding these evolving tactics.