One good thing about breach notification laws is that we tend to find out more about what actually happened.
Last month Citrix announced that hackers broke into their network and stole documents – corporate secrets. They said they found out when the FBI came to tell them (that probably was not fun to admit). Security firm Resecurity said that the hackers stole 6 terabytes of data. Citrix said it was part of a sophisticated counterespionage campaign by a nation-state.
Now we are hearing more of the story because Citrix is required to report the breach to the California Attorney General. The letter says, in part, that they got a visit from the FBI on March 6. They started an investigation after being notified and currently believe the hackers got in around October 13, 2018. This means that the hackers had access to the systems for about 5 months before the FBI told them. As opposed to their original statement that the hackers stole business documents, they are now saying that the hackers stole, among other things, documents about current and former employees and their dependents. This includes personal and financial information.
In a stroke of brilliance, Citrix selected Equifax, the company that had the largest breach of personal information in US history, to provide identity theft protection.
Citrix is also admitting that the hackers likely got in using a password spraying attack. Password spraying is where hackers take a short list of common passwords (think "Winter2018!" or "Password1") and try each one against a large number of accounts, one or two guesses per account, so they stay under the per-account lockout threshold. It is not the same as credential stuffing, which replays username and password pairs taken from old breaches. Not exactly a high tech attack.
This likely indicates that Citrix was not using multifactor authentication on the login path that was sprayed. Spraying still finds accounts with weak passwords even when MFA is on, but it cannot turn those passwords into a session unless the second factor is missing or the password can be used on a legacy protocol that never prompts for one.
So, one of the premier tech companies, which is a vendor to the federal government, was unaware that hackers were inside their systems for 5 months and stole 6 terabytes of data, and the only reason they found out was that the FBI told them.
They also, apparently, did not have sufficient logging and alerting in place to detect the theft of 6 terabytes of data. That much outbound traffic should trip egress monitoring, and the spray that preceded it leaves its own fingerprint in the authentication logs: many different usernames failing from the same source in a short window, a pattern per-account lockout counters never see.
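The spray pattern described above is easy to miss if you only count failures per account, because each account sees only one or two. The following is an added example (not from the original post, and not Citrix's tooling) that shows the per-source view a detection rule needs: it parses constructed sample log lines, labels each source IP as spraying, brute-forcing, or neither, and then lists the accounts a spraying source later logged into, which are the accounts to reset first. The log format, field names, IP addresses and thresholds are assumptions chosen for the example.

```python
"""Spot password spraying in authentication logs.

A spray hits many accounts with one or two guesses each, staying under
per-account lockout thresholds, so per-account failure counts never fire.
The signal is in the per-source view: one source, many distinct usernames,
few failures per username, all inside a short window.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log lines for illustration; these are not Citrix's logs.
# 203.0.113.7 sprays six accounts once each, then succeeds against "grace".
# 198.51.100.9 hammers a single account (classic brute force, not a spray).
# 192.0.2.5 is a user who mistyped a password once and then got it right.
SAMPLE_LOG = """\
2018-10-13T02:00:01Z auth=FAIL user=alice src=203.0.113.7
2018-10-13T02:00:04Z auth=FAIL user=bob src=203.0.113.7
2018-10-13T02:00:07Z auth=FAIL user=carol src=203.0.113.7
2018-10-13T02:00:10Z auth=FAIL user=dave src=203.0.113.7
2018-10-13T02:00:13Z auth=FAIL user=erin src=203.0.113.7
2018-10-13T02:00:16Z auth=FAIL user=frank src=203.0.113.7
2018-10-13T02:00:19Z auth=OK user=grace src=203.0.113.7
2018-10-13T02:05:00Z auth=FAIL user=admin src=198.51.100.9
2018-10-13T02:05:01Z auth=FAIL user=admin src=198.51.100.9
2018-10-13T02:05:02Z auth=FAIL user=admin src=198.51.100.9
2018-10-13T02:05:03Z auth=FAIL user=admin src=198.51.100.9
2018-10-13T02:05:04Z auth=FAIL user=admin src=198.51.100.9
2018-10-13T02:05:05Z auth=FAIL user=admin src=198.51.100.9
2018-10-13T08:30:00Z auth=FAIL user=alice src=192.0.2.5
2018-10-13T08:30:08Z auth=OK user=alice src=192.0.2.5
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ok: bool
    user: str
    src: str


def parse_log(text: str) -> list:
    """Parse 'timestamp key=value ...' lines into AuthEvents sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(AuthEvent(
            ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            ok=kv["auth"] == "OK",
            user=kv["user"],
            src=kv["src"],
        ))
    return sorted(events, key=lambda e: e.ts)


def classify_sources(events, window=timedelta(minutes=30),
                     min_users=5, max_per_user=2, brute_threshold=5) -> dict:
    """Label each source IP as 'spray', 'brute-force' or None.

    For every failure from a source, look at the failures from that source in
    the following `window`. Many distinct users with at most `max_per_user`
    failures each is a spray; `brute_threshold` or more failures against one
    user is brute force. Thresholds are assumptions; tune them to your logs.
    """
    failures = defaultdict(list)
    for e in events:
        if not e.ok:
            failures[e.src].append(e)
    verdicts = {}
    for src, fails in failures.items():
        verdict = None
        for i, start in enumerate(fails):
            in_window = [f for f in fails[i:] if f.ts - start.ts <= window]
            per_user = Counter(f.user for f in in_window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                verdict = "spray"
                break
            if max(per_user.values()) >= brute_threshold:
                verdict = "brute-force"
        verdicts[src] = verdict
    return verdicts


def successes_from_spraying_sources(events, verdicts) -> list:
    """(src, user) pairs where a spraying source later authenticated successfully."""
    sprayers = {src for src, v in verdicts.items() if v == "spray"}
    return sorted({(e.src, e.user) for e in events if e.ok and e.src in sprayers})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    verdicts = classify_sources(evts)
    for src, label in verdicts.items():
        print(f"{src:15} {label}")
    print("accounts to reset:", successes_from_spraying_sources(evts, verdicts))
```

The sliding window matters: a patient sprayer spreads guesses over hours so that no fixed five-minute bucket ever holds enough distinct users, so widen the window (and lower `min_users`) until it catches the slowest spray you are willing to tolerate, and run the same logic across every login surface (VPN, webmail, SSO), since attackers pick the one without MFA.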
And while Equifax’s breach response services may be okay, the optics of it are terrible.
It appears from what they are saying that these attackers got in by the digital equivalent of rattling doorknobs until they found one where the lock fell off in their hand.
If I was a customer of Citrix, I would be looking at a different vendor.
Now here is the important part.
WOULD YOU DO ANY BETTER?
OR WOULD YOU ALSO HAVE TO WAIT FOR THE FBI TO COME TELL YOU THAT YOU HAVE BEEN HACKED?
If you don’t know the answer to that question and cannot confidently explain why, then you may be in the same boat as Citrix. And right now, that boat has holes in it and is taking on water.
If you need help, come talk to us. It will take work, but it is doable. Source: The Register.