Mongodb-Bilal Rafi

Cyber Security Data Breach Case Study

INFORMATION SECURITY
ASSIGNMENT
Equifax bank

Submitted to:

Muhammad Zunnurain Hussain


Submitted by: Muhammad Bilal Rafi
1. Introduction to the Case
It has been revealed that a huge MongoDB database exposing 275,265,298 records of Indian
citizens, containing detailed personally identifiable information (PII), was left unprotected on
the Internet for more than two weeks. Security Discovery researcher Bob Dyachenko
discovered the publicly accessible MongoDB database hosted on Amazon AWS using
Shodan, and historical data provided by the platform showed that the huge cache of PII data
was first indexed on April 23, 2019 (Singh, 2019).
2. Identify and explain which of the following data breach types applies to your chosen
organization:
Security Discovery researcher Bob Dyachenko discovered the publicly accessible MongoDB
database hosted on Amazon AWS using Shodan, and historical data provided by the platform
showed that the huge cache of PII data was first indexed on April 23, 2019. This case clearly
points to "Personally Identifiable Information" (PII) as the type of data breach that occurred.
PII is the personal data by which an individual is identified and distinguished from others.
It is defined as data (Chaturvedi, 2010):
• that directly identifies the individual (name, address, email address, contact number), or
• that belongs to a department or organisation connected with the person (Grimes, 2019).
MongoDB has offered the ability to limit remote access since its early days. Version 2.6,
released in April 2014, turned it on by default in certain distributions, while version 3.6 turned
it on across all available versions of the product.

Whoever put this database online was either using an old version they had not reconfigured, or
a newer version with the protection disabled. They might do that for convenience, ignorant of
or indifferent to the security implications (Celesti, Fazio, & Villari, 2019).

Naked Security asked MongoDB why it couldn’t just force developers to turn on authentication
whenever they deliberately removed the remote access protections on the database. A
spokesperson told us:

We respect that our innovative users ask for freedom to set their own course and we do what
we can to keep that possible, while at the same time answering to the standards of care expected
in safety-conscious measured operations. That balance has meant offering both a frictionless
experience for developers and a thorough configuration guide to complex controls like
authentication. We believe setting localhost by default puts users in a mode where they have to
make a conscious decision about their own appropriate path to network safety.

3. Recommend five controls from the 20 CSCs to protect it. Please refer to the 20 CSC
document provided.

S.no  CIS CSC                                            Identify  Protect  Detect  Respond  Recover
1.    Secure Configuration of End-User Devices                      IP
2.    Continuous Vulnerability Assessment & Remediation   RA                 CM      MI
3.    Account Monitoring and Control                                AC       CM
4.    Data Protection                                               DS
5.    Application Software Security                                 IP

4. Assess the impact of the breach on the organization

S.no  Impact of Breach

1.    The organization loses all the personal data of the people it holds.

2.    People blamed the organization for causing identity theft (Naik, Dandagwhal, Wani, &
      Giri, 2019).

3.    The organization suffered heavy losses because it lost many of its customers afterwards.

4.    People blamed the organization for its incapability, since it could not even properly
      protect their personal details.

5.    Attackers can tamper with the whole data set, replacing the original records with
      incorrect ones (Naik et al., 2019).

6.    The organization's administrative accounts get hacked.


5. Identify at least four security issues the organization was facing before the breach.

S.no  Security Issue

1.    People lost their personal information; people complained that unknown people tried
      contacting them.

2.    Someone was illegally creating issues in the administrative account (Maintenance,
      Monitoring, and Analysis of Audit Logs).

3.    Someone illegally accessed users' personal accounts and used their data (Inventory of
      Authorized and Unauthorized Devices) (Mongodb1, n.d.).

4.    Visitors reported they were receiving malicious emails (Singh, 2019).

6. For each security issue identified in the previous question, recommend a suitable
control and proper tools. Please refer to the 20 CSC document provided.

1) Security issue: People lost their personal information; people complained that unknown
   people tried contacting them.
   CSC control: Data Protection; Access Control (Rama, Charan, Dasari, & Ram, 2019)
   Security tools: • Firewall
                   • Antivirus
                   • Intrusion Detection and Prevention Systems

2) Security issue: Someone was illegally creating issues in the administrative account and
   using its data.
   CSC control: Controlled Use of Administrative Privileges; Maintenance, Monitoring, and
   Analysis of Audit Logs
   Security tools: • SolarWinds Access Rights Manager
                   • ManageEngine AD360
                   • 389 Directory Server

3) Security issue: Someone was illegally creating issues in the administrative account.
   CSC control: Account Monitoring and Control; Inventory of Authorized and Unauthorized
   Devices
   Security tools: • Nagios (monitors hosts, systems, and networks, delivering alerts in
                     real time)
                   • Argus (open-source tool for network traffic analysis)

4) Security issue: Visitors reported they were receiving malicious emails.
   CSC control: Email and Web Browser Protection
   Security tools: • Barracuda Essentials
                   • Barracuda Email Security Gateway (Gyorodi, Gyorodi, Pecherle, & Olah,
                     2015)

7. For the previous question, link each tool with a proper risk decision (defence,
transference, mitigation, acceptance, termination).

S.no  Security tool                      Risk decision

1.    Firewall                           Defence
      Reason:
      • A firewall monitors network traffic. It essentially creates a secure network within
        which only secure information can get inside and only allowed data can be sent
        outside. If a firewall is placed in front of the database in which voters' personal
        information is saved, then no unauthorized person can get inside it.
      • With the increase in criminal cases like data theft and criminals holding systems
        hostage, firewalls have become an even more important part of every system. A
        firewall will prevent hacking of the administrative accounts of the Elector
        application and will stop hackers from gaining unauthorized access to people's
        private data (Rama et al., 2019).
      • Firewalls also stop spyware from gaining access to your system. As the system
        becomes more and more complex, there are more entry points for criminals to get
        into it.

2.    SolarWinds Access Rights Manager   Defence
      Reason:
      • It will only provide access to the authorized person. Anyone who tries to log into
        the administrative account might not even be able to pass the security check, as it
        involves two-way authentication and an OTP (one-time password). This is how it
        provides defence to the application (Gyorodi et al., 2015).

3.    Nagios                             Mitigation
      Reason:
      • Software like Nagios monitors hosts, systems, and networks and delivers alerts in
        real time. This reduces the damage caused by a vulnerability by adopting measures
        that limit attacks. The organization could use Nagios to control and manage account
        activity, such as when an account was last seen, the location from which the last
        sign-in was attempted, and what activities were carried out during the last session.

4.    Barracuda Email Security Gateway   Defence
      Reason:
      • The software blocks phishing attacks, DDoS attacks, viruses and malware, and saves
        the email receiver from infecting his/her mobile phone or even laptop. This way
        people could control what kind of emails they wanted to receive and could refrain
        from receiving malicious or spammy emails (Rama et al., 2019).

8. If you have a very low budget for security, which tools will you use? Explain pros and
cons.

Kali Linux
Kali Linux is an amazing Linux distro based on Debian, and it is created for offensive
security purposes. We don't recommend this Linux distro if you are a beginner and
don't know anything about Linux. Apart from that, Kali Linux is also a good choice if you are
doing programming or web or any other development. If you want to use it, you can
easily download and install the latest version of Kali Linux. Kali Linux also gives you
complete control to configure the distro as per your requirements.

Cons:
• It can make your system a bit slower.
• It can corrupt your system.
• Sometimes software creates issues.

Pros:
• Kali Linux supports various languages.
• Users can easily locate the binaries.
• It is an open-source tool, so it makes access easier.
Explain with an illustration a security architecture that should provide the blueprint and
guide the Organization's security program.

• Advanced Security/Data Encryption (TDE)
Protects your data at rest, by encrypting data on disk including your RMAN
database
• Audit Vault
Provides an enterprise security monitoring and auditing platform, and compliance
to HIPAA and other standards
• Database Firewall
Creates a defensive inner-perimeter that monitors and enforces normal application
behaviour, helping prevent SQL injection, application bypass, and other malicious
activity from reaching the database
• Data Masking
Ensures confidentiality by preventing sensitive or confidential parts of the
information from being disclosed to unauthorized parties
• Database Vault
Implements preventive controls on privileged users, to prevent insider attacks

1. Create Separate Security Credentials

To enable authentication, create login credentials for each user or process that accesses
MongoDB. Suppose several users need administrative access to the database. Instead of
sharing credentials, which increases the likelihood that the account will be compromised, issue
each person their own credential and assign them privileges according to their roles, described
next (Singh, 2019b).

2. Use Role-Based Access Control

Instead of giving authorizations to individual users, associate authorizations with roles such as
application server, database administrator, developer, BI tool, and more. Predefined roles are
available out of the box such as dbAdmin, dbOwner, clusterAdmin, and more. Those roles can
be further customized to meet the needs of particular teams and functional areas while
ensuring consistent policies across the organization (Singh, 2019a).

3. Limit Connections to the Database

One way that data leaks occur is that an intruder gains remote access to the database. By
limiting remote connections to the database, you reduce this risk. The best practice is to allow
connections only from specified IP addresses, a practice known as whitelisting. With
MongoDB Atlas, the fully managed service for MongoDB, each Atlas project gets its own
VPC. For additional security, customers can enable VPC peering to the private networks
housing their applications to prevent access over the public internet (Celesti, Fazio, &
Villari, 2019).

4. Encrypt Your Data

In most data leaks, the data is readable by unauthorized users. Encrypting data makes it
unreadable by those who do not have the keys to decrypt it.

Encryption can be applied in a number of ways:

• Encrypting data at rest. Encrypt the data where it is stored. Encryption at rest is not
available for MongoDB Community Edition; it requires MongoDB Enterprise or
MongoDB Atlas.

• Encrypting data in transit. By default, with MongoDB, all data is encrypted in transit
using TLS.

5. Add Extra Encryption for Sensitive Data

A key feature of the MongoDB 4.2 release is client-side field-level encryption. Most
encryption is applied at the server. This means that if someone has access to the server, they
may be able to read that data. Client-side field-level encryption ensures that only the relevant
parties can read their own data on the client side using their unique decryption key
(Chaturvedi, 2010).
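The five hardening steps above, as an added example that is not part of the assignment or of MongoDB's own tooling: a small JavaScript checker that flags the weak mongod.conf settings behind this case (listening on all interfaces, authorization off, no TLS, no encryption at rest) next to a hardened configuration, plus a builder for per-user, role-scoped createUser commands. The sample configuration values, the 10.0.0.5 interface, the certificate path and the database name are assumptions.

```javascript
// Added example, not from the assignment: checks a mongod.conf (given here as a
// JavaScript object using the real YAML keys) against the hardening steps above,
// and builds a least-privilege createUser command. Sample configs are constructed.

// Weak: the exposed-database pattern from the case (all interfaces, no auth, no TLS).
const weakConfig = {
  net: { port: 27017, bindIpAll: true },
  security: { authorization: "disabled" },
};

// Hardened: loopback plus one private interface (assumed 10.0.0.5), auth on,
// TLS required, encryption at rest on (Enterprise/Atlas only per the text above).
const hardenedConfig = {
  net: {
    port: 27017,
    bindIp: "127.0.0.1,10.0.0.5",
    tls: { mode: "requireTLS", certificateKeyFile: "/etc/ssl/mongod.pem" },
  },
  security: { authorization: "enabled", enableEncryption: true },
};

// Returns a list of findings; an empty list means every check passed.
// Note: bindIp limits the interfaces mongod listens on; per-client IP whitelisting
// is done at the firewall or the Atlas IP access list, outside this file.
function auditMongodConfig(cfg) {
  const findings = [];
  const net = cfg.net || {};
  const sec = cfg.security || {};
  const ips = (net.bindIp || "127.0.0.1").split(",").map((s) => s.trim());
  if (net.bindIpAll || ips.includes("0.0.0.0") || ips.includes("::")) {
    findings.push("listens on all interfaces (net.bindIpAll / 0.0.0.0)");
  }
  if (sec.authorization !== "enabled") findings.push("authentication off");
  if (!net.tls || net.tls.mode !== "requireTLS") findings.push("TLS not required");
  if (sec.enableEncryption !== true) findings.push("no encryption at rest");
  return findings;
}

// Steps 1-2: one named credential per user or service, roles scoped to its own
// database. Cluster-wide superuser roles are refused for application accounts.
const SUPERUSER_ROLES = new Set(["root", "clusterAdmin", "userAdminAnyDatabase", "readWriteAnyDatabase"]);
function buildCreateUser(name, pwd, roles, appDb) {
  for (const r of roles) {
    if (SUPERUSER_ROLES.has(r.role)) throw new Error(`${r.role} is too broad for ${name}`);
    if (r.db !== appDb) throw new Error(`${r.role} is scoped outside ${appDb}`);
  }
  return { createUser: name, pwd, roles: roles.map((r) => ({ role: r.role, db: r.db })) };
}
```

Running auditMongodConfig on the weak configuration reports all four findings, while the hardened one returns an empty list; the createUser document can be passed to db.runCommand() in mongosh once authentication is enabled.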

9. Individual reflection (Minimum of 200 words): Summarize lessons learned from this
incident.

Even if security or DevOps teams can detect an unsecured database among all the noise of
security alerting, and recognise its potential severity, responding to and containing such a
misconfiguration even in less than 13 hours may be a tall order, let alone in under 9 minutes,
so prevention is a much stronger defence than cure. For Mongo, access control needs to be
set up manually. However, secured or not, databases shouldn't really be directly exposed to the
internet, as they don't benefit from the same multi-factor authentication as other web services,
which exposes them to credential stuffing and brute force attacks. Instead, they should be
firewalled off, or secured through a VPN. Ideally you should have some way of making this
impossible via policy, rather than simply trying to detect it when it happens. Most modern
cloud platforms can help in this task, so organisations that have fully made the jump may
benefit here. Detecting it when it happens is the next best thing, and a solid backup for if (or
when) the policy control fails, or for cloud environments where policy enforcement is not an
option. Intruder can help with the latter. We identify and prioritise any exposed databases on
your external infrastructure (Singh, 2019a). For Mongo in particular, we'll also make sure to
let you know if any unsecured instances are detected. Alongside daily checks for the latest
emerging threats, we proactively monitor for more elementary problems, such as when
insecure ports and services are opened up to the internet. Our reduced-noise reporting
identifies and ranks areas of the perimeter to target for optimal attack surface reduction
(Naik et al., 2019).
References

Celesti, A., Fazio, M., & Villari, M. (2019). A study on join operations in MongoDB
preserving collections data models for future internet applications. Future Internet, 11(4),
1–17. https://doi.org/10.3390/fi11040083
Chaturvedi, A. (2010). Security Challenges and Solutions in Mobile Smartphone Applications.
9(1), 1–21. https://doi.org/10.21275/ART20204190
Gyorodi, C., Gyorodi, R., Pecherle, G., & Olah, A. (2015). A comparative study: MongoDB vs.
MySQL. 2015 13th International Conference on Engineering of Modern Electric Systems,
EMES 2015, (June). https://doi.org/10.1109/EMES.2015.7158433
Mongodb1. (n.d.).
Naik, S., Dandagwhal, R. D., Wani, C. N., & Giri, S. K. (2019). A review on various aspects of
auxetic materials. AIP Conference Proceedings, 2105(05), 90–92.
https://doi.org/10.1063/1.5100689
Rama, S., Charan, C., Dasari, T., & Ram, S. (2019). Performance Evaluation of Structured and
Unstructured Data in PIG/HADOOP and MONGO-DB Environments. Retrieved from
https://repository.stcloudstate.edu/msia_etds/79
Singh, S. (2019a). Security Analysis of MongoDB. International Journal for Digital Society,
10(4), 1556–1561. https://doi.org/10.20533/ijds.2040.2570.2019.0193
Singh, S. (2019b). Security Analysis of MongoDB. Heinz College, Carnegie Mellon University.
10(4), 1556–1561.
