Human nature as the Uber threat to Cybersecurity

There are a lot of expert opinions on what the greatest cybersecurity threat currently is or what the next greatest threat will be to business and technology. And these are important opinions because cybersecurity is constantly evolving. Organisations of all shapes and sizes are fighting the war against cyber attackers. 

As we have seen even in the past year, cyberattacks are becoming more and more sophisticated, which makes it harder to detect and mitigate them. As cyberattacks evolve, so does security technology and the security assessment methodologies used to detect and fight these attacks.

Until the perfect solution is found, and I would like to think there is a belief that it is someday possible, one of the unspoken aspects of fighting cyber-attacks is how do we handle the threat that human nature presents to cybersecurity. 

The latest disclosure of the 2016 data breach for Uber Technologies, Inc., the worldwide ride-hailing company, is an unfortunate example. It has been added to a list of worldwide data breaches which involved the information of millions of people. But it was the decisions and actions of apparently one or two people at Uber, who based on their backgrounds and experience, certainly should’ve known better, that throws a huge monkey wrench into a major, necessary component in the fight against cyber criminals--the trust, cooperation and sharing of information between all parties involved in the battle to protect personal data.

Origin of Uber's data breach

According to news first reported by Bloomberg, and followed up by many other news organisations, in 2016, Uber’s customer data was infiltrated via a private coding site used by Uber software engineers. The perpetrators then obtained login credentials at the coding site and subsequently gained access to data stored on an Amazon Web Services account, used for Uber’s computing transactions. Once inside, the hackers came upon an archive of rider and driver information. 

The hackers got a hold of the personal data of some 57 million customers and drivers, including some 600,000 U.S. driver’s license numbers. Then they asked for a large amount of money to “delete” the data and keep the breach quit. The hackers thought this haul was worth $100,000 and they were right. Uber paid the ransom and made a decision to keep the whole thing hidden from both the people whose data was compromised and, obviously, the rest of the world.

At the time, Uber was involved with regulators from the United States regarding several other claims of privacy violations. One would have to assume that this fact was the driving force behind how the company’s security chief, a former federal prosecutor no less, decided to handle the situation. Obviously, covering it up was the wrong way to do it (as it always seems to be). Willfully ignoring the legal obligation to disclose the breach has drawn a public admission of culpability by new Uber CEO Dara Khosrowshahi, who took over the job of leading Uber after this particular incident occurred. To his credit, Khosrowshahi offered no excuses and has stated Uber will be changing the way it does business. However, a serious reckoning still awaits.

Will such an admission by Uber be enough to restore the trust that’s been lost, especially from cybersecurity regulators and, of course, Uber’s customers? Will local, state and federal politicians point to Uber’s behaviour and use it in tandem with numerous other recent high-profile data breaches to enact even harsher cybersecurity law? Will more stringent laws and penalties now be directed at firms beyond banks, insurance companies, and other financial services organisations? The European Union’s General Data Protection Regulation (GDPR) will go into effect in 2018 affecting any business, including those in the United States and elsewhere, that collects customer data from EU constituents. With a deadline looming, there are businesses all over the world still struggling with deciphering the business impact of GDRP and the institution of internal compliance measures.

Detecting a breach

Although no credit card, social security numbers or trip details were said to be compromised in this particular breach, it appears obvious that Uber did not deploy the appropriate security technology and controls that would be aligned with standard requirements to keep this information safe. For over a decade, those methods included vulnerability scans and penetration tests. Later on, targeted simulated attacks performed by red teams manually were added to the security arsenal. Recently a new method of security testing known as “Breach and Attack” simulation has been introduced.

Vulnerability scans are performed by an application (proprietary or open source) and check for vulnerabilities that are already known to vendors, integrators, security experts, or that have already been exploited by cyber attackers. The application scans for thousands of different security vulnerabilities in networks or host systems, such as software bugs, missing operating system patches, vulnerable services, insecure default configurations, and web application vulnerabilities. This is used to assist automating the security auditing process of an organisation’s IT. Vulnerability scans can automate security auditing and can be a crucial part in the organisation’s IT security, scanning networks and websites for thousands of different security risks. The resulting list of vulnerabilities to patch can be used to remediate them.

Manual penetration testing (or pen-testing) is conducted by human testers (in-house or outsourced to 3rd party) who try to evaluate the security of an organisation’s infrastructure by safely exploiting vulnerabilities. Those vulnerabilities can be present in operating systems, services or applications, as well as faulty configurations or risky end-user behaviour. In other words, the corporate network, applications, devices, and/or people are attacked to check if a hacker would be able to penetrate the organisation. The tests also reveal how deep an attacker could penetrate and how much data could be stolen or exploited.

Targeted simulated attacks (also known as red teaming or attacker simulation) are gaining in popularity – and for good reason. Apart from identifying weakness in the organisation’s security posture, it can also provide valuable insights about your organisation’s capability to identify attacks in progress and remove them from the environment to take a proactive approach. Using multi-step attacks for distinct adversary types and leveraging this knowledge to identify promising combinations of information security controls through simulation optimisation.

Breach & Attack Simulations (BAS) is a new option for targeted attack simulations that use a multi-vector approach. This particular platform for simulating targeted attacks is an effective way to by measuring the organisation’s true preparedness to handle cybersecurity threats effectively at a limited risk. Using an offensive approach and defensive actions, BAS exposes critical vulnerabilities by simulating multi-vector cyberattacks from an attacker’s perspective. The key advantage of BAS technologies is the ability to run simulations on-demand or at regularly scheduled intervals with no business interruption. It immediately alerts IT and business stakeholders about existing gaps in the security posture or to validate that security infrastructure, configuration settings and prevention technologies are operating as intended.

There is no way to guarantee that the employment of any one of these four basic measures would’ve prevented Uber from being penetrated by people hell bent on taking advantage of vulnerabilities, both technological or human in nature. But when it comes to cybersecurity, the cost of wilful negligence can almost always be measured in dollars. If we analyse some of the largest data breaches that organisations experienced in recent years, this breach could cost Uber over $50 Million dollars, besides the ransom of $100K. Finally, it’s important to emphasise that if this breach had occurred under GDPR regulation, Uber could have been fined 4 per cent of its revenues. How many rides would it take to make that up? 

Eyal Wachsman, Co-founder & CEO of Cymulate 

Eyal Wachsman

Eyal Wachsman is the Co-founder & CEO of Cymulate, Ltd., a provider of a SaaS-based, on-demand Breach and Attack platform against the most advanced multi-vector attacks and the latest threats. He has over 18 years of working experience.