Weakness In The Human Firewall

Uber

BEWARE! The gates to the castle walls are still managed by humans and are therefore vulnerable. Every organization needs strong security policies and must regularly train employees on sound security practices.

The recent Uber hack (covered in a GitGuardian article) has revealed that neither the size of a company nor the amount it spends on cybersecurity tools matters when policies fail. Unfortunately, humans are often the weak link in the chain, which is why sound cybersecurity policies and regular employee training are essential to data protection.

A few days ago, a hacker pierced Uber’s security defenses to gain near-total control of Uber’s systems. It appears that the hacker targeted an Uber employee and spammed multi-factor authentication (MFA) requests for over an hour until the user acquiesced and approved the authorization. Once inside, the hacker gained access to the company VPN and network and located highly privileged credentials in a PowerShell script on network file shares. These credentials were used to access Uber’s Privileged Access Management (PAM) system, which in turn gave access to Uber’s production systems, corporate EDR (endpoint detection and response) console, and Uber’s Slack management interface. The hacker also provided screenshots showing administrative access to Uber’s cloud infrastructure on Amazon Web Services (AWS) and Google Cloud (GCP).

These facts show that several modern security tools were in service, including a VPN, PAM, EDR, and MFA. The company was also using top-tier security tools built into public cloud services. These services come highly recommended by security professionals, so why didn’t they protect Uber?

Quite simply, security procedures were bypassed by employees. Uber surely has policies against storing credentials on shared systems and policies requiring that suspicious activity be reported to IT. Employees failed to follow these policies and inadvertently gave away the keys to the kingdom. This is the third breach of Uber’s systems, after others in 2014 and 2016, demonstrating a history of poor cybersecurity practices.
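
The MFA request spamming described in the incident account above leaves a recognizable trace in authentication logs: a run of denied or ignored push prompts for one user, ending in an approval. The following is an added detection example, not part of the original article or any Uber tooling; the log format, event names, window, and threshold are all assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): "<timestamp> <user> <result>"
SAMPLE_LOG = """\
2024-01-10T18:00:05 alice push_denied
2024-01-10T18:04:40 alice push_denied
2024-01-10T18:15:12 bob push_timeout
2024-01-10T18:15:50 bob push_approved
2024-01-10T18:21:03 alice push_timeout
2024-01-10T18:37:29 alice push_denied
2024-01-10T18:52:10 alice push_timeout
2024-01-10T19:03:44 alice push_denied
2024-01-10T19:07:02 alice push_approved
"""

WINDOW = timedelta(minutes=90)  # assumed look-back window
THRESHOLD = 5                   # assumed count of rejected pushes that makes an approval suspicious
REJECTED = {"push_denied", "push_timeout"}  # assumed event names

def parse(line):
    ts, user, result = line.split()
    return datetime.fromisoformat(ts), user, result

def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (user, approval_time, rejected_count) for approvals that follow
    at least `threshold` denied or timed-out pushes inside `window`."""
    recent = defaultdict(deque)  # user -> timestamps of recent rejected pushes
    alerts = []
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    for ts, user, result in events:
        q = recent[user]
        while q and ts - q[0] > window:  # drop rejections older than the window
            q.popleft()
        if result in REJECTED:
            q.append(ts)
        elif result == "push_approved":
            if len(q) >= threshold:
                alerts.append((user, ts, len(q)))
            q.clear()  # an approval starts a fresh sequence
    return alerts

if __name__ == "__main__":
    for user, ts, n in detect_push_fatigue(SAMPLE_LOG):
        print(f"ALERT {user}: approval at {ts} after {n} rejected pushes")
```

An alert of this kind is a cue to contact the user out of band and to treat the approved session as suspect until confirmed.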

What’s the key takeaway?

Strong cybersecurity tools will only take you so far. Employees are essential to data protection. Companies must implement clear data protection policies and regularly train employees on proper security protocols.

Reach out if you need help with any of this.