
Should you care about the average?

A recent Red Cross breach exposed sensitive data of more than 500,000 vulnerable individuals.

The breach occurred in November 2021 and was discovered in January 2022. The analysis published by the ICRC (International Committee of the Red Cross) provides a sobering account of the challenges businesses face around data protection and breach detection.

According to the ICRC, patching of the Zoho ManageEngine ADSelfService Plus critical vulnerability CVE-2021-40539 took place some 2 months after Zoho released a patch to address this vulnerability. The breach was then detected 70 days after it had occurred.

Looking at the time it took to patch this critical vulnerability, and then the time it took to detect the breach, one might be tempted to point fingers. The ICRC, however, highlighted its 70-day detection time as being better than the industry average for data breach detection. It was referring to a report published by IBM in 2021 (Cost of a Data Breach) that states an average of 212 days from breach event to detection.

Will this above average performance be of any comfort to the affected parties?

Two takeaways for those in a position to influence these outcomes:

  1. Patch deployment must be prioritized based on risk impact, taking into account, in addition to the CVE vulnerability score, further contextual data. For instance:
    • Resource usage pattern.
    • Direct exposure to Internet.
    • Downstream resources.
    • Account privileges used by the affected resource.
  2. Detection took place when the ICRC rolled out a more sophisticated Endpoint Detection and Response (EDR) solution to replace its existing malware protection agent. This highlights the need for Information Security professionals to ensure they don't become complacent with the controls they have put in place. The tools and techniques used by attackers evolve over time, and so should the technology the business uses to protect against, detect and respond to new challenges.
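To make the first takeaway concrete, here is an added example (not from the original post or the ICRC report) of a risk-weighted patch prioritisation: the CVSS base score is scaled by the contextual factors listed above (usage pattern, Internet exposure, downstream resources, account privileges) and mapped to a patch deadline. The multipliers, thresholds and the sample inventory are constructed for illustration; the ADSelfService Plus entry uses the CVE named in the post, the other CVE identifiers are placeholders.

```python
from dataclasses import dataclass

# Contextual multipliers: illustrative values chosen for this example, not an industry standard.
EXPOSURE = {"internet": 1.5, "partner": 1.2, "internal": 1.0}
PRIVILEGE = {"domain_admin": 1.5, "service": 1.2, "user": 1.0}
USAGE = {"always_on": 1.2, "business_hours": 1.0, "rare": 0.8}


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float      # CVSS base score (0-10) as published for the CVE
    exposure: str    # key into EXPOSURE
    privilege: str   # key into PRIVILEGE: privileges the affected service runs with
    usage: str       # key into USAGE: how heavily the resource is used
    downstream: int  # number of systems that depend on or trust this asset


def priority_score(f: Finding) -> float:
    """CVSS base score scaled by context; may exceed 10, higher means patch sooner."""
    blast_radius = 1.0 + min(f.downstream, 20) / 20  # 1.0 (isolated) .. 2.0 (many dependents)
    raw = f.cvss * EXPOSURE[f.exposure] * PRIVILEGE[f.privilege] * USAGE[f.usage] * blast_radius
    return round(raw, 2)


def patch_deadline_days(score: float) -> int:
    """Map a priority score to a remediation SLA (thresholds are illustrative)."""
    if score >= 15:
        return 2
    if score >= 9:
        return 7
    if score >= 5:
        return 30
    return 90


def rank(findings: list[Finding]) -> list[Finding]:
    """Order findings so the highest contextual risk is patched first."""
    return sorted(findings, key=priority_score, reverse=True)


# Constructed sample inventory: three findings with the same or similar CVSS, very different context.
SAMPLE_FINDINGS = [
    Finding("adselfservice-01", "CVE-2021-40539", 9.8, "internet", "domain_admin", "always_on", 12),
    Finding("dev-jenkins-07", "CVE-PLACEHOLDER-A", 9.8, "internal", "user", "business_hours", 0),
    Finding("kiosk-22", "CVE-PLACEHOLDER-B", 7.5, "internal", "user", "rare", 0),
]

if __name__ == "__main__":
    for f in rank(SAMPLE_FINDINGS):
        s = priority_score(f)
        print(f"{f.asset:18} {f.cve:18} cvss={f.cvss:4} score={s:6} patch within {patch_deadline_days(s)} days")
```

Two findings with an identical CVSS of 9.8 land 35 and 2 days apart on the schedule once exposure, privileges and downstream dependents are taken into account.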

Let’s be careful out there!