Six key takeaways from the Optus data breach


About a week before Cybersecurity Awareness Month, Optus, Australia's second-largest telco, reported that it had been the victim of a cyberattack that may have compromised customers' names, dates of birth, phone numbers, email addresses and postal addresses, as well as ID document numbers such as driver's licence or passport numbers.

The company, however, maintained that payment details and passwords were not affected. Kelly Bayer Rosmarin, Chief Executive Officer of Optus, said the company had acted to shut down the attack as soon as the incident was discovered.

Following the data breach, what lessons can be learned going forward? As cyberattacks become more sophisticated, what can enterprises do to prevent a similar fate?

Frontier Enterprise reached out to several cybersecurity experts to gauge their thoughts on the matter, as well as explore the tools and strategies that can be leveraged against current and emerging cyberthreats.

Takeaway #1: API security played a role

Most of the experts consulted believe the Optus data breach stemmed from weak API security, reinforcing calls to fortify defences against what Gartner predicted would be the most common attack vector of 2022.

“While the specific exploit(s) of the recent Optus cyberattack are still unconfirmed, publicly accessible APIs may be a contributing factor. If confirmed, it wouldn’t be surprising, given Gartner’s prediction that APIs will become the most common attack vector in 2022,” said Troy Leliard, APAC Solution Architect, Noname Security.

In commissioned research titled "The 2022 API Security Trends Report," Noname found that nearly half of the organisations surveyed had low confidence in the completeness of their API inventory, and that 41% of respondents had encountered an API security incident in the previous 12 months.

Top among the API security-related issues cited were:

  • Poor API logging practices
  • Problems with API authentication
  • API misconfiguration

What’s more concerning, Leliard added, was the apparent disconnect between real-world scenarios, and organisational attitudes towards API security.

“Additional research found that the level of misplaced confidence around API security is disproportionally high, in comparison to the number and severity of API-related breaches. This points to the need and urgency for further education by Security, AppSec and development teams around the realities of API security, and is hopefully something that comes out through broader government cyber education initiatives,” he said.
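The three issues in the list above (missing logs, weak authentication, misconfiguration) usually show up together in one endpoint. The following added example, which is not code from the page, from Optus or from any vendor quoted here, models a customer-lookup API in the weak form beside a hardened form: the hardened handler authenticates the caller with an HMAC-signed bearer token, enforces object-level authorisation so a caller can only read its own record, trims what the response returns, and writes an audit entry for every decision. The customer records, the token secret and the in-memory audit list are constructed for the illustration.

```python
"""Customer lookup API: the weak pattern beside a hardened version.

Added illustration. CUSTOMERS, TOKEN_SECRET and AUDIT are constructed stand-ins
for a database, a managed secret and a log pipeline feeding a SIEM.
"""
import hashlib
import hmac
import time

# Constructed sample records standing in for a customer database.
CUSTOMERS = {
    1001: {"name": "A. Example", "dob": "1990-01-01", "licence_no": "DL-0001"},
    1002: {"name": "B. Example", "dob": "1985-06-15", "licence_no": "DL-0002"},
}

TOKEN_SECRET = b"constructed-demo-secret"  # assumption: a real service loads this from a secret store
AUDIT = []  # assumption: in-memory stand-in for the API access log


def get_customer_vulnerable(customer_id):
    """The weak pattern: no caller identity, no ownership check, no audit entry.
    Anyone who can reach the endpoint can walk every sequential ID and pull
    the full record, licence number included."""
    return CUSTOMERS.get(customer_id)


def issue_token(subject_id, ttl_seconds=300, now=None):
    """Mint a bearer token binding a customer ID to an expiry, signed with HMAC-SHA256."""
    now = time.time() if now is None else now
    payload = f"{subject_id}:{int(now) + ttl_seconds}"
    sig = hmac.new(TOKEN_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def verify_token(token, now=None):
    """Return the subject ID if the token is well-formed, authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        subject, expiry, sig = token.split(":")
        subject_id, expiry_ts = int(subject), int(expiry)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(TOKEN_SECRET, f"{subject}:{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison of signatures
        return None
    if expiry_ts < now:
        return None
    return subject_id


def _audit(outcome, customer_id, subject, client_ip):
    """Record every authorisation decision, allowed or denied, for later analysis."""
    AUDIT.append({"outcome": outcome, "customer_id": customer_id,
                  "subject": subject, "client_ip": client_ip})


def get_customer(customer_id, bearer_token, client_ip="0.0.0.0", now=None):
    """Hardened handler: authenticate, authorise per object, log, minimise the response.
    Returns (status_code, body) in the spirit of an HTTP response."""
    subject = verify_token(bearer_token, now=now)
    if subject is None:
        _audit("deny_unauthenticated", customer_id, None, client_ip)
        return 401, {"error": "authentication required"}
    if subject != customer_id:
        # Object-level authorisation: a caller may only read its own record.
        # (Some designs return 404 here so the endpoint does not confirm the ID exists.)
        _audit("deny_forbidden", customer_id, subject, client_ip)
        return 403, {"error": "forbidden"}
    record = CUSTOMERS.get(customer_id)
    if record is None:
        _audit("not_found", customer_id, subject, client_ip)
        return 404, {"error": "not found"}
    _audit("allow", customer_id, subject, client_ip)
    # Data minimisation: the ID document number stays in the backend.
    return 200, {"name": record["name"], "dob": record["dob"]}
```

The audit entries for denied requests are what make the enumeration visible later: a client collecting one 403 per customer ID is a pattern a SIEM rule can trip on, whereas the vulnerable handler leaves nothing to correlate.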


Meanwhile, Curtis Simpson, CISO at Armis, warned of a dangerous precedent involving API security.

“API exploitation will be commonplace going forward with this actually being a simpler example of exploitation potential, while in parallel, also being a clear example of why traditional edge-based API security programmes need to be revisited,” he said.

According to Simpson, API transactions are already outpacing the number of user transactions in modern online platforms, since APIs are the entry point into the modern application and the data it processes.

“Exposures associated with APIs range from configuration-based to logic-based vulnerabilities that can be exploited to compromise platforms, networks, users, and data. Traditional edge security and application security testing capabilities are not identifying nor facilitating the remediation or protection against the exploitation of such exposures at scale, across cloud environments that continue to transform alongside business operations,” the CISO explained.

Some of the capabilities that must be adopted in order to safeguard modern web services include:

  • Real-time logic-based protections
  • API exposure analysis
  • Prioritisation
  • Remediation through development stacks 

“Digital business is done over APIs. Our security programs and technologies must continue to evolve around where our businesses live and operate,” Simpson stressed.

Takeaway #2: Asset visibility is essential

The personal data of up to 10 million customers is believed to have been stolen, with the alleged hacker (or hackers) demanding US$1 million in cryptocurrency and threatening to leak the data of 10,000 Optus customers for every day the ransom went unpaid.

In an abrupt reversal, the alleged attacker, posting under the name "optusdata", later apologised for leaking the data of 10,200 Optus customers and claimed that the only copy of the stolen data had been destroyed because of "too many eyes." The alleged hacker also claimed that no ransom was paid.

To prevent a similar occurrence, enterprises must have continuous visibility and insight into the behaviour of all their assets.

“Of particular importance are unmanaged assets with the potential to disrupt critical operations and/or client services. This includes IoT devices, OT infrastructure, and cellular IoT, amongst others,” said Armis’ Curtis Simpson.

“Maintaining safe service availability in such an eclectic and hybrid ecosystem requires a foundational and continuous understanding of the technology in the business landscape. All downstream proactive and reactive risk and threat management strategies must be executed per this continuously evolving view into the business and attack surfaces,” he added.

Takeaway #3: Have a post-breach plan


Once a data breach has taken place, how can an organisation minimise the damage and recover quickly? This is where having both a business continuity plan and an incident response plan pays off, noted Edwin Koh, Regional Director, SEA, Edgio.

“You must act quickly when it happens. Re-establish your company as a reliable partner that takes its security posture seriously. Think about your customers’ point of view — would you do business with a company that doesn’t take all steps to secure your data? Trust between two parties is the glue that keeps (businesses) moving forward, so take time to build it together,” he continued.

The cybersecurity expert also recommended the following measures after a cyberattack:

  • Conduct a penetration test to identify parts of your application to improve.
  • Perform a security audit, scoped by time and resources.
  • Put full security plans in place and document them.
  • Let customers understand what corrective steps you have taken.

In the case of Optus, an incident response plan appeared to be in place, since CEO Kelly Bayer Rosmarin was able to provide initial details and a statement within hours, observed Phillip Ivancic, APAC Head of Solutions Strategy, Synopsys.

“The early reports indicate that the breach was picked up as a part of their continuous assessment framework, (which is) another example of important and multi-layered defences,” he said.

“The Optus breach reinforces the complexity of cybersecurity, as well as the need for organisations to adopt continuous vigilance and assessment,” Ivancic added.

Takeaway #4: Implement zero trust

The zero-trust concept has been around for some time now. While there are organisations that are optimistic about the framework, most are still in the dark on where and how to begin.


With enterprise IT over the next five years shaped by increased regulation, remote-first workforces and distributed workloads, zero-trust architecture is well positioned to address many of the challenges this shift brings.

Cheah Wai Kit, Senior Director, Product Management and Security Practice, APAC, Lumen Technologies, believes that zero-trust adoption will shield businesses from many such incidents.

“Cyberattacks on businesses continue to rise in severity and prevalence. They come in many forms and shapes — including malware, ransomware, insider threats, exploitation of critical vulnerabilities carried out by script kiddies, hacktivists, and state-sponsored threat actors. Cybersecurity breaches cost organisations billions of dollars in lost revenue and loss of productivity every year, with loss of reputation and goodwill causing long-term damage to their businesses,” Cheah noted.

“As part of this (zero-trust) approach, an organisation may implement additional measures, such as multi-factor authentication, user behaviour analysis, continuous validation, security awareness training, and more. Proactive security is paramount in the digital-first era, (as it) preemptively finds, identifies, and addresses inherent security vulnerabilities within an organisation’s IT system before bad actors can exploit it,” he added.

Takeaway #5: Eliminate weaknesses

Having detected vulnerabilities in the IT infrastructure as part of proactive security measures, the next step is to eventually remove them, emphasised Edgio’s Edwin Koh.

“Keep improving settings on your web application firewall. We suggest using a Dual WAF mode to analyse rule changes against production traffic without disabling the production WAF. This capability enables faster, more accurate tests and deployments of security rules with zero WAF downtime,” he said.
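The dual-mode idea Koh describes is vendor-neutral: a candidate rule set is evaluated on the same requests as the enforced production set, but only the production set decides what is blocked, and the analyst reviews what the candidate would have added before promoting it. The following added example, which is not Edgio's implementation or any code from the page, models that evaluation in a few dozen lines. The rules, the request fields and the traffic sample are constructed; real WAF rules and request models are far richer.

```python
"""Shadow (dual-mode) WAF rule evaluation.

Added illustration, constructed rules and traffic. Production rules enforce;
candidate rules are scored on the same requests without ever blocking.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Rule:
    rule_id: str
    description: str
    pattern: str            # regex applied to the request field named by `target`
    target: str = "path"    # "path", "query" or "user_agent"

    def matches(self, request):
        return re.search(self.pattern, request.get(self.target, ""), re.IGNORECASE) is not None


# Enforced rule set (constructed).
PRODUCTION_RULES = [
    Rule("P-001", "Path traversal", r"\.\./"),
    Rule("P-002", "Classic SQL injection tokens", r"('\s*or\s*'1'\s*=\s*'1|union\s+select)", target="query"),
]

# Candidate rule set: production plus two proposed additions, one deliberately too broad.
CANDIDATE_RULES = PRODUCTION_RULES + [
    Rule("C-101", "Scripted client on customer API", r"^(python-requests|curl)/", target="user_agent"),
    Rule("C-102", "Any numeric id= lookup (likely to over-block)", r"id=\d+", target="query"),
]


def evaluate(request, production, candidate):
    """Return (blocked, prod_hits, cand_hits). Only production hits set `blocked`."""
    prod_hits = [r.rule_id for r in production if r.matches(request)]
    cand_hits = [r.rule_id for r in candidate if r.matches(request)]
    return bool(prod_hits), prod_hits, cand_hits


def shadow_report(requests, production=PRODUCTION_RULES, candidate=CANDIDATE_RULES):
    """Run both rule sets over a traffic sample and report what the candidate set
    would newly block, per rule and with the offending requests, so false
    positives are caught before the rules are promoted to enforcement."""
    newly_blocked = Counter()
    samples = []
    enforced_blocks = 0
    for req in requests:
        blocked, prod_hits, cand_hits = evaluate(req, production, candidate)
        enforced_blocks += blocked
        new_hits = set(cand_hits) - set(prod_hits)
        if not blocked and new_hits:
            for rid in new_hits:
                newly_blocked[rid] += 1
            samples.append({"request": req, "would_block": sorted(new_hits)})
    return {"enforced_blocks": enforced_blocks,
            "newly_blocked": dict(newly_blocked),
            "samples": samples}


# Constructed traffic sample standing in for a slice of production requests.
SAMPLE_TRAFFIC = [
    {"path": "/api/customer", "query": "id=1001", "user_agent": "Mozilla/5.0"},
    {"path": "/api/customer", "query": "id=1002", "user_agent": "python-requests/2.28"},
    {"path": "/api/customer", "query": "id=1003", "user_agent": "curl/7.85"},
    {"path": "/static/../../etc/passwd", "query": "", "user_agent": "curl/7.85"},
    {"path": "/search", "query": "q=' or '1'='1", "user_agent": "Mozilla/5.0"},
    {"path": "/api/order", "query": "id=77&format=json", "user_agent": "Mozilla/5.0"},
]
```

On this sample the report shows C-102 would block four requests, two of them ordinary browser lookups, which is exactly the signal that tells the team to narrow that rule before it ever goes live, while C-101 only catches the scripted clients.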

Koh also cautioned against relying solely on on-premises security solutions, favouring protection delivered through content delivery networks or cloud-based application firewalls.

“Security is critical, along with performance. Web application and API protection built on a global CDN enable your security team to inspect and filter every app request without slowing down your systems. From a threat perspective, additional security capabilities such as DDoS protection, fraud, and bot management can also be integrated into cloud-based security, keeping malicious traffic far from your critical web infrastructure,” he advised.

Takeaway #6: Actionable intelligence is vital

The full extent of the Optus data breach may take some time to establish, yet valuable insight can already be gathered now in preparation for future attacks.


According to Koh, creating actionable intelligence is crucial amid a threat landscape that grows wider and wider each day.

“Integrate SIEM to capture real-time log delivery, analyse data, and determine patterns to detect anomalies. We suggest taking time to build a custom dashboard that enables analytics and configure alerting — and to take action quickly when a threat is detected,” he said.
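A SIEM rule is only as good as the pattern it encodes, so here is one written out in full as an added example, not code from the page or from any vendor quoted here: it parses API access log lines, keeps a sliding window per client address, and raises an alert when one address reads more distinct customer records than a threshold allows within the window, the pattern a mass data pull through a customer API leaves behind. The log format and the sample lines, including one deliberately corrupt line, are constructed; the thresholds are assumptions to be tuned against real traffic.

```python
"""Enumeration detector over API access logs (SIEM-style correlation rule).

Added illustration. Log format, sample lines and thresholds are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format: ISO-8601 timestamp, client IP, method, path, status.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
ID_RE = re.compile(r"/api/customer/(?P<id>\d+)")


def parse_line(line):
    """Parse one log line into an event dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))  # works on Python 3.7+
    id_match = ID_RE.search(m["path"])
    return {
        "ts": ts,
        "ip": m["ip"],
        "status": int(m["status"]),
        "customer_id": int(id_match["id"]) if id_match else None,
    }


def detect_enumeration(lines, window_seconds=60, max_distinct_ids=5):
    """Sliding-window rule: alert when one IP touches more than `max_distinct_ids`
    distinct customer IDs within `window_seconds`. Returns one alert per IP
    (first time it tripped, distinct IDs seen) and the count of unparseable lines,
    which a real pipeline should surface rather than silently drop."""
    per_ip = defaultdict(deque)  # ip -> deque of (ts, customer_id) inside the window
    alerts = {}
    unparsed = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        if ev["customer_id"] is None:
            continue  # not a customer-record read; irrelevant to this rule
        q = per_ip[ev["ip"]]
        q.append((ev["ts"], ev["customer_id"]))
        # Evict events older than the window relative to the current event.
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {cid for _, cid in q}
        if len(distinct) > max_distinct_ids and ev["ip"] not in alerts:
            alerts[ev["ip"]] = {"first_tripped": ev["ts"].isoformat(),
                                "distinct_ids": len(distinct)}
    return {"alerts": alerts, "unparsed_lines": unparsed}


# Constructed sample: one customer re-reading its own record, one scripted client
# walking sequential IDs, and one corrupt line.
SAMPLE_LOG = """\
2022-09-20T10:00:01Z 203.0.113.5 GET /api/customer/1001 200
2022-09-20T10:00:02Z 198.51.100.9 GET /api/customer/2000 200
2022-09-20T10:00:03Z 198.51.100.9 GET /api/customer/2001 200
2022-09-20T10:00:04Z 198.51.100.9 GET /api/customer/2002 200
2022-09-20T10:00:05Z 198.51.100.9 GET /api/customer/2003 200
2022-09-20T10:00:06Z 198.51.100.9 GET /api/customer/2004 200
2022-09-20T10:00:07Z 198.51.100.9 GET /api/customer/2005 200
2022-09-20T10:00:08Z 203.0.113.5 GET /api/customer/1001 200
this line is corrupt
2022-09-20T10:05:00Z 203.0.113.5 GET /api/customer/1001 200
"""
```

Keying on distinct record IDs rather than raw request count is deliberate: a legitimate user refreshing their own page many times never trips the rule, while a slow scraper that spreads reads over minutes is caught by widening the window. The same rule can be keyed on an authenticated subject instead of an IP once the API logs one.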

Lumen Technologies' Cheah Wai Kit also observed an emerging trend, driven by the global rise in cloud adoption, of attackers exploiting virtual machines to significantly boost their attack capacity and launch DDoS attacks.

“In such scenarios, cybercriminals mask their acquisition and control of cloud-based services through compromised VMs/hosts or anonymising services. In fact, DDoS attacks are getting shorter with 72% of attacks under 30 minutes in duration,” he said.

Neville Burdan, Director, Security, Asia Pacific at DXC Technology, identified additional measures enterprises should take to avoid being caught off guard:

  • Identify data residency and exposure of data through systems and processes.
  • Understand where confidential information is hosted, who has access to it, and when that access was last reviewed. Remove permissions that are no longer relevant.
  • Learn how data is consumed by employees and third parties such as partners or vendors. Third-party vendors should only have restricted access to confidential documents or access information in a secured, encrypted space.
  • Validate change management controls around internet-facing infrastructure for all test scenarios.
  • For companies with critical infrastructure administered through operational technologies, specific network protections are required to be in place. Companies should also reduce system access to only known and identifiable users.
  • Keep up with patching and updating.

“There are no shortcuts when it comes to cybersecurity,” remarked Burdan. “Should an incident occur, companies must be able to detect, stop and respond to threats and processes to protect data exfiltration in the shortest time possible.”