$2k to avoid being another Optus

by Security Centric, on 30/09/2022 11:27:32 AM

The Optus PII breach has been the subject of many conversations the past week or so - at the technical level all the way through to advising boards on what is relevant to their organisation vs what is jumping on the topical news bandwagon. 

A common thread has been repeated so many times that I thought I would share the insights. Based on the knowledge to hand, and reading between the lines of the carefully curated PR speak, the breach could have been prevented for under a couple of thousand dollars per month. Let me explain.

  • A service needed to be published to the internet for a specific external organisation
  • Human error meant the service was exposed to the entire internet, rather than the specific organisation
  • As malicious parties like to do, they constantly scan the internet for low hanging fruit, and found Optus' development service

There's more to be said of course, like why was production data in a development system, and how did a national telco with a cyber security practice ignore so many basic principles, but that will come out in due course.

What is most relevant to the mid market is that this could have been prevented with a basic service that costs (at least at SC) under $2k per month.

What we're talking about is a fairly standard perimeter vulnerability scanning service, linked up with customer change control and our 24x7 SOC. Here's how it works:

  • We obtain an inventory of any internet-connected technology - be it firewalls, AWS elastic IPs, owned public address ranges, etc
  • We baseline the current approved state of internet-published services
  • If a new service is being published, the SC SOC is informed as part of the change management process (you do have change management right?)
  • If a new service is published that may affect security posture, like the Optus API, the SOC responds to that like any other incident
  • The human error is corrected and the API is limited to only the originally-intended specific organisation
  • The internet-scanning malicious party finds nothing and keeps on scanning
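
The baseline-and-drift step above is the mechanical core of that process. The following is an added example, not Security Centric's own tooling, showing how the comparison works: an approved baseline records each published service and the source ranges it is meant to be reachable from; an external scan observation that finds a service not in the baseline, or reachable from a source outside its approved ranges (the Optus API case), becomes a finding for the SOC; a reviewed change record is the only path that updates the baseline. All addresses are constructed from documentation ranges and the function names are this example's own.

```python
"""Perimeter exposure drift check (added example).

Compares external scan observations of the organisation's internet-facing
addresses against an approved baseline and flags anything that is published
without approval, or that is exposed more widely than approved.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Service:
    ip: str
    port: int
    proto: str = "tcp"


# Approved baseline: each published service and the source ranges allowed to
# reach it. Values are constructed for the example.
APPROVED_BASELINE = {
    Service("203.0.113.10", 443): ["0.0.0.0/0"],          # public website, internet-wide
    Service("203.0.113.20", 8443): ["198.51.100.0/24"],   # partner API, one partner's range only
}

# Constructed scan observations: (ip, port, proto, scanner source address).
# The scanner sits on the open internet, outside every partner range, so any
# partner-only service it can reach is exposed more widely than intended.
SCAN_BEFORE_FIX = [
    ("203.0.113.10", 443, "tcp", "192.0.2.5"),    # approved, public
    ("203.0.113.20", 8443, "tcp", "192.0.2.5"),   # partner API answering the whole internet
    ("203.0.113.30", 3389, "tcp", "192.0.2.5"),   # RDP left open after vendor troubleshooting
    ("203.0.113.40", 443, "tcp", "192.0.2.5"),    # new web host, no change record yet
]

# The same scan after the firewall rules are corrected: the partner API no
# longer answers the scanner and the RDP rule has been removed.
SCAN_AFTER_FIX = [
    ("203.0.113.10", 443, "tcp", "192.0.2.5"),
    ("203.0.113.40", 443, "tcp", "192.0.2.5"),
]


def _allowed_from(approved_ranges, source_ip):
    """True if the scanner's source address falls inside any approved range."""
    src = ipaddress.ip_address(source_ip)
    return any(src in ipaddress.ip_network(r) for r in approved_ranges)


def find_exposure_drift(scan_results, baseline):
    """Return (service, reason) for every observation that deviates from the
    approved state: 'unapproved_service' when the service is not in the
    baseline at all, 'overexposed' when it answered a source outside its
    approved ranges."""
    findings = []
    for ip, port, proto, observed_from in scan_results:
        svc = Service(ip, port, proto)
        if svc not in baseline:
            findings.append((svc, "unapproved_service"))
        elif not _allowed_from(baseline[svc], observed_from):
            findings.append((svc, "overexposed"))
    return findings


def apply_change_record(baseline, service, approved_sources):
    """Change-management step: a reviewed change record is the only way a new
    service enters the baseline. Returns an updated copy of the baseline."""
    updated = dict(baseline)
    updated[service] = list(approved_sources)
    return updated


if __name__ == "__main__":
    for svc, reason in find_exposure_drift(SCAN_BEFORE_FIX, APPROVED_BASELINE):
        print(f"FINDING {reason}: {svc.ip}:{svc.port}/{svc.proto}")
```

Each finding is what the SOC would treat as an incident: the unapproved RDP and web host either get a change record or get closed, and the overexposed partner API gets its rule narrowed back to the partner range. Re-running the check against the corrected scan should return nothing.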

We've seen similar user error with remote desktop being temporarily published to assist vendors with troubleshooting, and forgetting to remove the rule.

The fundamental driver is human error. Humans are great at many things, but relying on people being careful is not a sufficient control. This is why it is someone's job at the end of a surgery to count the instruments, even though a very skilled and highly paid professional has performed the surgery and was careful. Another example is in aircraft, where big red tags are used so it's obvious from hundreds of metres away that you've forgotten something. Optus could easily have had a red tag pop up as soon as the API was published, rather than when an opportunistic threat actor discovered it.


Takeaway:

Human error is going to happen - spend a trivial amount to make sure you don't leave an instrument in the patient. 
