
Breach Anecdotes 1

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 3 min read

Summary:

The document outlines a cybersecurity breach incident involving CUSTOMER B at Hewlett-Packard (HP). Within 48 hours of notification, HP deployed a team with experts from South Korea, Hong Kong, and the USA to investigate and resolve the breach in Asia. The team rapidly installed the ArcSight SIEM platform, collecting data within 5 hours, identifying 25 serious active security events across varying severity levels over three days. Key findings included multiple malware infections (102), JBoss exploits (147), and SQL injection vulnerabilities (181,200). Recommendations from HP addressed various threats: blocking malicious communications on infected hosts, removing compromised servers, rebuilding networks with AV and updated configurations, redeveloping web applications to secure SQL code, and considering legal action against RSA for data theft.

Details:

The document discusses the breach case study of CUSTOMER B by HP Enterprise Security Solutions. The breach occurred in Asia, and within 48 hours of notification HP deployed a team including top consultants from South Korea, Hong Kong, and the USA to assist. The team swiftly installed and configured the ArcSight SIEM platform, enabling data collection within 5 hours. Over a 72-hour period they identified 25 serious active security events, broken down by severity as Low (3), Catastrophic (3), Serious (11), and Critical (12). The case involved multiple malware infections and exploits such as JBoss exploits and active SQL injection, totaling 102 malware infections, 147 CVE JBoss exploits, and 181,200 instances of the SQL injection vulnerability. The provided text outlines the individual security incidents and the actions Hewlett-Packard (HP) recommended to address them. Here is a summary of each case mentioned:

1. **Malware Communication on Hosts**: HP detected numerous hosts communicating with known malware sites. They recommended blocking the malicious communications, removing infected hosts from the network, rebuilding them with secure configurations including antivirus software (AV), and monitoring for suspicious activity.
2. **JBoss Server Vulnerability**: A server running a 4-year-old version of JBoss was found to have a critical vulnerability allowing remote execution of Unix commands. The recommendation was to immediately remove the server, patch it, and redeploy it with a secure configuration.
3. **Compromised Host in DMZ**: A server hosting known malware was identified as compromised. The recommended action was to remove the client from the network, rebuild the server, and update the antivirus software.
4. **SQL Injection Attacks on Web Application**: Active SQL injections were found exploiting a vulnerability in "DBBridge.aspx", leading to potential data disclosure. The recommendation was to redevelop the web application so that the SQL code stays on the server instead of allowing the client to edit transactions.
5. **RSA Breach and Data Theft**: A finance person received an email with a .xls file containing malware, which exploited an Adobe Flash vulnerability. HP responded by performing an NMAP scan of the network, revealing that Poison Ivy malware had been installed to collect sensitive information. The recommendation here is not explicitly stated but likely involves endpoint security measures and possibly legal action against RSA for the data breach.

In summary, these cases cover several types of cyber threat (malware communication, server vulnerabilities, SQL injection attacks, and data breaches) together with HP's corresponding recommendations for addressing each of them.
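The redesign recommended for case 4 is shown below as an added Python/sqlite3 example, not code from the HP report or from CUSTOMER B's "DBBridge.aspx". The two bridge handlers, the table names and the sample rows are constructed for illustration: the first executes whatever SQL the client sends (the flaw described above), the second only lets the client name a server-side transaction and supplies its parameter through a bound placeholder.

```python
import sqlite3


class RejectedRequest(Exception):
    """Raised when a client request does not match an allowed server-side transaction."""


def make_db():
    """Constructed in-memory database standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE transactions(id INTEGER PRIMARY KEY, account TEXT, amount REAL);
        CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT, card_number TEXT);
        INSERT INTO transactions VALUES (1, 'ACC-100', 25.0), (2, 'ACC-200', 99.5);
        INSERT INTO customers VALUES (1, 'Alice', '4111-XXXX-XXXX-1111');
    """)
    return conn


def bridge_vulnerable(conn, client_request):
    """The pattern the case study describes: the SQL text itself arrives from the client,
    so any client can rewrite the transaction and read tables it was never meant to see."""
    return conn.execute(client_request["sql"]).fetchall()


# Hardened design: the SQL lives only on the server, keyed by an operation name.
# The client never supplies SQL text, only an operation and a typed parameter.
SERVER_SIDE_QUERIES = {
    "get_transaction": "SELECT id, account, amount FROM transactions WHERE id = ?",
}


def bridge_hardened(conn, client_request):
    op = client_request.get("op")
    if op not in SERVER_SIDE_QUERIES:
        raise RejectedRequest(f"unknown operation {op!r}")
    try:
        tx_id = int(client_request.get("id"))
    except (TypeError, ValueError):
        raise RejectedRequest("id must be an integer")
    # The value is bound by the driver, never concatenated into the statement.
    return conn.execute(SERVER_SIDE_QUERIES[op], (tx_id,)).fetchall()
```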

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
