It seems pretty clear that eBay didn’t properly safeguard their user information.
We can expect that perimeters and firewalls will be penetrated – The Verizon data breach report gives a 90% chance of compromising an account after 10 phishing attempts, and malicious software installed as a result is often undetectable by AV or Network monitoring and penetration tools. Other attacks on applications (SQL injections, stack overflows) often result in an attacker gaining root privileges on machines and then using the compromised server as a beachhead to “land and expand”.
A direct consequence of these facts, is that data has to be protected with the assumption that hackers can gain access to networks and systems.
How is this accomplished? Security controls are required at two levels – within applications (databases, application platforms, customer applications), and at the system level (file systems, volumes) and three critical controls are required at each of these levels; Encryption, access control, and monitoring of data access patterns.
The combined power of the first two controls (encryption and access control) is that they exclude users that are not authorized from accessing data. This greatly reduces attack surfaces available to hackers. Privileged user accounts (Examples are system administrators, network administartors, cloud administrators) are “blinded” to data and others that have access to applications of systems, but without data access privileges are prevented from access. If their accounts are compromised by an attack (and privileged user credentials are a primary hacking/phishing target) they can’t be leveraged to compromise data. Done right, privileged users can still do their work, but never see decrypted information.
The last control (monitoring of access patterns) allows organizations to quickly identify when unusual activity happens with an account, flag it for investigation or lock down, stopping an attack in process. This requires a combination of data access logs and real time or periodic monitor of user activity. A Security Information and Event Management system (SIEM) or Big Data for Security implementation can perform the analytics.
The first set of information gleaned from such an implementation is the easiest – flagging accounts that should not have access to protected information are trying to get to the data. This immediately highlights that an attack of some sort may be underway so that it can be investigated. Harder to do is profiles of access patterns for accounts that are authorized to access the data. The goal is to identify accounts whose activity is unusual based on the way they access data. In the IT Monitoring sector, simple implementations of this are called “baselining” and are created by collecting data over time about activity, and using that to build a time-based profile of what should be considered normal for a specific item. In the case of data access monitoring, an account that normally only accesses light amounts of information during the week, and is suddenly harvesting large volumes of information at 3AM on a Sunday would be immediately identified for investigation.
These techniques can be used to quickly identify and shut down an attack in process accessing data with an authorized account whose credentials have been compromised.
If all these protections are in place, it’s significantly harder to steal data, and much quicker to shut down attacks. From the amount and type of data breached, it’s clear that this full set of protections were not in place at eBay.