The recent Facebook outage affected 3.5 billion users and a huge number of businesses. No biggie, stuff happens, release the mea culpa to the public and move on … it’s business as usual. But hold the front door — the company has a much bigger problem.
Allow me to turn on the wayback machine for just a minute or two. In 2013, Edward Snowden exfiltrated massive amounts of classified data from the National Security Agency. The resulting data exposure was catastrophic on multiple levels — this is well known, and in many respects still ongoing.
Now, let’s jump to the present. During recent testimony on Capitol Hill, a Facebook whistleblower, Frances Haugen, claims to possess tens of thousands of documents related to the underbelly of Facebook practices and alleges the company is aware of the harms it causes.
So, what’s the correlation? We often talk about the human element being the weakest link in the technology food chain. One of the ways we combat that weakness is through security controls. Whether they be physical security or technical security controls, they must exist at all levels of the organization.
Here’s the rub. I’m straining my brain to understand how a Facebook product manager would be able exfiltrate volumes of data without being detected or blocked by data loss prevention (DLP) tools. DLP isn’t new to the game. There are many, very capable DLP products on the market that would have (or should have) sounded the alarm for this type of activity. I promise you, a company with the resources, size, and complexity of Facebook most certainly has DLP as part of its network infrastructure.
Truth be told, even DLP is somewhat old-school. Data loss prevention tools are table stakes for any company dealing with sensitive data. Data security is built upon layers of controls, with DLP being just one of them. Another primary method for detection of malicious activity is the use of user and entity behavior analytics (UEBA).
The use of UEBA allows for detection of unusual user or system activity. For example, if a user is logged in to the network from multiple locations, geographically separated, that may be a red flag. If a user accesses files that are out of the norm, or launches a completely new application, that may also be cause for concern. And heaven forbid something as critical as DNS entries or BGP routes are changed without going through the proper change control process (that’s a hair-on-fire day).
The reality is, the insider threat is here to stay, whether intentional or unintentional. Detection and prevention tools must be deployed to have a fighting chance to defend against bad actors.
All of this takes me back to my brain strain. I must ask: How in the world did Ms. Haugen get this data? When did she obtain it? Where in the world (literally) was she? Was she assisted by someone with more privileged access than her own? Is data still being siphoned today? Were there any “gifts” left behind on the Facebook network, only to become a surprise sometime in the future?
I’m not accusing anyone of wrongdoing. However, as an IT security practitioner, I would be very concerned about any breadcrumbs that may have been left behind, in addition to having more than one person being involved in this breach of information.
Companies have suffered from the challenges of the rapid remote workforce evolution. Those that were well prepared with layered protection and controls prior to the pandemic have fared much better than those that were not. In this case, it’s apparent Facebook wasn’t “fully immunized,” from an IT security perspective. My sincere hope is that many lessons will be learned from this event.
While the Facebook outage was a major inconvenience, the impact of leaked business operations documents far outweighs being down for a few hours. Reputational damage is very hard to recover from — even for an 800-pound gorilla. All I can say is, someone has a lot of ‘splaining to do.
Source – Bleepingcomputer.com