Citrix Just Suffered a Massive Data Breach. Here’s How to Protect Your Company from Similar Attacks

On March 8, Citrix Systems Inc., a global technology provider known for its virtualization solutions, disclosed that the company was investigating unauthorized access to its internal network. The company said in a public note that it learned of the intrusion on March 6, after being notified by the Federal Bureau of Investigation. News of the breach resulted in the immediate loss of hundreds of millions of dollars in shareholder value. In the wake of the incident, Citrix will undoubtedly face costly investigations, remediation work and legal fees.

Early reports have attributed the Citrix breach to state-affiliated cyber criminals linked to Iran. According to reports, the company was attacked first in December 2018 and again last Monday, with six to ten terabytes of data stolen, including confidential internal business documents. The hackers obtained access through a password spray attack, an automated attack pattern in which every conceivable password is attempted until access is obtained. In addition, the hackers used tailored tools to bypass multi-factor authentication for critical applications and services for further unauthorized access to Citrix’s virtual private network (VPN) and single sign-on (SSO) resources.

A combination of factors contributed to the Citrix breach, which, in our opinion, could have been avoided altogether had the company's network segmentation, data loss prevention (DLP), password policies, and intrusion detection and prevention (IDS/IPS) systems been more effective. Citrix, as a sophisticated multinational technology group, likely had many of these controls in place, but the company appears not to have properly validated the efficacy of these controls, as many businesses fail to do. Companies large and small will continue to suffer similar breaches until they adopt a more proactive stance toward the protection of sensitive information.

Business and technology leaders seeking to protect their company should focus on implementing layered defenses, such as DLP, IDS/IPS, password policies and network segmentation, if these controls are not already in place. More mature enterprises should consider undertaking comprehensive infrastructure testing to assess and improve the security of their perimeter or demilitarized zone (DMZ). Layered defenses such as IDS/IPS systems, firewalls and gateways should be assessed to ensure complete coverage of enterprise and customer-facing applications. Password policies should be scrutinized and revised as necessary to ensure that they would remain effective against a password spray attack. Additionally, because implementing controls alone is insufficient, DLP systems and rules should be regularly reviewed and tested to ensure their continued efficacy. Enterprise cloud solutions, including services provided by companies such as Microsoft (e.g. Office 365) and Amazon (e.g. Amazon Web Services), are also susceptible to password spray attacks and should be hardened using products such as cloud access security brokers (CASB). Wherever possible, companies should leverage SSO, even for internal applications, in order to simplify and centralize password policies and enforce granular authorization.
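One concrete way to check that monitoring would actually catch the password spray pattern discussed above, as an added example that is not code from the article or from Citrix: a spray tries a few common passwords against many accounts, so each account stays under its lockout threshold and per-account failure counters miss it, whereas keying on the source exposes it. The log format, addresses and user names below are constructed for the example.

```python
"""Password-spray detection over auth log lines (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <src_ip> <username> <SUCCESS|FAILURE>"
SAMPLE_LOG = """\
2019-03-04T02:00:01 203.0.113.7 alice FAILURE
2019-03-04T02:00:03 203.0.113.7 bob FAILURE
2019-03-04T02:00:05 203.0.113.7 carol FAILURE
2019-03-04T02:00:07 203.0.113.7 dave FAILURE
2019-03-04T02:00:09 203.0.113.7 erin FAILURE
2019-03-04T02:00:11 203.0.113.7 frank SUCCESS
2019-03-04T02:05:00 198.51.100.9 alice FAILURE
2019-03-04T02:05:02 198.51.100.9 alice FAILURE
2019-03-04T02:05:04 198.51.100.9 alice SUCCESS
"""

def parse(log_text):
    """Parse lines into (timestamp, src_ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {src_ip: (accounts_sprayed, accounts_that_succeeded)} for spray-like sources."""
    fails, wins = defaultdict(list), defaultdict(set)
    for ts, src, user, result in events:
        if result == "FAILURE":
            fails[src].append((ts, user))
        else:
            wins[src].add(user)
    findings = {}
    for src, attempts in fails.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):  # sliding window over this source's failures
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            # Spray signature: many distinct accounts, only a few attempts each.
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[src] = (sorted(per_user), sorted(wins[src]))
                break
    return findings
if __name__ == "__main__":
    for src, (users, won) in detect_spray(parse(SAMPLE_LOG)).items():
        print(f"possible spray from {src}: {len(users)} accounts tried, succeeded on {won}")
```

The second source in the sample (repeated failures on a single account) is deliberately not flagged, since that is the lockout-style pattern a per-account rule already handles; any success reported for a flagged source is the account to reset first.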

Most companies would also benefit from an independent assessment of their information security program’s maturity to identify areas of weakness, prioritize cybersecurity spend and chart a course for improvement where necessary. Independent assessment by an expert may identify gaps internal teams have overlooked.

The breach at Citrix underscores the risk that even the largest enterprises face in the cybersecurity domain. Companies large and small should use this breach as a reminder that cybersecurity is not a one-time effort, but rather a continual business risk factor and area of focus, which must be prioritized at the technical, management and board level.