Light Dark
October 9, 2024 By Sue Poremba 4 min read
Risk Management

When it comes to cybersecurity, the question is when, not if, an organization will suffer a cyber incident. Even the most sophisticated security tools can’t withstand the biggest threat: human behavior.

October is Cybersecurity Awareness Month, the time of year when we celebrate all things scary. So it seemed appropriate to ask cybersecurity professionals to share some of their most memorable and haunting cyber incidents. (Names and companies are anonymous to avoid any negative impact. Suffering a cyber incident is bad enough.)

The ultimate clickbait victim

A construction company suffered significant theft and transfer of money from the organization to a bad actor. Needless to say, the boss wasn’t happy, and since it involved a financial loss, it was brought to the attention of federal authorities.

Upon review of the incident details, it was discovered that a user had a habit of clicking on links in emails — not just any links, but all of them! This user failed everything taught in the awareness training and repeatedly fell victim to phishing schemes. Even more concerning, this was known to management and ownership.

Further investigation uncovered that during the security incident and subsequent network compromise, official company forms were stolen and used against the organization. The threat actor used these official forms to move money and alter vendor payment information, as well as employee payroll direct deposits.

But perhaps the scariest part of the story is that the user, known to click on everything imaginable, was still allowed to operate in such an influential and high-profile position.

Public WiFi shares too much information

A senior executive decided to work from a coffee shop over a weekend, connecting to the public WiFi and then accessing their company’s servers. This person worked in sales, and due to their senior position, they had admin access to customer records, sensitive data and customer financial details.

What seemed like a little stint of out-of-office work turned into the perfect scenario for a hacker to launch a man-in-the-middle attack and begin to siphon sensitive data from the connection between this person’s computer and the company servers. By interacting with these sensitive files, they unknowingly exposed them to the malicious actor.

Luckily, the security team caught this mishap before any major damage was caused. If this had gone wrong, the customer’s banking data could have been breached. It really shows how easy it can be to become a victim of an attack and, even more importantly, highlights how essential it is to protect your data.

Guilty of malicious downloading

A law firm suffered a ransomware attack. It originated when someone was searching for a court case and downloaded a PDF from one of the first links they came across.

The law firm called their insurance company, which connected them to a breach response team. That team had them turn off all of the computers in the environment. The entire firm was shut down for over two weeks while the response team cloned drives, deployed them in sandbox environments and tried to identify the initial point of entry. Once they were reasonably confident that they knew where the entrance point was, it took another two weeks to gradually reimage and bring back online the rest of the computers.

To prevent future ransomware attacks, the firm instituted regular cybersecurity training, added new monitoring tools and tightened up the sites (e.g., via trusted DNS) that could be accessed by their employees.

Rogue blog

An online retailer was compromised when an admin installed a WordPress blog on their e-commerce web server. While the action was well-intended, it was poorly executed. The CMS was not incorporated into routine maintenance or vulnerability scanning, so it remained unpatched, including a critical vulnerability in the password reset process. Poor coding habits meant that a webshell uploaded via the CMS admin portal was quickly able to discover hardcoded database credentials.

A second well-intended but poorly executed step was when the person who first discovered the breach tried to purge the webshell, scrubbing a lot of forensic artifacts in the process and significantly impeding the subsequent investigation.

The case of the missing laptop

A medical practice administrator had work to do over a holiday weekend, so they took their work laptop home. This person was a long-standing employee, well-liked and had great employee reviews — the type of individual any organization would trust to be a responsible caretaker of any sensitive data in their possession.

The particular work laptop the employee took home contained patient information subject to HIPAA protections, as well as financial data that could very quickly do the organization damage if it fell into the wrong hands.

On the first workday after the holiday weekend, the medical practice received a phone call. A family member called to inform them that the administrator had died, killed in an auto accident.

Workers at the medical practice were appropriately distraught over losing the coworker they had known for years and offered their condolences to the family and each other. At the same time, there was concern about the laptop and the sensitive information it held. The family was informed about the need to return the laptop to the medical facility, but it could not be found.

The medical practice was now faced with the possibility of having to report the situation as a data breach, but still wanted to make sure the data would remain secure and private. The organization used a Managed Service Provider (MSP), which implemented security tools across the medical practice’s devices, including encryption and remote data security tools, like revocation of access, remote data wiping and other security and reporting tools.

The MSP quickly performed a check of the computer and discovered that it was indeed connected and online. By deploying another anti-theft tool, it was possible to activate the laptop’s webcam to see where the laptop was, and who was using it.

The image revealed none other than the deceased administrator — very much alive and holed up in an RV in the desert. Apparently, they were watching YouTube videos with a new dirt bike resting against the wall. The police were contacted, and further traces located the rogue employee’s position. The authorities discovered the administrator with the stolen laptop, $8,000 in cash, and soon learned that the RV was stolen as well.

Encryption would not have been enough on its own (since the administrator had the credentials). What was important was the ability to remotely remove access and remotely wipe sensitive data from a device altogether.

Stay safe from cyber horror

There’s one thing these cybersecurity horror stories make clear: You can never truly know when or how a breach will occur. But when organizations use a combination of cybersecurity tools, education and planning ahead, the results of a cyberattack or breach don’t have to be downright terrifying.

 |  | 
Sue Poremba

More from Risk Management
October 4, 2024

Are we getting better at quantifying risk management?

4 min read - As cyber threats grow more sophisticated and pervasive, the need for effective risk management has never been greater. The challenge lies not only in defining risk mitigation strategy but also in quantifying risk in ways that resonate with business leaders. The ability to translate complex technical risks into understandable and actionable business terms has become a crucial component of securing the necessary resources for cybersecurity programs.What approach do companies use today for cyber risk quantification? And how has cyber risk…

October 2, 2024

Cybersecurity Awareness Month: Cybersecurity awareness for developers

3 min read - It's the 21st annual Cybersecurity Awareness Month, and we’re covering many different angles to help organizations manage their cybersecurity challenges. In this mini-series of articles, we’re focusing on specific job roles outside of cybersecurity and how their teams approach security.For developers, cybersecurity has historically been a love-hate issue. The common school of thought is that coders are frustrated with having to tailor their work to fit within cybersecurity rules. However, many companies are embracing a security-first approach, and some developers…

October 1, 2024

Spooky action: Phantom domains create hijackable hyperlinks

4 min read - According to a recent paper published at the 2024 Web Conference, so-called "phantom domains" make it possible for malicious actors to hijack hyperlinks and exploit users' trust in familiar websites.The research defines phantom domains as active links to dot-com domains that have never been registered.Here's what enterprises need to know about how phantom domains emerge, the potential risks they represent and what they can do to disrupt phantom attacks. There are two common types of phantom domains: Errors and placeholders.Domain errorsErrors…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature