Rarely does a week go by without a government agency or large company announcing a data breach.
A data breach can mean a lot of things. In essence, it means that data was accessed by individuals who should not have been able to access it. It also means that account protection of the data failed. The data can represent personal information, such as health records, email conversations, online transactions and banking records, or corporate data, which is most often customer information or hosted applications.
What should you do if a provider notifies you that it suffered a data breach? How can you limit the impact to your company? What do you do when you suspect your company has fallen victim to a breach? Don’t assume it can’t happen to you.
Public Image Issues
Some companies try to downplay or even bluntly deny security incidents — sometimes out of ignorance but more often because they are unable to grasp the full scope and impact of the incident. Needless to say, this approach can backfire very quickly.
A data breach can be catastrophic for a company. Poor communication with customers can tarnish the company’s reputation and influence clients to quickly shift their business to competitors. When you handle personal or corporate data, there are usually regulatory requirements to deal with. Noncompliant organizations that fail to implement adequate protection measures face various sanctions and hefty fines.
Sluggish Detection Time
Data breaches are seldom detected immediately. Months or even years can go by before a company discovers that an attacker had continuous access to its systems. According to Mandiant Consulting’s “M-Trends 2016” report, the median amount of time it took organizations to detect a compromise in 2015 was 146 days.
Half of the compromises were detected internally, meaning that for the other half the companies were informed by outsiders. The motivations of an individual reporter can seriously influence communication and the breached company’s level of control over what exactly gets communicated, putting these organizations in a precarious position.
Why do companies struggle to detect data breaches? For one thing, attackers are always evolving, learning new techniques and acquiring innovative tools that avoid detection. Additionally, many companies lack the security maturity to fully understand what occurs on their networks.
Common Causes of a Data Breach
What causes a data breach? Many events can trigger a breach, with some more likely to happen than others, depending on the type of business.
Payment card skimmers are becoming more innovative, using new technologies, such as Bluetooth and mobile devices, to collect card stripe data. Whereas most data breaches consist of attackers gaining access to large numbers of data with one operation, skimming often involves gathering data piece by piece. However, the gathering process can be automated.
Physical Theft or Loss
Loss or theft of material is a threat both for companies and end users. Mobile devices, laptops and data carriers contain a wealth of personal and corporate information. This makes these devices the preferred physical attack vector of many cybercriminals.
User Error and Weak User Controls
Don’t be surprised: User error is often the main cause of a data breach. This may be the result of an incorrectly addressed email, the storage of documents and data on a publicly accessible resource, or failure to dispose of data — most often medical data — correctly.
Weak security controls also cause data breaches. Good controls limit the impact of user errors, and in some cases, merely having one basic security control could have prevented a user-introduced data breach. Typical security controls that could limit the likelihood of a data breach include security policies (i.e., strong password and data loss prevention policies), proper access permissions, strong authentication methods, and combining vulnerability management with patch and configuration management.
Attacks Against External Applications
It should not come as a shock that cybercriminals commonly launch attacks against external applications, both local apps and supplier-provided solutions, to gain unlawful access to data. These attacks are successful because of a lack of log and intrusion monitoring and insufficient vulnerability and authentication management.
This also includes point-of-sale (POS) intrusions. A POS attack is one of the quickest and easiest ways for a cybercriminal to gain revenue without ever having to set a foot on the premises. POS malware scrapes devices for credit card data and sends it back to the attacker to be sold or reused.
One of the most underestimated sources of a data breach is the insider threat. The threat can consist of intentional or negligent misuse of privileges. Insider threats are very hard to catch. Most often, in fact, companies only find out about such an attack once the intruder has left the company.
Espionage or Crimeware
Espionage or crimeware attacks are the data breaches that most often make news headlines. It’s very difficult, if not impossible, to attribute these breaches. They are usually carried out by skilled and motivated groups of attackers. Like the threats described above, it takes a lot of maturity, effort and energy to detect and understand the full scope of a data breach caused by espionage or crimeware.
Preventing Data Breaches
So now that we’ve seen that data breaches can be caused by different sources, how can companies implement enough account protection to thwart these types of attacks?
Unfortunately there isn’t a single answer to this question. Good protection requires thoughtful consideration of all attack vectors, and there’s no shame in seeking help. The SANS Institute made available a set of critical security controls to protect critical assets, infrastructure and information and strengthen your organization’s defensive posture. These controls are updated regularly based on changing threats. You won’t be able to implement all controls at once, but that’s not a problem. Prioritize your organization’s crown jewels and focus around them, implementing one control at a time.
The first step to account security and preventing unwanted access is using strong passwords. This may sound obvious, but leaked credentials repeatedly show that many users are still using weak passwords.
A strong password is one that is easy enough for you to use and difficult enough to keep cybercriminals out. A strong password is relatively long and includes a combination of numbers, symbols and a healthy mix of lower and uppercase letters. It should not contain a dictionary word or rely on obvious substitutions, such as replacing O with 0, for example.
Ideally, account access is never granted based only on username and password credentials. The use of two-factor authentication (2FA) is strongly advised. In a corporate environment, accounts should include a lock-out policy, meaning that after repeated failed logins, administrators are notified and the account is temporarily disabled. It goes without saying that a password expiration policy is mandatory.
Data Carrier Security
The use of mobile devices has increased the risk of physical theft or loss. Backups are a no-brainer when it comes to recovery in the case of loss. But if someone else gains access to your device, your data is out there for the taking.
Unfortunately, theft and loss are inevitable. Encryption is your best shot against this type of risk. Most modern operating systems support either full-disk encryption, volume encryption or file-per-file encryption. Encryption makes it much harder for someone else to read your data, even if they get a hold of the physical carrier. Obviously, don’t store the key to unlock the encryption on or near the same physical device.
Everything starts with being aware of the problem. Make sure you regularly train users to know what phishing scams looks like and how to recognize red flags. After all, phishing is still the preferred method of attack for initial access. Management buy-in is key, both for running the campaigns and implementing further controls based on the outcome of those efforts. If you can, start at the top of the company and immediately include C-level executives in all your awareness campaigns and training.
It can be beneficial to establish incentives for your users to report issues. Corporate users are your first sensors when it comes to situational awareness. Encourage them to notify you of unusual activity. Why not gamify a training?
If you need inspiration when it comes to running awareness campaigns, look no further than National Cyber Security Awareness Month (NCSAM). NCSAM is an advocacy campaign that promotes cybersecurity education and offers avenues to spread awareness about online safety throughout the U.S.
Vulnerability and Patch Management
Closing the most obvious doors for attack — exposed vulnerable applications — goes a long way toward preventing a data breach. Make sure you have a proper vulnerability and patch management programs inside your organization. If possible, you should also implement some form of centralized configuration management as well.
Security Policies and Controls
Good security governance includes tested and validated security policies and controls. Review them regularly and make sure they are enforced — not only on desktops inside your environment, but also on mobile devices. Don’t forget about remote devices that are used to connect to the network via a virtual private network (VPN).
The Basics of Incident Response
When a data breach occurs, it’s important to react quickly and according to a well–tested standard procedure. Not doing so can cost you or your company a lot of money.
According to a recent IBM study on the global impact of data breaches, the average total cost of a breach is around $4 million, with a price tag of well over $150 per stolen account.
A solid incident response (IR) strategy is essential for dealing with security incidents. According to the IBM study, a dedicated IR team can reduce the cost of a data breach per account by $16. Clearly, investment in IR pays off in the long run.
Most incident response plans follow a similar approach:
- Preparation: As described above, some key steps to prepare for an incident include implementing account protection solutions, ensuring data carrier security, spreading awareness, managing vulnerabilities and patches, and establishing strict security policies and controls.
- Identification: Verify that the claim of a breach and its reporter is valid. Attackers sometimes dump fake usernames and password hashes on public sites, claiming to have accessed a corporate network. If you identify the dumped data as fake, issue an alert immediately. Don’t forget to back up your claims.
- Containment: Evaluate what information was breached as well as the root cause, impact and the extent of the breach. Determine who needs to be notified immediately according to regulatory requirements. Notifications can and probably will need the cooperation of your management, legal and communication teams. Just shutting down the system or application in question can destroy crucial evidence. The key to do as little as possible to avoid changing the state of the system. Be prudent — even opening a simple text file can alter evidence.
- Eradication: At this point, the root cause of the data breach should have been found and dealt with.
- Recovery: Make sure the vulnerability or issue that led to the data breach has been solved. Run on high alert and monitor what’s happening on the network, looking for signs of unusual behavior.
- Lessons Learned: Focus on preventing the breach from happening again by reviewing the different procedures and practices.
Next to the more general IR actions, organizations should take specific steps to protect account holders. This information is typically cited when notifying customers of a data breach.
The most obvious advice is to reset the password. Don’t reuse parts of previous passwords. Use a password manager to store all your passwords. Most password managers have a feature to generate random, complex passwords.
Many services allow users to generate access codes to connect to their accounts through mobile devices. In many cases, resetting the password does not revoke these access codes. This means that even after a password reset, attackers can still access your account. How? If an attacker has the foresight to add the mobile device as an allowed device, he or she can still snoop, regardless of the account’s password.
It’s also important to stay vigilant when using password reset questions. If you set “What is my home town?” as a password reset question and list your hometown on your social media profiles, you make it easy for attackers to access your account.
Review Connected Devices
In addition to resetting the password for your account, be sure to review the list of devices that are allowed to connect to your account. Double-check that these are only your approved devices. The same goes for connected applications.
Some services send you a confirmation email after a request for a password change. Attackers are aware of this. Be vigilant if you receive an email prompting you to click a confirmation link. Did you request the email? Make sure it’s not a phishing scam.
If possible, you should enable 2FA on the account. This makes it very difficult for an attacker, even after obtaining the user credentials, to access the account.
Monitor Your Infrastructure
It’s crucial to monitor your IT infrastructure for weak links such as disabled accounts and tie all loose ends to ensure that your data and login credentials are not available on dumpsites.
Preserve Disabled Accounts
In a corporate environment, you might want to disable an account instead of merely resetting the password. If you reset the account, the user will need new login credentials. But by keeping the old account in the database, you can establish detection rules that monitor the use of the account. If you get a hit, you know something is wrong. A password reset makes it almost impossible to distinguish between a legitimate user logon and something triggered by an attacker.
Organizations can leverage a number of tools to monitor accounts or domains for data breaches. Have I Been Pwnd is a website run by security researcher Troy Hunt. If you sign up for the service, you will receive an alert whenever your account or domain is found in a password dump.
If you are reluctant to use third-party services for your account losses, you can use a python script called pystemon that crawls different dumpsites. You can configure it to detect matches for a number of regular expressions. It’s also possible to crawl the dumpsites via Tor, making it much harder for others to check what accounts you are monitoring.
Data breaches can devastate businesses if they are not handled properly. As with most cyberattacks, it’s almost impossible to prevent them from happening entirely, but you can raise the bar to make it very difficult for miscreants to achieve their goals. The key to success is prevention and preparation.
Introducing IBM X-Force Incident Response and Intelligence Services
Koen Van Impe is a security analyst who worked at the Belgian national
CSIRT and is now an independent security researcher.
He has a twitter feed (@cudes...