Stealing Sensitive Data One User at a Time: The Unlikely Headline

Stealing Sensitive Data One User at a Time: The Unlikely Headline

Sensitive Data Attacks vs. Typical Headlines

As I write this, you are likely reading something about the Equifax breach. The attention it is getting is well-deserved. So many millions of personal records and sensitive data exposed are always a cause for concern. However, it feeds an unhealthy cycle.

Huge breaches happen when attackers break a web application—or get lucky with phishing and pull a huge spreadsheet off the first desktop they hit. This causes the press to believe that all the worst attacks look exactly alike. The headlines then fail to call attention to the attacks on sensitive data that professional bad guys are slowly but surely grinding away at every day. Maybe these attacks don’t extract hundreds of millions of records all in one go. But, if you add up all the sensitive data exposed in the daily waves of bad guy grinding attacks, you’ll find almost all the information from a big breach like Equifax was probably already out there– taken a slice at a time through user attacks.

These carefully planned, less exciting—but ultimately more dangerous attacks—are happening all the time without many even realizing it. They start with phishing or bad links to capture a single user’s account or laptop. Then, the bad guys fly under the radar while scoping out your environment and amassing privileges so they can spread out, dig in, and help themselves to a smorgasbord of your most sensitive data.

Unlike the big headline grabbers, these user attacks usually don’t target some flaw or vulnerability in software. Rather, they target users being users. The regular user is tripped up by phishing, but it is the administrative user attack vector that makes them so successful. They look for the places where admins are losing the battle with their to-do list to exploit common bad configurations in IT platforms like Active Directory or File Shares. Things that any admin would fix – and probably has on a long list to do at some point – but are under the threshold for attention because their focus is just as wrapped up in the headline-grabbing stuff.

Motivation for User Attacks

The motivation for the vast majority of these attacks is simple: money. What translates into money is essentially a complete spreadsheet. The bad guys are compiling a record on all of us. Every breach fills in more cells of our sensitive data – our phone numbers, our credit card numbers, our addresses, our medical records, etc. It is easy to imagine that a huge dump like Equifax will fill in a number of empty cells. The challenge is to imagine how many of those cells were already full because of the daily, grinding attacks that pull out dozens or hundreds of pieces of data. If we’re going to win the fight to protect our data, then we need to decide collectively that every attack that succeeds is a problem–even if it never makes the headlines.

Want to learn more? Watch this 4-part video training series in which Active Directory security experts from STEALTHbits Technologies guide you through critical AD security concepts as well as three categories of AD attacks (CPEs offered).

Jonathan Sander is STEALTHbits’ Chief Technology Officer (CTO). As CTO, he is responsible for driving technical innovation, ensuring that STEALTHbits is well positioned in their current and emerging markets, and he will also lead corporate development efforts. Jonathan also plays the role of evangelist at STEALTHbits venues large and small. Prior to STEALTHbits, Jonathan was VP of Product Strategy for Lieberman Software.

As part of Quest Software from 1999 through 2013, he worked with the security and ITSM portfolios. He helped launch Quest’s IAM solutions, directing all business development and product strategy efforts. Previous to that, Mr. Sander was a consultant at Platinum Technology focusing on the security, access control and SSO solutions. He graduated from Fordham University with a degree in Philosophy.

Leave a Reply

Your email address will not be published. Required fields are marked *

*