Data breach. There are fewer times that two simple words invoke so many fearful thoughts in the mind of a C-level executive.
How did it happen?
What was taken?
What are we going to do?
Who was responsible?
There are many routes an organization may explore in terms of breach mitigation, but let us start at the beginning. This blog will cover some of the simple basics of a data breach – what it is, ways they are caused, etc. – and some simple steps that an organization can take to mitigate their risk of becoming tomorrow’s headline.
Data Breach Definition
In simple terms, a data breach is an event where someone obtains access to information or data that they were not authorized to see.
Who Causes a Data Breach?
These are typically the three different types of people that can cause a data breach for an organization:
Sometimes, a data breach can be accidental. Maybe someone working for the organization had inappropriately elevated privileges. They then view a folder or file by accident or purely through the destructive force of curiosity. This person had no malicious intent – they were just in the wrong place at the wrong time. In cases with an accidental insider, the information exposed is generally safe, but the breach must be addressed.
This is a similar situation to the accidental insider, but this person has malicious intent. Alternatively, maybe they had the proper level of credentials but were set on getting revenge against their current or former employer. The malicious insider is one of the scariest scenarios in this entire blog because someone who was trusted performs the breach intentionally. The classic example that many point to while explaining the dangers of the malicious insider is Edward Snowden. While working for the NSA as a contractor, Snowden was able to leak highly classified information about controversial government programs.
Malicious Outside Actor
A malicious outside actor is any outside entity that obtains unauthorized access with malicious intent. This group can contain a very wide range of people with many different motives, ranging from a bored teenager to a government-sponsored hacker team. Damage from malicious outsider breaches can be crippling. Recent large-scale examples of malicious outsider breaches include the Target and Sony attacks.
What Causes a Data Breach?
Many different factors come into play to cause a data breach. A few of the most common ones are listed below:
Exploits in the System
Many times by accident, a computer or system is left open for attack due to a bug or vulnerability in the code. This is actually a pretty common occurrence. Although most organizations deploy patches to fix these, oftentimes, administrators aren’t able to institute the fix right away, can’t patch the exploit for a variety of reasons, or are simply unaware of the exploit, to begin with. In many cases, hackers will intentionally target these known exploits that have remained unpatched on systems, leading to breach.
Weak and Re-Used Passwords
Weak and reused passwords are ripe for exploitation through attacks like credential stuffing. Organizations must put rules in place to up their password security game. Mandating multiple character types and lengths are only the beginning.
It is not uncommon for employees to use their work email when registering for a variety of online services that are required for their job. The risk is if any of those services are compromised, an attacker would attempt to use the email address and password to access corporate or other online resources. If they can gain access to just a user email they can then use that access to reset the password on another system. This will work even if that leveraged a different password, as most systems email you a password recovery link.
NIST, via 800-63b, and Microsoft had taken what many feel is a radical approach to password policies. The logic behind this changeover 3 decades in the making is the policies we have previously used have forced users to create unsecure passwords or reuse them. This practice is slowly changing.
A targeted attack is a specific, directed attack aimed at an individual organization. Targeted attacks can be multi-faceted, employing multiple items on this list to launch a successful hack. Targeted attacks are generally planned out and do not rely on the “wide net” tactics employed in other more opportunistic breaches. They can include anything from impersonating a fellow employee or management to obtain valuable information, to purposefully sending spoof emails to specific workers.
Overprovisioned Access Rights
As mentioned earlier, this type of breach is most often associated with insiders. Giving employees access to resources that are unnecessary to their job functions leaves the door wide open to a data breach, intentional or accidental. Although this may seem easy to combat, it can easily happen when an employee changes roles or new hire’s access rights are modeled off of another employee’s access.
It is likely that most people reading this post have had some sort of first-hand encounter with malware in their lives. Malware is a software developed for the sole purpose of causing harm to your computer. It can infect your system in many ways, but most often is accomplished by opening an email attachment or clicking a dangerous link. Being infected with malware usually gives attackers unfettered access to a system, which they use as a launching point to move laterally and vertically within enterprise networks in their mission to obtain valuable information.
Phishing or Spoofing
Sometimes associated with the spreading of malware, phishing is the act of sending emails while spoofing a reputable source. Usually, the goal is to get the victim to click a link or download a file containing malware, or trick them into sending money or information back to them.
Stolen credentials are often obtained via a phishing attack. A user will get an email spoofed to look legitimate and click a link to logon to a perfectly mimicked website. Once they type in their credentials to log in, the attacker has their information. Since most people re-use passwords, this one set of stolen credentials can potentially be used to steal information from several accounts, or gain access to valuable information (especially when combined with overprovisioned access!)
What to do in The Event of a Data Breach
Although a data breach is a terrible (some say even inevitable) event, there are steps organizations can take to minimize damage to their data and systems, as well as their brand and consumer confidence. The most important thing an organization can do is prepare.
Do you have an internal incident response capabilities and a defined plan? If not, consider signing a retainer with a firm providing those services. How about your legal counsel? Do they have the skills and knowledge to guide you through the morass of notification and response obligations? When was the last time your teams held a breach exercise to test your plan? Are there clear roles and responsibilities so as to act and speak with one message?
In the middle of a data breach is not the time to be figuring out the answers to these questions; a successful response requires preparation. Although this does not cover nearly everything that will need to be done, and response activities should be coordinated by the incident response team and legal counsel, these are three things that many organizations do in response to a breach.
Alert those Affected
This step might seem obvious, but the sad truth is that it is not. Trust is very important in business. Although it may be tempting to try to sweep the case under the rug, honesty is the best policy. Moreover, the penalties can be high for concealing a data breach from the public and government.
Reset Account Passwords
Whether it is employees or paid users to your company’s service, an important step is resetting all account passwords. This function has dual purposes: it can potentially lock the attacker out of the account they may have stolen the credentials for, and it forces users to change their potentially compromised passwords.
Credit Monitoring Services
Offerings of free credit monitoring services in light of a breach have become commonplace. Short of offering cash, this is generally the compensation offered to those affected by a breach.
How to Prevent a Data Breach
Although there are many things that organizations can do to mitigate the risk of a data breach, there are some simple steps that they can take to increase their security posture.
Implement a Security Policy or Program
Implementing a security policy or program focused not only on protecting an organization’s sensitive data, but the credentials that supply access to it is critical to mitigating risk. Why? Because credentials and data are the two common denominators in every breach scenario. If you are interested in uncovering critical credential and data risks, Stealthbits offers a free assessment you can take advantage of! Take a deep-dive into the security of your Structured and Unstructured Data, Active Directory, and Windows infrastructure.
Abide by the Principle of Least Privilege (POLP)
One of the most important things an organization can do is abide by the principle of least privilege. This means ensuring all employees and accounts (especially privileged users) only have the level of access necessary to perform their job’s function. Again, particularly for privileged users, it’s recommended that modern approaches to Privileged Access Management (PAM) be leveraged to eliminate the existence of privileged accounts altogether when they’re not in use. By making sure all users only have access to the resources they need, the risk any single account poses if compromised is diminished exponentially.
Implement an Enterprise Password Enforcement Policy
By implementing an organization-wide enterprise password enforcement policy, your organization can be safeguarded against many types of authentication-based attacks. This is accomplished by disallowing weak or already-compromised passwords from being used – regardless of whether or not they meet complexity requirements – further enforcing password hygiene and reducing the opportunity for attackers to crack or guess passwords in automated or manual fashions.
Stop forcing scheduled password changes and remove complexity rules. The basic guidelines are: require two-factor authentication, require the password is 14 characters or more and is not on a breach database. If the password is detected in a compromised database, require a change. Otherwise, it can be your password forever.
Educate Your Employees
Maybe the most important item on this list, organizations must spend the time and resources to educate their employees on how to spot things like a phishing attack. Make it a mandatory onboarding activity! This little investment can pay dividends in the future. Training that helps prevent just one breach is a worthwhile investment.