- What is a data breach?
- Why data breaches occur?
- 1 Human error
- 2 Insider Threat
- 3 Social Engineering / Phishing
- 4 Physical action
- 5 Privilege Misuse Data Breach
- Types of Data Breaches
- 1 Spyware malware
- 2 Ransomware
- 3 SQL Injection
- 4 Unencrypted backups
- 5 Unrestricted API calls
- 6 Access Management and Misconfigured cloud storage
- 7 Malicious Insider Threat
These days data breaches are as common as such natural events as rain and snow. Every week you hear a story about it. The result is all the same - databases hacked and exposed.
The consequences of company data breaches are pretty dire.
- Sometimes it is the company’s reputation that suffers.
- Other times, the breach results in product shut down, as happened with Google+ when the news broke that there were some critical security issues.
Oddly enough, until very recently, companies weren’t taking the threat of data breaches seriously. Awareness of the real danger of data breaches started to grow after the frequency of data breach events began to grow exponentially.
In this article, we will explain:
- Why data breaches are happening?
- What are seven major types of data leaks?
- How to avoid data breaches?
A data breach is an abnormal event caused by a variety of factors connected by one common factor - inherent flaws of the security system that can be exploited.
The standard definition of a data breach is “a security event in which data intended for internal use is for some reason available for unauthorized access.”
The nature of the so-called “internal data” may vary, but it is always something related to business operation. It might be:
- Customer or employee personal data (for example, name, address, social security number, other identifiable data)
- Payment or credit information (for example, in-app payments)
- Access data (login, password, et al.)
- Corporate information (any internal documentation regarding projects or estimates, workflow process, status reports, audits, performance reviews, any financial or legal information, etc.)
- Communication logs.
There are five most common causes of data breaches. Let's look at them one by one:
Believe it or not, human error and oversight are usually among the main reasons why data breaches happen.
The imposing nature of the corporate structure provides a false sense of security and instills confidence that nothing bad is going to happen inside of it.
This detail paves the way for some slight carelessness in employee behavior. Technically, human error is an unintentional misconfiguration of document access. It may refer to:
- general storage accessibility (for example, private data being publicly available)
- the accessibility of specific documents (for example, sending data to the wrong person by accident).
In this case, you have an employee with an agenda who intentionally breaches confidential and otherwise sensitive data.
Why does it happen?
Disgruntled employees are one of the reasons. One worker may feel wronged about his treatment and position in the company and this may lead to leaking information to the public or competition.
Then there is corporate spying. The competition may convince one of the employees to disclose insider information for some benefits.
In both cases, it is important to identify the source of data leaks (more on that later on).
Social engineering is probably the gentleman's way of doing company data breaches.
This is when a criminal, who pretends to be an authorized person gains access data or other sensitive information by duping the victim.
Old-fashioned SE is when a criminal poses as somebody else and exploits the trust of the victim, as when Kevin Mitnick accessed the source code of the Motorola mobile phone by simply asking for it.
Social engineering in an electronic communication is known as phishing.
In this case, the perpetrator imitates trustworthy credentials (the style of the letter, email address, logos, corporate jargon, etc.) to gain access to the information. Phishing is usually accompanied by malware injections to gain further access to the company's assets (more on phishing later on.)
Physical action data breach (aka "old school data breach") - when the papers or device (laptop, smartphone, tablet, etc.) with access to sensitive information is stolen.
Since companies encourage employee omnipresence and work on the go, this is a severe threat. How does it happen? A combination of sleight of hand and employee inattentiveness.
However, due to increased security practices, and multi-factor authentication, the threat of stolen devices has significantly decreased.
What is data privilege misuse? It is the use of sensitive data for purposes beyond the original corporate intent (like subscribing a corporate email list to a personal newsletter or changing the documents without following the procedure).
Improper use of information is one of the most common ways corporate data breaches occur. The difference between privilege misuse and human error is the intention. However, privilege misuse is not always due to malicious intent. Sometimes the cause is inadequate access management and misconfigured storage settings.
Privilege misuse results in various forms of data mishandling - like copying, sharing, and accessing data by unauthorized personnel. Ultimately, this may lead to a data leak to the public or black market.
In this section we will describe 7 most common types of data breaches and explain the most effective methods of preventing cyber breaches.
Spyware is a type of malicious software application designed to gather information from the system in a sneaky way. In a nutshell, spyware is keeping logs on user activity. This type of information includes:
- Input information - access credentials like logins and passwords. This type of spyware is also known as keyloggers.
- Data manipulation of all sorts (working on documents, screening analytics, etc.)
- In addition, this can be used to capture an employee’s communication.
- Also, spyware can monitor video and audio input (specific for communication applications). Skype was known to have this vulnerability a couple of years ago.
- Files opened - to analyze the structure of the information and understand specific business processes;
How does it happen?
The most common way of getting a piece of spyware is by unknowingly downloading a software program with a bit of spyware bundled with it. Also, spyware can be automatically uploaded through a pop-up window or redirect sequence. In a way, tracking cookies and pixels are similar to the spyware that acts almost in broad daylight. However, actual spyware is much more penetrative and damaging.
Usually, spyware is used in the initial stages of a hacking attack to gain necessary intelligence. In addition to that, spyware is one of the tools used for corporate spying.
An excellent example of a spyware attack is the WhatsApp messenger incident. In May 2019, Pegasus spyware attacked WhatsApp. As a result, the malware had access to user’s ID information, calls, texts, camera, and microphone.
How to fight spyware?
- Two-factor authentication to prevent straight-up account compromise;
- Keep login history with details regarding IP, time and device ID to identify and neutralize the source of unauthorized access;
- Limit the list of authorized devices;
- Install anti-malware software to monitor the system;
Ransomware is a type of malware used to encrypt data and hold it for ransom in exchange for the decryption key. The ransom is usually paid in cryptocurrency because it is harder to trace.
Ransomware is a no-brainer hacking option - its goal is to profit from the user’s need to regain access to the sensitive data. Since modern cryptography is hard to break with brute force, in the majority of cases, victims have to comply.
Usually, ransomware is spread by phishing emails with suspicious attachments or links. It can proceed due to careless clicking. Ransomware is also distributed through so-called drive-by downloads when a piece of malware is bundled with the software application or automatically uploaded by visiting an infected webpage.
For years, ransomware attacks were happening to individual users. Recently, ransomware attacks became frequent on larger structures.
In March and May of 2019, ransomware virus, RobbinHood, attacked the government computer systems of Atlanta and Baltimore. It encrypted some of the cities databases and virtually paralyzed some aspects of the infrastructure.
The cities governments were forced to pay the ransom to regain control over their systems. As it turned out, a combination of the following factors made the breach and subsequent ransomware attack possible:
- lack of cybersecurity awareness of the personnel;
- outdated anti-malware software;
- general carelessness regarding web surfing.
How to avoid getting ransomware?
- Use anti-malware software and keep it regularly updated.
- Make a white list of allowed file extensions and exclude everything else.
- Keep data backups in case of emergencies like ransomware infections. This detail will keep the damage to a minimum.
- Set up a schedule for updating restoration points.
- Segment network access and provide it with different entry credentials to limit the spread of malware.
These days, SQL injection is probably one of the most dangerous types of malware. It aims for data-driven applications. The use of such tools in business operations makes SQL injection a legitimate threat to a company’s assets. Data analytics, machine learning datasets, knowledge base - all can be in danger.
SQL is one of the oldest programming languages. Its field is data management in relational databases (i.e., the ones with data that relates to certain factors, like user IDs, prices for products, time-series data, etc.). These are the majority of databases.
It is still in use because of its versatility and simplicity. These very same factors exploited by cybercriminals. The SQL injection is used to perform malicious SQL operations in the database and extract valuable information.
Here’s how it works:
- To begin with, there is a flaw in the security of the page, an exploit. Usually, it is when the page involves a user’s direct input into the SQL query. The perpetrator identifies it and creates his input query known as the malicious payload.
- Due to the simplicity of the system, this type of command is executed in the database.
- With the help of the malicious payload, a hacker can access all sorts of data ranging from user credentials to targeting data. In more sophisticated cases, it is possible to gain an administrator-level of control over the server and run roughshod over it.
- In addition to this, a hacker can alter and delete data, which is a piece of awful news when it comes to financial and legal information.
One of the most infamous incidents of SQL injections, that led to a massive data breach, is the 2012 LinkedIn incident. It resulted in a data leak of over six million passwords.
Curiously, LinkedIn had never confirmed that the leak was caused by SQL injection despite all the facts pointing to it. The reason for this is simple. SQL injections happen because they are allowed to occur by negligence and overconfidence. They are straightforward to predict - if there is the possibility, sooner or later it will be exploited. This nuance makes SQL injection a very embarrassing type of breach.
How to prevent data breaches with SQL injection? There are several ways:
- Apply the principle of least privilege (POLP) - each account has access limited to one specific function and nothing more. In case of a web account, it may be a read-only mode for the databases with no writing or editing features by design.
- Use stored procedures (aka prepared statements) to limit SQL command variables. This feature excludes the possibility of exploiting the input query.
Backup storage is one of the critical elements in the disaster recovery strategy. It is always a good thing to have a copy of your data just in case something terrible happens to it.
On the other hand, encryption is one of the critical requirements of modern asset management. It is a reasonable approach. If the data is encrypted, it hurts less if it leaks since it not useful in that state. And, it seems obvious to have storage and transmission channels encrypted by default.
However, backups are usually left out of the equation. Why? Because, by their nature, backups seem to be a precaution in and of themselves and thus treated as a lesser asset for the company’s current affairs.
Add to that the aforementioned false feeling of safety behind a corporate firewall. Also, backup encryption is an additional weight on the security budget, which is often already strained. The latter is usually the reason why encrypted backups are not a persistent practice.
This is a big mistake because one party’s carelessness is another person’s precious discovery.
The most common problem with backups is weak authentication like a simple combo of login and password without any additional steps.
How to prevent data breaches due to unencrypted backups? There are several ways:
- Encrypt your backups with specialized software
- Keep the backup storages to the same security standard as main servers (i.e., internal network-only type of access with two-factor authentication by default)
The most egregious example of a data breach via unencrypted backup happened in 2018. The Spanish survey software company Typeform had experienced a massive data breach due to unencrypted backups being exposed and downloaded by cybercriminals. Numerous companies and even government organizations were using the service. That made surveys a rather diverse source of sensitive information, including person identifying data and payment-related information.
The breach had severe repercussions for the company. In addition to being forced to apologize to the customers, Typeform started losing their clients. Many of the companies had decided to opt-out of the service. Don’t be like Typeform, encrypt your backups.
In some ways, API is almost like Pandora’s box. You know what it is supposed to do, but you never really know what kind of trick can be pulled off with its help. As one of the essential tools for the application operation, API is a treasure trove of information for those who know where to look.
That is how the whole Cambridge Analytica debacle happened with Facebook. Hackers had exploited the progressive structure of Facebook API (which provided rather deep access to user data) and turned it into a powerful tool for diverse data mining.
As a result, they managed to collect the data of more than 50 million users. Among the data gathered were such things as likes, expressed interests, location data, interpersonal relationship data, and much more.
What happened next? The scandal got so big, Facebook CEO Mark Zuckerberg was forced to discuss the matter at Senate hearings. In addition to that, the company received a permanent stain on their reputation and a massive user withdrawal. The subsequent investigation led to a whopping $5 billion fine by the Federal Trade Commission.
Such API breaches could have been avoided if it was a bit more thought-through.
How can API become a data breach risk?
- Anonymous access (i.e., access without authentication)
- Lack of access monitoring (may also occur due to negligence)
- Reusable tokens and passwords (frequently used in brute force attacks)
- Clear-text authentication (when you can see input on the screen)
How to prevent data breaches and make API safe and secure? There are several ways:
- Provide thorough access restriction and delimit what kind of data is accessible via API and that which is not;
- Use rate-limiting to keep data transmission under reasonable boundaries. This feature will prevent API from being used in a data mining operation.
- Use anomaly and fraud detection tools to identify suspicious behavior in the API to block it.
- Perform audit trail to understand what kind of request is going through API
- Clearly explain to users which types of data you are sharing with third parties via API
Cloud security is probably the most robust field of cybersecurity as it requires a lot of auditing and constant testing of the system for all sorts of weaknesses. One of the biggest problems with cloud storage is access management due to misconfigured cloud storage settings.
Here’s what it means:
- Access management in cloud infrastructure is a mess. All users in the system have certain levels of access to certain kinds of data.
- Because there is a need to share information to enable business operation, there is a high volume of access turnaround.
- Sometimes it goes unchecked, and unauthorized users may end up having access to sensitive data they are not supposed to have access to.
At the same time, there is a thing with cloud security settings. Maintaining databases and storages in the cloud means you need to keep an eye on the accessibility of the information. Since there is a lot of data coming in and out, it is essential to keep things strict.
Here’s what may happen.
- Some of the data may end up on the public side due to oversight and inadequate default accessibility settings.
- The data may be visible on the outside, and it is a significant exploit for cybercriminals.
- With a little help of specialized search engine requests, one can get a lot of exciting stuff.
A good example of cloud misconfiguration is the U.S. Army’s Intelligence and Security Command AWS server security mishap. A stash of classified NSA documents was publicly accessible due to an access configuration oversight. It was that simple. Upon sharing the folder, someone failed to check the accessibility status and made the thing public.
- Here’s how to avoid this kind of data breach
- Check the cloud security configurations upon setting up particular storage. Be sure it is strictly private.
- Use access management tools to keep an eye on security configuration. There are third-party tools that can routinely check the state of security configurations and detect issues upon their occurrence.
Insider Threat is probably the most persistent source of data breaches. You never know what may trigger this kind of behavior. While the aforementioned types of data breaches are all about the technology, this one is about a person being nasty and acting maliciously.
Aside from human error and negligence (that leads to such types of data breaches as malware and access misconduct), there are three main types of malicious insider threat:
- Disgruntled Employees - this kind of insider threat is all about getting back at those who did the particular employee wrong. According to a study by Gartner, 29 percent of employees have stolen corporate data for personal gain after quitting. Then there is the 9% of those who just wanted to sabotage the process one last time.
- Second streamers are much more serious trouble. These are the people who systematically disclose sensitive information for personal gain and supplementary income. According to the Gartner study, these are 62% of all insider threats. Second streamers are dangerous because they know what they are doing and they try to remain in the system for as long as possible without getting caught. In this case, data breaches occur in a slow, barely detectable manner, disguised as a casual business process.
There are several ways to avoid data breaches caused by insider threat:
- Implement strict access control over sensitive data. If there is a document to be shared with an unauthorized person - set a limit of accessibility and disable copying of the document.
- Keep thorough activity logs on what is going on within a system. Set an alarm for suspicious activity like unusually large data exports and copying (like the whole contact database transfer and so on) or unauthorized access. Every cloud platform has its own logging tools. For example, here’s how this thing works on Google Cloud.
- Perform an audit trail to identify the source and determine the context and content of the anomalous event, and identify the source of anomalous activity. This can be handled by Data Loss Protection software like McAfee DLP.
In the age of big data and exponentially growing cloud services - data breach is just one aspect of everyday life. It is definitely an unfortunate thing if it happens, but as it was explained above - it is far from inevitable.
All it takes to avoid data breaches from happening is keeping a close eye on what is going on with the data and where it is going. Knowledge is half the battle won - you need to be cautious about the value of your data and the ways it can be exposed.
In this article, we have shown you exactly how to lessen the risks of data breaches and wholly avoid such events.
Want to improve your data security?