A data breach occurs when an unauthorized individual gains access to confidential, sensitive, or protected information. In a breach, files are viewed and/or shared without permission.
Phases of a Data Breach
To carry out a data breach successfully, attackers usually work in phases.
Reconnaissance
In this stage, the adversary is trying to gather important information that can later be used to plan future operations. The information that attackers are going after could represent details of the victim organization, infrastructure, or staff/personnel.
Resource Development
Resource Development covers the techniques by which attackers create, purchase, or compromise/steal resources that can later be used to support the targeting of the victim.
Initial Access
Initial Access is a set of techniques that use a variety of entry vectors to gain a foothold in a network. Targeted spearphishing and exploiting vulnerabilities on public-facing web servers are two of the methods used to acquire a foothold in the target network.
Execution
Execution refers to the techniques that result in adversary-controlled code running on a local or remote system. Malicious code execution techniques are frequently combined with techniques from other tactics in order to achieve larger purposes, like network exploration or data theft.
Persistence
The malicious actor is attempting to keep its foothold. Adversaries employ persistence techniques to maintain access to systems across restarts, credential changes, and other disruptions that could otherwise cut off their access.
Privilege Escalation
The attackers can enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Commonly they take advantage of system weaknesses, misconfigurations, and vulnerabilities.
Defense Evasion
Uninstalling/disabling security software or obfuscating/encrypting data and scripts are examples of defensive evasion techniques. Attackers exploit and manipulate trusted processes to conceal and disguise their malware.
Credential Access
Techniques for stealing credentials such as account names and passwords are referred to as credential access. Keylogging and credential dumping are two methods for obtaining credentials. Using genuine credentials can offer attackers access to systems, make them harder to detect, and allow them to create additional accounts to further their objectives.
Discovery
The term “discovery” refers to tactics an adversary could employ to learn more about the system and internal network. These techniques aid the attackers in observing their surroundings and orienting themselves before determining how to proceed. They also allow adversaries to investigate what they can influence and what surrounds their entry point, to see whether it can help them achieve their present goal.
Lateral Movement
Reaching their goal frequently involves pivoting through many systems and accounts. To execute Lateral Movement, adversaries may install their own remote access tools or use genuine credentials with native network and operating system capabilities, which may be stealthier.
Collection
Collection refers to the techniques adversaries may employ to gather information that is significant to achieving their goals, as well as the sources from which that information is gathered.
Command and Control
Command and control techniques are used by adversaries to communicate with devices under their control within a victim network; because of this, attackers frequently try to imitate regular, expected traffic to evade detection.
Exfiltration
Exfiltration refers to the techniques that attackers might employ to take data out of a network. Malicious actors frequently bundle data after collecting it in order to avoid detection while removing it.
Impact
Malicious actors employ impact tactics to interrupt availability or undermine integrity by manipulating business and operational processes. They can use these tactics to achieve their final purpose or to provide cover for a breach of confidentiality.
Data breach vs Data Leak
A data breach occurs whenever a bad actor (such as a hacker or a hostile insider) attempts to get access to sensitive information. A breach is defined as an act with a malicious purpose that results in monetary, political, reputational, or national-security benefits.
A data leak is a different issue, as a company’s website may lack the necessary (and simple) access control measures to prevent visitors from accessing the information of everyone else. As a result, any user (malicious, curious, or unintentional) may enter a different record number in the browser and have complete access to that record.
Unfortunately, in a leak there is usually no way of knowing whether the exposed information was accessed or misused. It’s possible that certain hacking groups have been using it for years, or that it has never been used at all.
A Few Examples of Important Data Breaches
Yahoo
In 2013 Yahoo suffered a data breach. The event was first publicly reported by the company in December 2016, while Yahoo was in the process of being acquired by Verizon, and at the time it was thought that a hacking group had obtained the account information of over a billion of its users. Less than a year later, Yahoo reported that the real number of user accounts exposed was 3 billion. Yahoo stated that the updated estimate did not indicate a new “security problem,” and that it was sending emails to all “affected user accounts.”
Despite the breach, the Verizon transaction was completed, although at a lower price.
Sina Weibo
Sina Weibo is one of China’s most popular social platforms, with over 600 million members.
The business reported in March 2020 that an attacker had gained access to a piece of its database, affecting 538 million Weibo users and their personal information, including actual names, site usernames, gender, location, and phone numbers. The database was reportedly sold on the dark web for $250 by the attacker.
Weibo has been instructed by China’s Ministry of Industry and Information Technology (MIIT) to improve its data security procedures in order to better safeguard personal data and to alert users and authorities when data security problems occur.
Sina Weibo said in a statement that the intruder had acquired publicly available information by using a tool designed to help users find their friends’ Weibo accounts by providing their phone numbers, and that no passwords were compromised. However, it acknowledged that if passwords are reused on other accounts, the disclosed data could be used to link accounts to passwords.
Marriott International (Starwood)
Following a cyberattack on its systems in September 2018, Marriott International revealed the disclosure of sensitive information belonging to half a million Starwood guests.
During the inquiry, Marriott discovered that unauthorized access to the Starwood network had been occurring since 2014.
Names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences were among the data exposed. Payment card numbers and expiration dates were also included in certain cases, but these were presumably encrypted.
Following the incident, Marriott conducted an investigation with the help of security specialists and announced steps to phase out Starwood systems and expedite network security upgrades.
LinkedIn
LinkedIn suffered a data breach in 2012, when it reported that attackers had obtained 6.5 million unassociated passwords (unsalted SHA-1 hashes) and posted them on a Russian hacker forum.
The full extent of the breach was not disclosed until 2016, however. The same hacker who sold MySpace data was discovered selling the email addresses and passwords of 165 million LinkedIn members for merely 5 bitcoins (about $2,000 at the time).
Dubsmash
Dubsmash, a video messaging service located in New York, had 162 million email addresses, usernames, PBKDF2 password hashes, and other personal data including dates of birth stolen in December 2018, and all of this was subsequently sold on the Dream Market dark web marketplace the following December. The data was part of a larger collection that included MyFitnessPal, MyHeritage (92 million), ShareThis, Armor Games, and the dating app CoffeeMeetsBagel.
Dubsmash confirmed the compromise and sale of personal information and offered password-changing assistance. It did not specify how the attackers gained access, nor did it clarify how many people were affected.
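The two storage schemes named in the LinkedIn and Dubsmash entries above, unsalted SHA-1 and salted PBKDF2, side by side in an added example (not code from either company or from this article). The user list, the `rounds$salt$hash` record format and the iteration count are assumptions made for the demo:

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happened to choose the same password.
# No real credentials from any breach are used here.
USERS = {"alice": "Winter2024!", "bob": "Winter2024!"}

# Iteration count for PBKDF2-HMAC-SHA256 (OWASP's current guidance is 600,000).
PBKDF2_ROUNDS = 600_000


def unsalted_sha1(password: str) -> str:
    """The 2012 LinkedIn scheme: one deterministic hash per password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_record(password: str, salt: bytes = b"") -> str:
    """Salted, iterated hash stored as 'rounds$salt_hex$hash_hex' (assumed record format)."""
    salt = salt or os.urandom(16)  # a fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and rounds; a constant-time compare avoids timing leaks."""
    rounds, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def linkable_accounts(records: dict) -> dict:
    """Group accounts whose stored hash is identical. With unsalted hashes every user sharing
    a password is exposed at once and one precomputed table cracks all of them; with
    per-user salts the same password yields different records, so the grouping is empty."""
    groups = {}
    for user, stored in records.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}
```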
Best Practices to Prevent a Data Breach
Patching and updating software
Patch management refers to the process of acquiring, reviewing, and deploying fixes on an organization’s systems.
When a vulnerability is discovered, patch management distributes and installs the corresponding patches to the affected software.
A patch is a piece of software code that fixes or enhances an existing application. When a security problem is found, or the functionality of a program needs to be improved, software engineers write a patch to address these issues, so a thorough redesign of the program is not needed. Patches may be applied across your whole network, including software/operating systems, routers, IoT devices, servers, and more.
Using only high-grade encryption
End-to-end encryption, or E2EE, is a method of securing data transfer between two parties by encrypting it such that only the intended receiver can decrypt/read it.
Third parties, such as internet or app service providers, hackers, or even governments, are unable to read or tamper with the communication while it travels to its destination. Simply put, end-to-end encryption prevents non-participants from accessing private conversations by encrypting communication on both ends (sender and recipient).
In this way, third parties cannot obtain the cryptographic keys needed to decrypt the communication.
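As an added illustration of the point above (not code from the article), the exchange below uses the `cryptography` library: each endpoint keeps its own X25519 private key, both derive the same AES-GCM session key, and the relay in the middle, standing in for the service provider, sees only ciphertext and cannot alter it unnoticed. The `Endpoint` class, the HKDF `info` label and the sample message are assumptions of the demo.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

NONCE_LEN = 12  # standard AES-GCM nonce size
MSG = b"constructed sample: Q3 payroll export attached"  # made-up message for the demo


class Endpoint:
    """One participant's device. The private key is generated here and never leaves it."""
    def __init__(self) -> None:
        self._priv = X25519PrivateKey.generate()

    def public_bytes(self) -> bytes:
        # The only key material that is shared with the peer (and seen by the relay).
        return self._priv.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)

    def _session_key(self, peer_pub: bytes) -> bytes:
        # X25519 agreement + HKDF: both endpoints derive the same 256-bit AES key;
        # the relay cannot, because it never holds either private key.
        shared = self._priv.exchange(X25519PublicKey.from_public_bytes(peer_pub))
        return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                    info=b"e2ee-demo-session").derive(shared)

    def encrypt(self, peer_pub: bytes, plaintext: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)  # fresh nonce per message; never reuse one with a key
        return nonce + AESGCM(self._session_key(peer_pub)).encrypt(nonce, plaintext, None)

    def decrypt(self, peer_pub: bytes, blob: bytes) -> bytes:
        return AESGCM(self._session_key(peer_pub)).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], None)


def tamper_detected(receiver: Endpoint, sender_pub: bytes, blob: bytes) -> bool:
    """AES-GCM authenticates the ciphertext: a relay that flips one bit cannot go unnoticed."""
    try:
        receiver.decrypt(sender_pub, blob[:-1] + bytes([blob[-1] ^ 0x01]))
    except InvalidTag:
        return True
    return False


def demo() -> tuple:
    """Returns (what Bob reads, whether the relay could see the text, whether tampering was caught)."""
    alice, bob = Endpoint(), Endpoint()
    blob = alice.encrypt(bob.public_bytes(), MSG)  # encrypted on Alice's device, forwarded as opaque bytes
    return (bob.decrypt(alice.public_bytes(), blob), MSG in blob,
            tamper_detected(bob, alice.public_bytes(), blob))
```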
Creating rigorous BYOD access-based security policies
Most concerns around BYOD access-based security policies stem from human error.
It’s vital to establish a BYOD security strategy, but it’s even more critical to educate your employees about it. Your workers should be aware of what they can and cannot do with their personal devices, why security measures are important, and what will happen if they violate the policy.
Employees must realize that establishing a BYOD strategy will safeguard the entire company from data breaches and other cybersecurity risks.
Using strong credentials and multi-factor authentication
You should implement two-factor or multi-factor authentication. When discussing the importance of passwords, it is also important to know that if a breach occurs, resetting all passwords must be part of the response protocol.
The same password should never be reused across accounts/logins, as this is a sure way for malicious actors to gain access to sensitive data.
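One common second factor is a time-based one-time code (RFC 6238 TOTP) from an authenticator app. The added example below (not from the article) shows the server-side check: it derives the code from the shared secret and the current 30-second window, tolerates one window of clock skew, compares in constant time, and refuses to accept a window that has already been used. The `TotpVerifier` class and its interface are assumptions of the demo.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30   # seconds per code, as used by authenticator apps
DIGITS = 6


def secret_from_base32(enrolled: str) -> bytes:
    """Authenticator apps are enrolled with a Base32 secret (usually delivered as a QR code)."""
    return base64.b32decode(enrolled.upper() + "=" * (-len(enrolled) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: dynamic truncation of HMAC-SHA1(secret, counter) to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter set to the current time window."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Server-side check: tolerate one window of clock skew, compare in constant time,
    and never accept a window that has already been consumed (stops replay of a captured code)."""

    def __init__(self, secret: bytes, window: int = 1) -> None:
        self.secret, self.window = secret, window
        self.last_counter = -1  # highest window already used for this account

    def verify(self, submitted: str, at: Optional[int] = None) -> bool:
        base = (int(time.time()) if at is None else at) // STEP
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # this window (or an older one) was already used: reject replays
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter
                return True
        return False
```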
Educating employees
Almost every business nowadays has an online presence. As useful as the Internet is, it is also a hazardous environment, with threats hiding around every corner.
The importance of raising awareness and strengthening security measures cannot be overstated. Unfortunately, workers are the weakest link in any company’s security.
Because of their lack of knowledge, they are vulnerable to hackers who enjoy nothing more than preying on unwitting victims.
Wrapping Up
With the right knowledge and proper practices, as well as a reliable suite of solutions, staying safe from data breaches can come easy.
As always, Heimdal™ Security can help you with the latter. If you want to know more about which of our company products are best suited for your needs, don’t hesitate to contact us at sales.inquiries@heimdalsecurity.com or book a demo.