Data breaches – a game of Russian roulette, carefully selected targets or exploiting the circumstances?

Share this post:

From a criminal viewpoint, cybercrime has grown into an international and profitable business, one among other business fields. Behind data breaches one can usually find hacker groups supported by authoritarian governments, independent criminal groups or individuals skilled in information technology who have fallen onto the wrong side of the law, whose day jobs involve scanning through corporate web interfaces for gaps the size of a single line of code or malware. Tens or even hundreds of thousands of different viruses, malware and ransomware are coded every day – either completely new ones or variations of existing malware – and are either released into the public web or purposefully used to target selected companies, using a variety of methods. 

As a result of digitalization, corporate operational environments and methods have radically changed. The usability, controllability and protection of data have been made increasingly complex through the use of cloud solutions, device and network virtualization, using one’s own devices and remote work. They have also resulted in an increased number of risks, as well as system architectures and integration capacities becoming more complex. On the other hand, the digitalization has liberalized the corporations to choose various technological solutions according to their requirements or needs. 

Join our EMEA Security Summit to find out more on how to secure your business from data breaches

Carelessness or indifference eventually backfire 

No precision solutions targeting an individual information security threat, or any wider corporate information security architecture or technology solutions can be considered entirely watertight. As a general starting point, one may always consider companies to be subject to several vulnerabilities or clear information security gaps in relation to their networks or devices. Software developers alone release patches on a nearly daily basis to address any observed faults. Information security threats caused by human carelessness or indifference make up an entire chapter of their own. 

When considering an intentional and malicious attack targeting company information or other valuable assets while also accounting for corporate information security gaps, how do data breaches emerge in practice? Is it entirely due to chance and bad luck that exactly our company was targeted, or was the attack underlaid by a carefully selected strategy?  In practice, should the attacker possess a clear motivation and the will to steal money or information that is confidential from the standpoint of business, there will be means to realize that attack. Phishing, social scams targeting staff or break-ins are carefully premeditated means to obtain what one is seeking. 

No point in digging a tunnel if you can walk in through the front door

How about data breaches? Valuable data are relatively easy to collect, as long as one knows where and how to look for them. 

The number of questions certainly exceeds the number of answers, just as there are more ways to steal data than to protect them. Today’s trend seems to be that the lowest-hanging fruits are picked first. We reviewed data leakages that occurred across the globe in 2020 and wanted to obtain a better understanding of the reasons behind the breaches, how they were realized and whether companies had in some way prepared for them.  
 
In all of the cases inspected, some areas had clearly failed. What kind of actions and solutions could one take to prevent comparable potential attacks? Rather than taking the time to dissect and analyze all data leakage cases, we will go through certain clear cases where a minimal amount of effort, carefulness and near-routine actions could be used to markedly improve the information security level, contributing to the more efficient prevention of data breaches. 

According to the IdentityForce website, there were approx. 80 data leakages in 2020. The list contains the largest data leakages which, according to public sources, contain considerable amounts of information. Roughly speaking, the cases can be split into the following categories:  

• Point-of-sale vulnerabilities 6x, phishing attacks 5x, 
• data leakages targeting the supply chain 8x, 
• ransom- or malware victims 7x,  
• some individual leakages related to insider threats, IDs / user credentials purchased from the black market. 

According to publicly available information, the majority of cases clearly involved unprotected databases or incorrectly configured devices. This is not academic research but a general viewpoint and consideration of the reasons why the companies included in this sample ended up as data breach victims.  

The trend appears to be that the majority of resources are directed where it is easiest to identify a gap the size of a malware program or single line of code. Even criminals possess an economical mindset focused on profits versus effort. The basic principle is that there is no point in digging a tunnel if one can walk in through the front door. 

Changing modes of operation is important in the field of information security

We will focus on two data leakage categories and how, through relatively modest expenses, technical investments and changes to one’s mode of operation, the level of information security could be clearly improved while achieving concrete reductions in the number of risks. The first change to one’s mode of operation involves using multifactor user authentication and the second change involves regular network scanning to identify vulnerabilities and configurations requiring improvement.  

A credential stuffing attack is a cyber-attack in which the attackers exploit lists containing cracked user IDs and passwords to breach corporate systems. The attack involves leveraging the massive processing capacity of attacker-controlled bots, i.e. contaminated computers connected to the web, for automation and scalability. The attackers begin from the assumption that end users, i.e. company clients, use the same familiar user ID and password combination to access all applications and services. This way it is relatively easy to break into different systems using the IDs and passwords available on the list. The Internet is full of free technology to realize the attacks. Further to phishing campaigns, attacks like this include J-Crew, Zoom, Nintendo and Activision. Additionally, it has been necessary to somehow obtain staff email user IDs. The attacks may target a wide variety of companies including, for example: Utah Pathology Services, GoDaddy, Ambry Genetics, Marriott International, T-Mobile and Carnival Cruise Lines. Many of these examples are located on the other side of the Atlantic Ocean, but in no way deviate from the usual way in which individuals typically handle their user IDs and passwords. Crossing one’s heart, how many of us can say they use a different password for every application? With regard to this, we tend to be lazy and maybe even somewhat indifferent. I can say from experience that one feels considerably more assured under the knowledge that one uses different passwords to access different applications. Then a data leakage involving those company systems that one has used will not send the entire world tumbling down. Naturally, the passwords need to be lengthy and strong. 

Changing modes of operation is important in the field of information security

What can be done, then, in case of a data breach? Your user ID has landed in the hands of attackers and the market value of the ID has declined to approx. two cents (0.02 euros).  In all likelihood, you are not even aware that your user credentials are being used all over the web to purchase different services and products. When the issue becomes public, this is bound to give rise to all kinds of stress. IBM possesses an excellent and easy-to-use solution with regard to cracked user IDs and passwords – in the case of mobile and browser applications, multifactor authentication is used.  

According to the traditional concept of justice, one is innocent until proven guilty. From the perspective of information security, a better strategy involves considering everyone to always be guilty until the evidence collected (user ID/password + multifactor authentication + automatic analysis of user activity) are sufficient to grant acquittal. Human beings are one of the weakest links of information security and their identities play a key role when planning strategies for data breaching.  

Taking control of privileged accounts and “Zero Trust” 

Privileges and the right to them are nice features among information systems since they can be used to quickly obtain the results one wishes for. However, how many privileges are ultimately available and who determines access to them?  Frequently the level of user privileges exceeds the minimum required by one’s work tasks. Overall, why should we have more privileges for doing “things” within an information system than what our work demands of us? Well-defined user privileges comprise a critical component of an information security strategy. 

From the viewpoint of an attacker, the stolen identity of a basic user is a good place to start from, but is there anything more delicious available? For sure – a privileged account. Privileged accounts are used to take care of the most critical operations of information systems and technologies. These accounts can be used to carefully prepare an attack, with it being possible to bypass many protective mechanisms. Tip: Take control of privileged accounts! 

How can one improve the end user experience and boost the productivity of work without having to compromise the level of information security? A key role is played by analytics that can be used to probe user activities in real time and to make a decision concerning the need for multifactor authentication. With reference to access management, information security is at its best when it only becomes visible to the user when needed. 

All these issues come up when discussing the concept of “Zero Trust”. Is it a product, service or something else? It is something else, that is, a strategy. The Zero Trust strategy encourages one to consider what is essential from the perspective of a given organization, and how to establish foundations to safeguard it. If one has not begun to think in this manner, now is a good time to act. 

Register to our EMEA Security Summit to find out more on how to create a Zero Trust strategy for your business

Appropriate configurations, access management and user privileges 

The other clearly discernible reason underlying data leakages involves an unprotected database or an incorrectly implemented configuration. In practice, an incorrectly implemented configuration can mean almost anything and clearly requires additional checkpoints and protective measures – ranging from code validation to the browser encryption algorithm and version, as well as database user privileges and data classification.  

According to the OWASP Top 10 vulnerability list, misconfiguration has remained among the 10 most frequently listed vulnerabilities since its inception (2013). Based on the list, reasons behind unprotected databases or incorrect configurations can be found between user-specific browser protection solutions and database back-end protection measures employed by the company. Examples of vulnerabilities: 

1. web protocols in use 
2. web server 
3. application server 
4. database 
5. custom code 
6. installed virtual machines 
7. services in use 
8. open ports etc. 

How could these incorrectly defined configurations be efficiently detected to fix the situation as quickly as possible? There are of course many different ways, depending on where the system vulnerability lies. For example, production and development environments should be kept separate from another, with both featuring their own user accounts. Overall, access management and user privileges should be defined at a level, where work can be done using a minimal set of rights, and the application architecture should be clearly segmented. Subnetworks and domains should be clearly segregated from one another and protected using e.g. firewalls. 

The efficient and rapid detection of misconfigurations is important

The Risk Manager module, which is a part of IBM’s SIEM system, offers a very fast, efficient and visual solution for evaluating configurations that have been set. In practice, it checks the configuration settings of each device – e.g., firewall, router, connector and IPS device settings. Risk Manager correlates vulnerability data with third-party information sources and classifies devices according to risk likelihood and repercussions. With Risk Manager it is possible to check the network connections of a device in real time, based on the applications used, ports, protocols and e.g., websites used by the device for communication purposes. 

The configuration monitor makes it possible to check and cross-compare configurations between multiple devices, manage information security practices and changes in the network environment. The solution also makes it possible to check the configuration history of a device, network interfaces and rules (firewall, router, connector, IPS, etc.) and compare between-device inconsistencies and configuration changes that pose a risk to the company. 

Using graphical network topology, it is possible to visualize OSI 3-compliant topologies pertaining to the physical network infrastructure and connectivity. The topology is constructed using configuration settings available on the devices. This makes it possible to visually determine how the devices communicate with one another and which route the devices employ for communications, including ports, protocols and rules. 

Risk Manager additional features a so-called Policy Monitor that gathers information on device configurations, network traffic data, network and information security events, as well as vulnerability data. Based on this information, the Policy Manager establishes a risk level and an appropriate response for mitigating that risk. Risk Manager also includes a template for different standards for privacy and regulation adherence, including PCI DSS, HIPAA, GDPR and ISO 27011.  

The QRadar Risk Manager module enables the rapid and real-time detection of potential incorrect configurations within a network environment and the efficient elimination of potential data breach risks. Naturally, a prerequisite is that that the procedure becomes routine-like and is regularly applied. In many data breach cases that we investigated, there clearly would have been an opportunity to prevent the breaches that occurred. The companies were nevertheless quick to address the deficiencies that were identified. 

The efficient and rapid detection of misconfigurations is important

Here we have two different and effective solutions to prevent data breaches from occurring. However, as said, no information security solution or architecture can be considered watertight. Instead, it becomes a question of following a continuous process, the functionality of which should be monitored in real time, with immediate intervention in the case of emerging vulnerabilities and information security gaps. Using these methods, nevertheless, can be used to rapidly and efficiently prevent the occurrence of potential data breaches. Data breaches are something one should prepare for, as criminals never sleep and if the gaps are immediately visible, it makes the act of stealing far easier. 

Should IBM’s information security solutions be of interest, please feel free to contact us: 

Jouni Huttunen, Senior Security Specialist, IBM Finland
Tel: +358 50 311 22 86 / jouni.huttunen@fi.ibm.com 

Kim Rejman, Security Threat Management, IBM Finland
Tel: +358 50 317 66 44 / kim.rejman@fi.ibm.com 

 
QRadar Risk Manager Tutorials: 
White Board Intro   
Configuration Connections & Topology – Risk Manager in action (duration 10 min)  
Policies – Policy Monitor – Risk Manager in action (duration 9 min)  
More on Policies – Risk Manager in action (duration 9 min)  
Simulation of Changes (duration 14 min)