Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV //

Vulnerability

2/14/2019
01:53 PM
Marzena Fuller
Marzena Fuller
Marzena Fuller
50%
50%

Lessons Learned From 2018 Security Breaches

It's better to hear about a data breach internally than by a security researcher who happens to discover a publicly exposed asset or confidential data for sale on a dark web.

The top five security breaches discovered in 2018 affected over 2 billion users' records (Aadhar -- 1.1B, Marriot -- 500M, Exactis -- 340M, Twitter -- 330M, MyFitnessPal -- 150M) and included highly sensitive data -- from names and DOBs to credit card and passport numbers. So what have we learned about the categories of companies targeted, the data targeted, data breach prevention, early detection, and what should we do differently in 2019?

First, we should make a distinction between data breaches that resulted from intentional and targeted actions by the hackers and data breaches that resulted from opportunistic exploits by automated security bots. In the case of the former, companies that process and store large volumes of personal data, payment data and healthcare data were the primary target for hackers in 2018 and will remain the primary target in 2019. Key vendors used by these companies will be targeted, as well. This data can be sold on the dark web and according to Verizon's DBIR 2018 report, 76% of hackers were motivated by financial gain. In the case of the latter, any company that makes its assets discoverable on the Internet without proper authentication will likely suffer a data breach.

While hackers can use sophisticated tools and obscure attack vectors, the disclosed root causes of 2018 data breaches boil down to not following secure coding and secure cloud configurations best practices and can be categorized as follows:

  • Publicly accessible assets -- making databases, kubernetes etcd databases, servers and POS accessible on the Internet andnot requiring any authentication or relying on password-based authentication. These assets are discoverable by anyone with a simple Shodan search and will be exploited.
  • API security -- not requiring authentication or using Basic Authentication; not implementing rate limiting
  • Cloud misconfigurations -- making S3 buckets with confidential data public
  • Encryption -- not encrypting data in transit, using weak ciphers
  • Web application security -- not implementing input validation
  • Using components with vulnerabilities

Given commonalities between the root causes (not following fundamental security best practices), a conclusion can be drawn that many companies still do not prioritize and do not invest in security.

First, security must have board-level visibility, support from the entire executive team, and adequate headcount and budget. Once these strategic requirements are met the following processes should be implemented to address the categories of data breach root causes enumerated above.

  • Secure development lifecycle where engineering and security work together towards the same objective.
  • Threat modeling to identify key assets, threats, attack vectors and possible mitigations
  • An architecture review board that includes security design reviews against agreed-upon security requirements and best practices
  • OWASP secure coding practices and relevant checklists
  • Static and dynamic code analysis
  • Frequent pen tests by an independent third party

While no company wants to discover that it has suffered a data breach, it is far more preferable to make such a discovery via internal means than to be informed about the breach by a security researcher who happened to discover a publicly exposed asset or confidential data for sale on a dark web. Implementing the Zero Trust Security model with visibility into exactly who is accessing the network, from where and when is the answer.

— Marzena Fuller is the chief security officer at SignalFx.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5604
PUBLISHED: 2020-07-09
Android App 'Mercari' (Japan version) prior to version 3.52.0 allows arbitrary method execution of a Java object by a remoto attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView.
CVE-2020-5974
PUBLISHED: 2020-07-08
NVIDIA JetPack SDK, version 4.2 and 4.3, contains a vulnerability in its installation scripts in which permissions are incorrectly set on certain directories, which can lead to escalation of privileges.
CVE-2020-15072
PUBLISHED: 2020-07-08
An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section.
CVE-2020-15073
PUBLISHED: 2020-07-08
An issue was discovered in phpList through 3.5.4. An XSS vulnerability occurs within the Import Administrators section via upload of an edited text document. This also affects the Subscriber Lists section.
CVE-2020-2034
PUBLISHED: 2020-07-08
An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network based attacker to execute arbitrary OS commands with root privileges. An attacker requires some knowledge of the firewall to exploit this issue. This issue can not be exploited if GlobalProtect...