Marzena Fuller

Lessons Learned From 2018 Security Breaches

It's better to hear about a data breach internally than from a security researcher who happens to discover a publicly exposed asset or confidential data for sale on the dark web.

The top five security breaches discovered in 2018 affected over 2 billion users' records (Aadhaar -- 1.1B, Marriott -- 500M, Exactis -- 340M, Twitter -- 330M, MyFitnessPal -- 150M) and included highly sensitive data -- from names and dates of birth to credit card and passport numbers. So what have we learned about the categories of companies targeted, the data targeted, data breach prevention, and early detection, and what should we do differently in 2019?

First, we should make a distinction between data breaches that resulted from intentional, targeted actions by hackers and data breaches that resulted from opportunistic exploitation by automated bots. In the case of the former, companies that process and store large volumes of personal data, payment data, and healthcare data were the primary target for hackers in 2018 and will remain the primary target in 2019. Key vendors used by these companies will be targeted as well. This data can be sold on the dark web, and according to Verizon's 2018 Data Breach Investigations Report (DBIR), 76% of hackers were motivated by financial gain. In the case of the latter, any company that makes its assets discoverable on the Internet without proper authentication will likely suffer a data breach.

While hackers can use sophisticated tools and obscure attack vectors, the disclosed root causes of 2018 data breaches boil down to not following secure coding and secure cloud configuration best practices, and can be categorized as follows:

  • Publicly accessible assets -- making databases, Kubernetes etcd databases, servers, and point-of-sale (POS) systems accessible on the Internet while not requiring any authentication or relying on password-based authentication alone. These assets are discoverable by anyone with a simple Shodan search and will be exploited.
  • API security -- not requiring authentication or using only Basic Authentication; not implementing rate limiting
  • Cloud misconfigurations -- making S3 buckets that hold confidential data public
  • Encryption -- not encrypting data in transit, or using weak ciphers
  • Web application security -- not implementing input validation
  • Using components with known vulnerabilities

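The "public S3 bucket" root cause above is easy to audit before a bot finds the bucket, because the exposure is visible in the bucket policy itself. The following is an added example (not code from the article, its author, or SignalFx) that scans an S3 bucket policy for Allow statements granting access to the wildcard principal, and treats a statement as scoped, not public, when it carries a positive condition on a network or organization key. The policies and the `SCOPING_KEYS` list are constructed for the example; a real audit should corroborate its result with a tool such as IAM Access Analyzer, since IAM condition semantics go beyond this approximation.

```python
import json

# Constructed sample policies (no real buckets or accounts) used to exercise the audit.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                  # everyone on the Internet
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VpceOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},     # wildcard, but limited to one VPC endpoint
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
        {
            "Sid": "AppRole",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
})

# Edge case: a negated condition still lets everyone except one endpoint in.
NEGATED_CONDITION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "LooksScopedButIsNot",
        "Effect": "Allow",
        "Principal": {"AWS": ["*"]},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})

# Assumption for this example: positive conditions on these keys restrict the audience.
SCOPING_KEYS = ("aws:sourcevpc", "aws:sourcevpce", "aws:sourceip", "aws:principalorgid")


def _principals(principal):
    """Flatten the Principal element (string, or map of lists/strings) into a list."""
    if isinstance(principal, str):
        return [principal]
    flat = []
    for value in principal.values():
        flat.extend(value if isinstance(value, list) else [value])
    return flat


def _is_scoped(condition):
    """True when a positive (non-negated, non-Null) condition names a scoping key."""
    if not condition:
        return False
    for operator, keys in condition.items():
        op = operator.lower()
        if "not" in op or op.startswith("null"):
            continue  # StringNotEquals etc. widen access; Null only tests presence
        if any(key.lower() in SCOPING_KEYS for key in keys):
            return True
    return False


def find_public_statements(policy_json):
    """Return the Sids of Allow statements that grant access to everyone."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be written unwrapped
        statements = [statements]
    findings = []
    for index, statement in enumerate(statements):
        if statement.get("Effect") != "Allow":
            continue
        if "*" not in _principals(statement.get("Principal", {})):
            continue
        if _is_scoped(statement.get("Condition")):
            continue
        findings.append(statement.get("Sid", f"statement-{index}"))
    return findings


if __name__ == "__main__":
    for name, policy in [("PUBLIC_READ_POLICY", PUBLIC_READ_POLICY),
                         ("SCOPED_POLICY", SCOPED_POLICY),
                         ("NEGATED_CONDITION_POLICY", NEGATED_CONDITION_POLICY)]:
        print(name, "->", find_public_statements(policy) or "no public statements")
```

Running the script flags `PublicRead` and `LooksScopedButIsNot` and passes `SCOPED_POLICY` clean; the negated-condition case is the one that a naive "has a Condition block" check would miss.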
Given what these root causes have in common (none of them involves anything beyond fundamental security best practices), the conclusion can be drawn that many companies still do not prioritize and do not invest in security.

First, security must have board-level visibility, support from the entire executive team, and adequate headcount and budget. Once these strategic requirements are met, the following processes should be implemented to address the categories of data breach root causes enumerated above:

  • A secure development lifecycle in which engineering and security work together towards the same objective
  • Threat modeling to identify key assets, threats, attack vectors, and possible mitigations
  • An architecture review board that includes security design reviews against agreed-upon security requirements and best practices
  • OWASP secure coding practices and relevant checklists
  • Static and dynamic code analysis
  • Frequent pen tests by an independent third party

While no company wants to discover that it has suffered a data breach, it is far preferable to make such a discovery via internal means than to be informed about the breach by a security researcher who happened to discover a publicly exposed asset or confidential data for sale on the dark web. Implementing the Zero Trust security model, with visibility into exactly who is accessing the network, from where, and when, is the answer.

— Marzena Fuller is the chief security officer at SignalFx.
