Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:00 AM
Neil Daswani
Neil Daswani
Connect Directly
E-Mail vvv

What CISOs Can Learn From Big Breaches: Focus on the Root Causes

Address these six technical root causes of breaches in order to keep your company safer.

There have been dozens of mega-breaches in the past decade and over 9,000 reported breaches. Unsurprisingly, many breaches are unreported, as shown by credential dumps available on the Dark Web of which a breached organization may be completely unaware. What's going wrong? Why haven't we been able to stop these breaches? 

In past years, we've seen a plethora of security compliance standards rise — PCI, ISO 2700x, NIST 800-53, HIPAA, and others — which require hundreds of checkboxes to be addressed. However, most breached organizations have been compliant at the time the breach occurred. While compliance brings many advantages for helping organizations get more secure, it isn't sufficient to prevent most breaches.

Related Content:

Hiding in Plain Sight: Protecting Enterprises from the 'New' Shadow IT

Special Report: How IT Security Organizations Are Attacking the Cybersecurity Problem

New From The Edge: Contemplating the Coffee Supply Chain: A Horror Story

The primary reason these incidents take place so often is that, as an industry, we haven't been focusing on the root causes of breaches. From my analysis of mega-breaches and thousands of other reported breaches, there are six "technical" root causes that must be addressed, which are:

Phishing/Account Takeover
Phishing was used in many mega-breaches, including those at Yahoo (disclosed in 2016) and Anthem (disclosed in 2015). Even as recently as last year, Verizon reported in its "Data Breach Investigations Report" that phishing was still responsible for 25% of breaches

Malware was a key tool used by the attackers in the Marriott breach, disclosed in 2018. The Marriott breach occurred because of its acquisition of Starwood Hotels, where malware was used to compromise its environment four years before the acquisition and had gone undetected for that time period.   

Software Vulnerabilities
Both first-party and third-party software vulnerabilities, respectively, were responsible for the 2018 Facebook "View Profile As…" breach and the 2017 Equifax breach. In the Facebook breach, a sophisticated set of three vulnerabilities came together to allow attackers to compromise tens of millions of access tokens for Facebook accounts. In the Equifax breach, an unpatched Apache Struts server was exploited to allow attackers to execute code of their choice on the vulnerable server, and the vulnerability was used to make an initial compromise. Although the Apache Struts vulnerability was widely publicized, there was also a SQL injection that was leveraged within the environment to exfiltrate sensitive data out of one of Equifax's databases.  

Third-Party Compromise or Abuse
Third-party compromise was also a root cause in many hacks and breaches, including the recent SolarWinds hack disclosed in December 2020 in which SolarWinds was leveraged as a third party to target many of its customers, including nine government agencies and approximately 100 private sector companies. However, third-party compromise is far from new and was a root cause of the Target and JPMorgan Chase breaches in 2013 and 2014, respectively, in which a heating and air conditioning company and a website management company allowed the initial infiltration in the networks.

Unencrypted Data
Unencrypted data has been a root cause in thousands of breaches in which unencrypted portable devices are lost or stolen, or physical loss of unencrypted media has taken place. When a consumer's name and a sensitive identifier about that consumer is lost or stolen and that data is unencrypted, breach notification laws are triggered and reporting to a state attorney general occurs. 

Inadvertent Employee Mistakes 
Finally, inadvertent employee mistakes (aside from responding to phishing emails, which is prevalent enough that it deserves its own category) is also a root cause of many breaches.  

How can one address the root causes of breach? Although a full answer to that question is well beyond the scope of this article, there are some gold-standard defenses that can be employed.

A good first step is leveraging hardware security keys (such as YubiKeys), which are effective in eliminating phishing and account takeover. After Google deployed hardware security keys in 2017, it has experienced no successful phishing attacks to date even though the company is regularly targeted by nation-states. Anti-malware defenses that heavily deploy artificial intelligence have been extremely effective at detecting previously unknown ("zero-day") malware.  

Putting a vulnerability management process in place that uses multiple scanners, automated ticketing that prioritizes vulnerabilities that are actively exploited in the wild, and technical verification via rescan when staff claims that vulnerabilities have been fixed will solidly protect an organization against known software vulnerabilities. Aegis is an example of a novel open source framework that supports a robust vulnerability management approach. Using observability tools can identify previously unknown vulnerabilities in new code, leveraging a modern development model in which security testing does not happen only at certain development stages, but new code is continuously monitored as it is getting developed, up through its launch into production.

It has been said that "complexity is the enemy of security." Compliance standards are complex and have hundreds of checkboxes to satisfy, but they aren't helping to prevent mega-breaches. We need to simplify if we are to succeed by focusing on the six technical root causes of breaches and deploying scientifically effective countermeasures that focus on those six specific causes. 

Dr. Neil Daswani is Co-Director of the Stanford Advanced Cybersecurity Program, President of Daswani Enterprises, his security consulting and training firm and author of cybersecurity book Big Breaches: Cybersecurity Lessons for Everyone. He has served in a variety of ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-19
Adobe Robohelp version 2020.0.3 (and earlier) is affected by an uncontrolled search path element vulnerability that could lead to privilege escalation. An attacker with permissions to write to the file system could leverage this vulnerability to escalate privileges.
PUBLISHED: 2021-04-19
Innorix Web-Based File Transfer Solution versuibs prior to and including contains a vulnerability that could allow remote files to be downloaded and executed by setting the arguments to the internal method. A remote attacker could induce a user to access a crafted web page, causing damage...
PUBLISHED: 2021-04-19
XMB is vulnerable to cross-site scripting (XSS) due to inadequate filtering of BBCode input. This bug affects all versions of XMB. All XMB installations must be updated to versions or
PUBLISHED: 2021-04-18
This affects all versions of package killing. If attacker-controlled user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
PUBLISHED: 2021-04-18
This affects all versions of package ps-visitor. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.