3/18/2021 10:00 AM
Neil Daswani
Commentary
What CISOs Can Learn From Big Breaches: Focus on the Root Causes

Address these six technical root causes of breaches in order to keep your company safer.

There have been dozens of mega-breaches in the past decade and over 9,000 reported breaches. Unsurprisingly, many breaches go unreported, as shown by credential dumps available on the Dark Web of which the breached organization may be completely unaware. What's going wrong? Why haven't we been able to stop these breaches?

In past years, we've seen a plethora of security compliance standards rise — PCI, ISO 2700x, NIST 800-53, HIPAA, and others — which require hundreds of checkboxes to be addressed. However, most breached organizations have been compliant at the time the breach occurred. While compliance brings many advantages for helping organizations get more secure, it isn't sufficient to prevent most breaches.

The primary reason these incidents take place so often is that, as an industry, we haven't been focusing on the root causes of breaches. From my analysis of mega-breaches and thousands of other reported breaches, there are six "technical" root causes that must be addressed, which are:

Phishing/Account Takeover
Phishing was used in many mega-breaches, including those at Yahoo (disclosed in 2016) and Anthem (disclosed in 2015). Even as recently as last year, Verizon reported in its "Data Breach Investigations Report" that phishing was still responsible for 25% of breaches.

Malware
Malware was a key tool used by the attackers in the Marriott breach, disclosed in 2018. The Marriott breach stemmed from its acquisition of Starwood Hotels: malware had been used to compromise Starwood's environment four years before the acquisition and had gone undetected for that entire period.

Software Vulnerabilities
First-party and third-party software vulnerabilities were responsible, respectively, for the 2018 Facebook "View Profile As…" breach and the 2017 Equifax breach. In the Facebook breach, a sophisticated chain of three vulnerabilities came together to allow attackers to compromise tens of millions of access tokens for Facebook accounts. In the Equifax breach, an unpatched Apache Struts server was exploited to allow attackers to execute code of their choice on the vulnerable server, and that vulnerability provided the initial compromise. Although the Apache Struts vulnerability was widely publicized, a SQL injection was also leveraged within the environment to exfiltrate sensitive data from one of Equifax's databases.

Third-Party Compromise or Abuse
Third-party compromise has also been a root cause in many hacks and breaches, including the SolarWinds hack disclosed in December 2020, in which SolarWinds was leveraged as a third party to target many of its customers, including nine government agencies and approximately 100 private sector companies. However, third-party compromise is far from new: it was a root cause of the Target and JPMorgan Chase breaches in 2013 and 2014, respectively, in which a heating and air conditioning company and a website management company provided the initial infiltration into the networks.

Unencrypted Data
Unencrypted data has been a root cause in thousands of breaches in which unencrypted portable devices were lost or stolen, or unencrypted physical media was lost. When a consumer's name and a sensitive identifier about that consumer are lost or stolen and that data is unencrypted, breach notification laws are triggered and the incident must be reported to a state attorney general.

Inadvertent Employee Mistakes
Finally, inadvertent employee mistakes (aside from responding to phishing emails, which is prevalent enough to deserve its own category) are also a root cause of many breaches.

How can one address the root causes of breaches? Although a full answer to that question is well beyond the scope of this article, there are some gold-standard defenses that can be employed.

A good first step is leveraging hardware security keys (such as YubiKeys), which are effective in eliminating phishing and account takeover. Since Google deployed hardware security keys in 2017, it has experienced no successful phishing attacks to date, even though the company is regularly targeted by nation-states. Anti-malware defenses that heavily deploy artificial intelligence have been extremely effective at detecting previously unknown ("zero-day") malware.

Putting a vulnerability management process in place that uses multiple scanners, automated ticketing that prioritizes vulnerabilities actively exploited in the wild, and technical verification via rescan when staff claim that vulnerabilities have been fixed will solidly protect an organization against known software vulnerabilities. Aegis is an example of a novel open source framework that supports a robust vulnerability management approach. Observability tools can identify previously unknown vulnerabilities in new code, leveraging a modern development model in which security testing does not happen only at certain development stages; instead, new code is continuously monitored as it is developed, up through its launch into production.
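The three mechanics of the process described above (merging findings from several scanners into one ticket per vulnerability, pushing actively exploited items to the front of the queue, and closing a ticket only when a rescan confirms every affected host is clean) can be sketched as a small script. This is an added illustration, not code from the article or from Aegis; the scanner names, host names, CVE ids and the "actively exploited" list are all constructed placeholders.

```python
# Added example: minimal vulnerability-management pipeline (constructed data).
from dataclasses import dataclass, field


@dataclass
class Ticket:
    cve: str
    hosts: set = field(default_factory=set)     # hosts on which the finding was seen
    sources: set = field(default_factory=set)   # scanners that reported it
    priority: str = "normal"
    status: str = "open"


def merge_findings(scan_results, exploited):
    """scan_results: {scanner_name: [(host, cve_id), ...]} from several scanners.
    exploited: set of CVE ids known to be exploited in the wild (from a feed).
    Returns one ticket per CVE, de-duplicated across scanners and hosts."""
    tickets = {}
    for scanner, findings in scan_results.items():
        for host, cve in findings:
            t = tickets.setdefault(cve, Ticket(cve))
            t.hosts.add(host)
            t.sources.add(scanner)
            if cve in exploited:          # in-the-wild exploitation outranks everything else
                t.priority = "critical"
    return tickets


def work_queue(tickets):
    """Order tickets: actively exploited first, then by number of affected hosts."""
    ordered = sorted(tickets.values(),
                     key=lambda t: (t.priority != "critical", -len(t.hosts), t.cve))
    return [t.cve for t in ordered]


def verify_fix(ticket, rescan):
    """rescan: set of (host, cve_id) pairs still reported after staff mark the fix done.
    The ticket is closed only if no affected host still shows the finding."""
    remaining = sorted(h for h in ticket.hosts if (h, ticket.cve) in rescan)
    ticket.status = "reopened" if remaining else "verified_closed"
    return ticket.status


# Constructed sample input: two scanners, partially overlapping results.
SCANS = {
    "scanner_a": [("web01", "CVE-0000-0001"), ("web02", "CVE-0000-0001"),
                  ("db01", "CVE-0000-0002")],
    "scanner_b": [("web01", "CVE-0000-0001"), ("app01", "CVE-0000-0003")],
}
EXPLOITED = {"CVE-0000-0001"}   # placeholder for a real exploited-in-the-wild feed

if __name__ == "__main__":
    tix = merge_findings(SCANS, EXPLOITED)
    print(work_queue(tix))                                           # critical first
    print(verify_fix(tix["CVE-0000-0001"], {("web02", "CVE-0000-0001")}))  # reopened
```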

It has been said that "complexity is the enemy of security." Compliance standards are complex and have hundreds of checkboxes to satisfy, but they aren't preventing mega-breaches. If we are to succeed, we need to simplify: focus on the six technical root causes of breaches and deploy scientifically effective countermeasures aimed at those six specific causes.

Dr. Neil Daswani is Co-Director of the Stanford Advanced Cybersecurity Program, President of Daswani Enterprises, his security consulting and training firm, and author of the cybersecurity book Big Breaches: Cybersecurity Lessons for Everyone. He has served in a variety of ...