There have been dozens of mega-breaches in the past decade and over 9,000 reported breaches. Unsurprisingly, many breaches are unreported, as shown by credential dumps available on the Dark Web of which a breached organization may be completely unaware. What's going wrong? Why haven't we been able to stop these breaches?
In past years, we've seen a plethora of security compliance standards rise — PCI, ISO 2700x, NIST 800-53, HIPAA, and others — which require hundreds of checkboxes to be addressed. However, most breached organizations have been compliant at the time the breach occurred. While compliance brings many advantages for helping organizations get more secure, it isn't sufficient to prevent most breaches.
The primary reason these incidents take place so often is that, as an industry, we haven't been focusing on the root causes of breaches. From my analysis of mega-breaches and thousands of other reported breaches, there are six "technical" root causes that must be addressed, which are:
Phishing was used in many mega-breaches, including those at Yahoo (disclosed in 2016) and Anthem (disclosed in 2015). Even as recently as last year, Verizon reported in its "Data Breach Investigations Report" that phishing was still responsible for 25% of breaches.
Malware was a key tool used by the attackers in the Marriott breach, disclosed in 2018. The Marriott breach occurred because of its acquisition of Starwood Hotels, where malware was used to compromise its environment four years before the acquisition and had gone undetected for that time period.
Both first-party and third-party software vulnerabilities, respectively, were responsible for the 2018 Facebook "View Profile As…" breach and the 2017 Equifax breach. In the Facebook breach, a sophisticated set of three vulnerabilities came together to allow attackers to compromise tens of millions of access tokens for Facebook accounts. In the Equifax breach, an unpatched Apache Struts server was exploited to allow attackers to execute code of their choice on the vulnerable server, and the vulnerability was used to make an initial compromise. Although the Apache Struts vulnerability was widely publicized, there was also a SQL injection that was leveraged within the environment to exfiltrate sensitive data out of one of Equifax's databases.
Third-Party Compromise or Abuse
Third-party compromise was also a root cause in many hacks and breaches, including the recent SolarWinds hack disclosed in December 2020 in which SolarWinds was leveraged as a third party to target many of its customers, including nine government agencies and approximately 100 private sector companies. However, third-party compromise is far from new and was a root cause of the Target and JPMorgan Chase breaches in 2013 and 2014, respectively, in which a heating and air conditioning company and a website management company allowed the initial infiltration in the networks.
Unencrypted data has been a root cause in thousands of breaches in which unencrypted portable devices are lost or stolen, or physical loss of unencrypted media has taken place. When a consumer's name and a sensitive identifier about that consumer is lost or stolen and that data is unencrypted, breach notification laws are triggered and reporting to a state attorney general occurs.
Inadvertent Employee Mistakes
Finally, inadvertent employee mistakes (aside from responding to phishing emails, which is prevalent enough that it deserves its own category) is also a root cause of many breaches.
How can one address the root causes of breach? Although a full answer to that question is well beyond the scope of this article, there are some gold-standard defenses that can be employed.
A good first step is leveraging hardware security keys (such as YubiKeys), which are effective in eliminating phishing and account takeover. After Google deployed hardware security keys in 2017, it has experienced no successful phishing attacks to date even though the company is regularly targeted by nation-states. Anti-malware defenses that heavily deploy artificial intelligence have been extremely effective at detecting previously unknown ("zero-day") malware.
Putting a vulnerability management process in place that uses multiple scanners, automated ticketing that prioritizes vulnerabilities that are actively exploited in the wild, and technical verification via rescan when staff claims that vulnerabilities have been fixed will solidly protect an organization against known software vulnerabilities. Aegis is an example of a novel open source framework that supports a robust vulnerability management approach. Using observability tools can identify previously unknown vulnerabilities in new code, leveraging a modern development model in which security testing does not happen only at certain development stages, but new code is continuously monitored as it is getting developed, up through its launch into production.
It has been said that "complexity is the enemy of security." Compliance standards are complex and have hundreds of checkboxes to satisfy, but they aren't helping to prevent mega-breaches. We need to simplify if we are to succeed by focusing on the six technical root causes of breaches and deploying scientifically effective countermeasures that focus on those six specific causes.