Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV //

Vulnerability

2/14/2019
01:53 PM
Marzena Fuller
Marzena Fuller
Marzena Fuller
50%
50%

Lessons Learned From 2018 Security Breaches

It's better to hear about a data breach internally than by a security researcher who happens to discover a publicly exposed asset or confidential data for sale on a dark web.

The top five security breaches discovered in 2018 affected over 2 billion users' records (Aadhar -- 1.1B, Marriot -- 500M, Exactis -- 340M, Twitter -- 330M, MyFitnessPal -- 150M) and included highly sensitive data -- from names and DOBs to credit card and passport numbers. So what have we learned about the categories of companies targeted, the data targeted, data breach prevention, early detection, and what should we do differently in 2019?

First, we should make a distinction between data breaches that resulted from intentional and targeted actions by the hackers and data breaches that resulted from opportunistic exploits by automated security bots. In the case of the former, companies that process and store large volumes of personal data, payment data and healthcare data were the primary target for hackers in 2018 and will remain the primary target in 2019. Key vendors used by these companies will be targeted, as well. This data can be sold on the dark web and according to Verizon's DBIR 2018 report, 76% of hackers were motivated by financial gain. In the case of the latter, any company that makes its assets discoverable on the Internet without proper authentication will likely suffer a data breach.

While hackers can use sophisticated tools and obscure attack vectors, the disclosed root causes of 2018 data breaches boil down to not following secure coding and secure cloud configurations best practices and can be categorized as follows:

  • Publicly accessible assets -- making databases, kubernetes etcd databases, servers and POS accessible on the Internet andnot requiring any authentication or relying on password-based authentication. These assets are discoverable by anyone with a simple Shodan search and will be exploited.
  • API security -- not requiring authentication or using Basic Authentication; not implementing rate limiting
  • Cloud misconfigurations -- making S3 buckets with confidential data public
  • Encryption -- not encrypting data in transit, using weak ciphers
  • Web application security -- not implementing input validation
  • Using components with vulnerabilities

Given commonalities between the root causes (not following fundamental security best practices), a conclusion can be drawn that many companies still do not prioritize and do not invest in security.

First, security must have board-level visibility, support from the entire executive team, and adequate headcount and budget. Once these strategic requirements are met the following processes should be implemented to address the categories of data breach root causes enumerated above.

  • Secure development lifecycle where engineering and security work together towards the same objective.
  • Threat modeling to identify key assets, threats, attack vectors and possible mitigations
  • An architecture review board that includes security design reviews against agreed-upon security requirements and best practices
  • OWASP secure coding practices and relevant checklists
  • Static and dynamic code analysis
  • Frequent pen tests by an independent third party

While no company wants to discover that it has suffered a data breach, it is far more preferable to make such a discovery via internal means than to be informed about the breach by a security researcher who happened to discover a publicly exposed asset or confidential data for sale on a dark web. Implementing the Zero Trust Security model with visibility into exactly who is accessing the network, from where and when is the answer.

— Marzena Fuller is the chief security officer at SignalFx.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15216
PUBLISHED: 2020-09-29
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revisio...
CVE-2020-4607
PUBLISHED: 2020-09-29
IBM Security Secret Server (IBM Security Verify Privilege Vault Remote 1.2 ) could allow a local user to bypass security restrictions due to improper input validation. IBM X-Force ID: 184884.
CVE-2020-24565
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25770
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25771
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...