What those new to security can learn from the biggest breaches of all time

While no organization wants to be in the headlines for a breach, there is much to learn from those who have been the victim of an attack.


Given the number of breaches that happen daily, I often feel sorry for the big-name corporations that find their names in the headlines, not only for having had a breach but also for being held up as a constant example of the implications of a breach.

Unfortunately, there is much for security professionals to learn from those companies that have been attacked, which is the reason for OPSWAT’s recent blog post on the eight largest breaches of all time. To explain to my readers how they can better avoid being the victim of an attack, Benny Czarny, CEO of OPSWAT, spoke from his 20 years of expertise in the computer and network security industry, where he has created solutions in the fields of encryption, network operations, and security vulnerability detection.

Czarny’s breadth of experience spans roles as a programmer, team leader, and engineering manager at several companies before he founded OPSWAT, a San Francisco-based software company that provides solutions to secure and manage IT infrastructure, in 2002.

“The criminals are out there and they understand that data can get them financial or other gains,” said Czarny. Part of the problem in building a strong defense is that security teams don’t always know what the criminals are after. “There are several things that criminals want—credit cards, pictures, movies, sensitive documents, private records,” said Czarny.

Criminal activity has become broader and more sophisticated. Some bad guys are stealing and publishing data because they want to shame their victims. Others are after different targets. Czarny said, “What we try to do is to raise concern and quantify what is the potential risk. What are the potential damages caused by the attacks?”

The reality is that despite these eight major breaches, Czarny said, “Many other breaches that have been happening didn’t make it to the news because security teams caught it before it became disastrous.”

The goal with most retail breaches is stealing credit card numbers so that the criminals can use them to buy anything online, transfer money, or steal directly from the banks. The gain is obvious, and the way that many have been accomplished was through malware. Czarny said that security professionals need to ask, “What is the target? What are the weaker points? Because criminals are leveraging the weaker points to implement the malware.”

The goal with breaches of major entertainment corporations is quite different. “The goal with Sony was to steal the videos and leak them to create financial damage to Sony as either political gain or for other reasons (revenge). The intent was to create damage specifically to Sony for publishing a specific video,” Czarny said.

Malware is often the culprit, and the attack is frequently sophisticated because the attacker knows the security system, having spent a great deal of time studying and collecting intelligence on the target organization. “They designed the malware to send traffic through the security system that seems to be legitimate,” Czarny said.

Examining the network and performing deep inspection of its traffic is critical to being able to detect infections. Czarny said, “Looking deeper into the network requires much more detailed work, which involves investigation.”

For many enterprises, though, the conflict lies in failing to recognize that security is a philosophical concept. Czarny said, “I am doing two things—I’m the alarm system and the police. I’m the alarm system in the house and I’m the local police.”

In trying to create a good alarm system for the business, Czarny said, “Stop thinking how to protect the business from a cyber-attack and from the cyber security threat. Instead, think about the business assets. Prioritize what needs to be protected, then think about the threat vectors.”

From overall architecture down to specific fields such as firewall administration, IPS, antimalware, and malware research, the entire security team needs to be thinking about protecting the business assets.

For SMBs, though, an entire security team might not exist. Czarny said, “Cloud solutions might be a way to mitigate some of the risk. That’s something that is helping. There are lots of security companies targeting those SMBs, understanding that they might not have a team or may not be able to come up with solutions.”

The need to educate end users on using a computer can never be underestimated or exhausted. “There are lessons on driving a car but not on using a computer. People should have education that gives them a basic understanding of cybersecurity that protects anybody,” Czarny said.
