The fact is no enterprise or individual is immune to a breach. What really matters is, did they have an intrusion but then prevent a data loss? Any company can and will likely have an unauthorized intrusion, but did they have the right prevention, detection and response processes in place to stop a loss?
A few years back Gartner reported that prevention is Futile, that we must focus on detection and reaction. This is because there are simply too many ways in to prevent 100% of intrusions.
According to the 2017 Ponemon Cost of Data Breach study, the global average cost of a data breach is $3.62 million. Despite all the new and innovative Tools and Technologies Data Breaches still happen.
As my ISSA colleague Ira Winkler and his coauthor Araceli Treu Gomes point out in their latest book Advanced Persistent Security, most so-called advanced attacks are not really so advanced: “when you look at most of the attacks that have been proclaimed sophisticated by the victims or the consultants who pay to speak for them you see insufficient protection combined with insufficient detection capabilities.”
The top three data breaches of 2017 were:
- Equifax, September 7, 2017: Equifax, one of the three largest credit agencies in the U.S., suffered a breach that may affect 143 million consumers. Due to the sensitivity of data stolen, including Social Security numbers and driver’s license numbers, this is being called one of the worst breaches of all time. Hackers were able to gain access to the company’s system from mid-May to July by exploiting a weak point in website software. The breach was discovered by Equifax on July 29, 2017 and at that time, they sought assistance from an outside forensics firm. Other compromised data is said to include full names, addresses, dates of birth, credit card numbers, and other personal information.
- Verizon, July 13, 2017: A reported 14 million Verizon subscribers may have been affected by a data breach; this may include anyone who contacted Verizon customer service in the past six months. These records were held on a server that was controlled by Israel based Nice Systems. The data breach was discovered by Chris Vickery, who is with the security firm, UpGuard. He informed Verizon of the data exposure in late-June, and it took more than a week to secure the breached data. The actual data that was obtained were log files that became generated when customers of Verizon contacted the company via phone.
- Kmart, May 31, 2017: Sears Holdings, the parent company of Kmart, revealed that Kmart’s store payment systems were infected with malware, but Kmart.com and Sears shoppers were not impacted by this breach. The malicious code has been removed, but the company has not shared how long the payment system was under attack and how many stores were affected. No personal identifying information was compromised, but certain credit card numbers may have been.
And on Oct 3, 2017 we learned that Yahoo announced that the huge data breach in August 2013 affected every user on its service — that’s all three billion user accounts and up from the initial one billion figure Yahoo initially reported.
These data breach lists always elicit a “gee whiz, that’s amazing,” response. But what really matters is: Why? Why was there a breach with 1 million or even 100 records? What was the root cause?
I always like to cite the Verizon Data Breach Investigations report which states the following for 2017:
- 75% of breaches were perpetrated by outsiders
- 62% featured hacking
- 81 % leveraged stolen or weak passwords
- 51% included malware
- 24% of the victims were financial institutions
- 66% of malware was distributed via infected email attachments
- 61% of the data breach victims in this year’s report are businesses with under 1,000 employees
- 95% of phishing attacks that led to a breach were followed by some sort of software installation
So, computer security is very complex and always involves the human element.
We still see that many intrusions start with malicious attachments aimed at the human element. In “The security perimeter needs to use one of its most crucial resources: human sensors,” I stressed the fact that behind every online connected computer is a human, collecting intelligence about the pop ups, the emails, the attachments, the system performance.
People are the users of all this technology and it’s often their daily decisions that can make a big difference. Should I share this file via email without encryption? Should I encrypt this data on my local drive? Is it being backed up? What is the data classification of the data I work with daily? Is that email from a company employee? Why are they asking for this information? Why did they send a Zip or Exe file? All red flags for scammers and cyber criminals.
I want to share a few great resources with you now that were worth mentioning. I recently met Ted Koppel at a security conference, he is a gifted journalist something that’s rare in today’s world, he spoke about how long it took to do a story of the Viet Nam war during the war. They filmed the story and filed the report. It was not live. They had to drive up a mountain road and get the film to the production crew. It had to be flown to the states, it had to be edited. None of this instant, no chance of instant online fake news here, where they post to get immediate gratification and learn how wrong they were later. Anyway I read Teds book “Lights Out” This is an excellent book on just how vulnerable our Power Grid is. It’s a fascinating read written by one of the worlds most gifted journalists. You don’t have to be a Technology expert to read and love this book.
I’m also now reading Thank You for Being Late, by Thomas Friedman, a fascinating book about just how fast technology is moving. It really started taking off in 2007. The book discusses the evolution of Airbnb and Uber, two highly successful companies born in the past 10 years.
Airbnb, founded in 2008, is one of the world’s biggest hotels – and they own no hotels. The same for Uber. Founded in 2009, the world’s largest cab company owns no cabs! The book addresses these fast-paced technological changes and how we might begin to cope with it. The iPhone started in 2007 as well! Then look at what Google did with Android!
This is all amazing to me as I started out in 1982 with a Sinclair Z80 computer kit for $99. I added a 300-baud modem and a green screen monitor, and I was online without a browser then. It used cassettes to load programs.
I give my father credit for my career, he was an electronic engineer for RCA, for the space program in 1958. He inspired me to get into technology at the age of 9. I would stumble into his garage filled with piles of electronic devices, components and amplifiers. Ted Grachis passed away in 1997, but the memories he left me that later inspired me into my career in technology is priceless.
And finally, I’m reading Advanced Persistent Security by Ira Winkler and Araceli Treu Gomes. Most of are aware of advanced persistent threats. Well, this book is the answer to that problem…and much more. It provides insights from these two seasoned professionals on advanced counter measures for reducing the risk of a data breach or any data loss. We know there is no such thing as 100% security but with protective, detective and reaction, you’re highly likely to stop the exfiltration of valuable company assets.
Here’s wishing all my readers a restful, joyful, peaceful holiday season.