Trusted Internet Blog

What is a Data Breach?

Posted by Jeff Stutzman, Founder | May 11, 2019, 1:38:38 PM

What is a data breach?

According to CBR Online, 4.5 billion records were compromised in data breaches within the first 6 months of 2018. In comparison, there are only about 7.5 billion people living on the planet.

What is a data breach and why should you care about it?

A data breach refers to the act of obtaining someone's sensitive information from the internet without authorization.

This information could be your passwords, sensitive media, PIN, credit card numbers, license numbers, software access to your company; virtually any piece of information that you’ve stored on the internet.

This information is then used for blackmailing purposes or sold on the dark web.

Data breaches occur on almost a daily basis. Last year Hackmegeddon (one of my favorite stats sites) reported 1337 compromises. This is a very small number compared to the global dataset, but it is a strong enough sample for discussion purposes.

What exactly is a data breach? Think Equifax, OPM, Target, and hundreds (thousands) more just like them that never hit the news. A data breach occurs when a cyber-criminal successfully breaches a data source and extracts information: privacy information, identities, intellectual property, and so on. It can happen physically, by accessing a computer directly, or over the net, by bypassing security remotely and stealing what's desired. "Hacking" into the computer remotely is largely the preferred choice, although insider threats (think WikiLeaks or Edward Snowden) are not uncommon.

Figure 1 shows the volume of reports to Hackmegeddon during 2018:

Figure 1: Hackmegeddon 2018

What does a data breach look like?

Figure 2 below is one record identified by Wapack Labs in a keylogger sinkhole. What's a sinkhole? That's a conversation for another time. For now, you can see that this keylogger stole the user name and password (I redacted both for this blog). The keylogger stole the email account credentials and sent them to an attacker-controlled email account (labeled 'attacker_server'). Wapack Labs has recorded over 60,000 stolen accounts in the last 90 days, resulting from keyloggers used to infect unsuspecting users.

Figure 2: One record (redacted)

Are you a victim? If you'd like to search for your domain or IP address, Threat Recon will show you whether you've been infected with information-stealing botnets. It's one of my favorite tools. My second favorite is the full dataset in the backend, but Threat Recon is easy.
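To make the sinkhole record and the "search for your domain" check concrete, here is an added example (not Wapack Labs' or Threat Recon's code). The pipe-delimited record layout and the sample lines are constructed for this example; they carry the fields the post describes (stolen user name, password, attacker mailbox) but are not the real sinkhole format. The code parses a feed, redacts credentials before they are displayed, counts distinct stolen accounts, and answers the defender's question of which accounts in a given domain appear in the data.

```python
"""Triage of keylogger sinkhole records (added example, constructed format)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Constructed sample feed: seen|victim|password|attacker_server|family.
# The last line is deliberately malformed to show that bad lines are skipped.
SAMPLE_RECORDS = """\
2019-04-02T08:11:09Z|alice@example.com|hunter2|drop01@mail.attacker.invalid|HawkEye
2019-04-02T09:45:51Z|bob@example.com|Passw0rd!|drop01@mail.attacker.invalid|HawkEye
2019-04-03T14:02:33Z|carol@corp.example.org|letmein|logs@relay.attacker.invalid|Agent Tesla
2019-04-05T22:17:40Z|alice@example.com|hunter2|drop01@mail.attacker.invalid|HawkEye
malformed line without separators
"""


@dataclass(frozen=True)
class StolenCredential:
    seen: str             # when the sinkhole captured the exfiltrated message
    victim: str           # stolen account (email address)
    password: str         # stolen password, cleartext as the keylogger sent it
    attacker_server: str  # mailbox the keylogger delivered the loot to
    family: str           # malware family label assigned by the analyst

    @property
    def victim_domain(self) -> str:
        return self.victim.rsplit("@", 1)[-1].lower()


def parse_records(text: str) -> list[StolenCredential]:
    """Parse pipe-delimited records; lines without exactly five fields are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        records.append(StolenCredential(*parts))
    return records


def redact(cred: StolenCredential) -> StolenCredential:
    """Mask the account's local part and the whole password before the record
    is shown in a report, as the post does for its screenshot."""
    local, _, domain = cred.victim.partition("@")
    masked_user = (local[0] + "***@" + domain) if local and domain else "***"
    return StolenCredential(cred.seen, masked_user, "********",
                            cred.attacker_server, cred.family)


def unique_accounts(creds: list[StolenCredential]) -> int:
    """Distinct stolen accounts; the same victim often shows up on several days."""
    return len({c.victim.lower() for c in creds})


def accounts_for_domain(creds: list[StolenCredential], domain: str) -> set[str]:
    """The 'is my domain in the data?' check: every stolen account under `domain`."""
    return {c.victim for c in creds if c.victim_domain == domain.lower()}


def top_attacker_servers(creds: list[StolenCredential], n: int = 3) -> list[tuple[str, int]]:
    """Drop mailboxes ranked by how many records they received; useful for blocking."""
    return Counter(c.attacker_server for c in creds).most_common(n)


if __name__ == "__main__":
    creds = parse_records(SAMPLE_RECORDS)
    print("records parsed:", len(creds), "distinct accounts:", unique_accounts(creds))
    print("example.com victims:", sorted(accounts_for_domain(creds, "example.com")))
    print("busiest drop mailboxes:", top_attacker_servers(creds))
    for c in creds:
        print(redact(c))
```

The redaction step is deliberately applied at display time rather than at parse time, so the unredacted records can still be matched against a customer's account list before anything is written to a report.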

Who's targeted?

I'm going to turn again to Hackmegeddon. The overwhelmingly favored targets are individuals. Why? They're easy: old computers, old operating systems, no anti-virus, no security in the home (your cable box isn't security; again, trust me. I'll post another blog on this later).

Figure: Hackmegeddon 2018 targets

Data breaches come in all shapes and sizes. We're going to cover "What you can do about it" for both home users and businesses.


How do data breaches occur?

As you surf the internet, you leave bits of your identity behind in the form of digital footprints. Usernames, passwords, unencrypted communications with websites, invisible tools loaded on your computers, phishing, spam, and adware tools are all used to steal information about you.

Companies lose data to successful phishing attacks, poor authentication management (i.e., simple passwords), lack of essential system maintenance (keeping patches up to date), or simply not paying attention to even the most basic security requirements for the information they store.

At the more advanced levels, state-sponsored data breaches occur when intellectual property is stolen for economic or government-sponsored espionage. Did you know that most countries in the world employ cyber espionage for commercial advantage? The second oldest profession, used for competitive advantage? Say it isn't so!

Data breaches are far more common than you’d think.

Many data breaches are in the news. Most are not.

Imagine that you subscribe to a website via email. When you subscribe, if the site doesn't show the "padlock" symbol indicating that the connection is encrypted, there's a real possibility that the username and password you used to subscribe were copied somewhere along the way, on one of the servers you traversed on your way to that favorite website. It's as simple as that.

Have you ever noticed that as you surf the internet, you often click on a page and get redirected to an irritatingly suspicious website? Those irritating websites might be downloading spyware, keyloggers, or information stealers to your computer.

On the company side of the story, I had an old boss (a smart old guy) who used to tell our government customers, "There are 400 things that your security guys need to do every single minute of every single day. If you miss even one, you'll be compromised." Is it true? Pretty much. It's the reason information security is hard. This stuff is automated. In the time you take to grab a coffee, your network can be scanned (yep, even the big networks). That scan might show what's online right now, or it might show what's online plus what's open for exploitation, and then the network gets compromised, all in a matter of minutes. Everything from computers to physical security surveillance systems to nuclear power plants: they all have bugs. Many are unknown. Automated tools can find them, and exploit them quickly.

Equifax got hacked because they missed deploying a patch, and follow-up vulnerability scans didn't show it. Target got hacked because their unprotected heating, ventilation, and A/C (HVAC) controller system was connected to their company network.

What about advanced persistent threat? I participated in hacks where entire virtual networks were put into slack space in our own infrastructure, and within minutes after changing a firewall rule, we’d find it turned back.

Mobile phones, pads, cloud computing, virtualization, and a lack of basic security knowledge (and now the inability of most people to hire qualified talent) have all contributed to the daily barrage of data breach stories in the New York Times.

IBM released a report in 2018 which stated that the average cost of a data breach to a company is a staggering $3.86 million. Insurance companies are requiring more and more security and, in fact, may not pay claims if you're hacked and have taken security lightly. Unless you have that sort of cash lying in the drawer, you'd want to avoid a data breach altogether.

Here are a few things you need to know

Nobody says this is easy, but these are common ways companies get hacked, and users lose their identities.

  • STOP USING PASSWORDS - According to Trace Security, 81% of company data breaches occur just because of weak passwords. By having an insecure password, you just make it that much easier for a hacker to get hold of all your data. Two-factor authentication is a requirement. Most e-commerce websites now offer some kind of two-step login. There is no excuse for not using it. Almost every bank account that I use has a two-step login process: enter a username and password, then receive a code on my phone. Is it perfect? No. Is it good? Absolutely. Should you demand it of your own bank? Yes.
  • Use an email system that scans for phishing and spam - Retruster reports that 9 out of every 10 data breaches occur through this method. Phishing is usually conducted through email, where the sender asks for your credit card, PIN, or some other information as part of a digital scam. If you're a home user of web-based email, use one that protects you from phishing and spam. Google, Office 365, and iCloud all have mechanisms for scanning emails for badness. Yahoo, AOL, and many others lack these basic features. Be leery. Smaller email providers generally do nothing to protect you. Stop using them.
  • Use anti-virus or a robust endpoint client - Malware is short for "malicious software," which is often automatically downloaded onto your operating system as you surf the internet. Once downloaded, malware could potentially have access to all the information on your device. Many antivirus companies simply don't cut it. Sophos, ESET, and FortiClient are good options. There are some strong corporate endpoint options: Cylance, CrowdStrike Falcon, Endgame, and Sophos Intercept X. They'd kill me if they knew I said this (they're actually much more), but for the sake of explanation, think of these as next-generation AV offering remote troubleshooting tools, the ability to kill off malware during installation, and on-the-fly forensics.
  • Turn on auto-update - Ever noticed how apps and operating systems release an updated software version every few months? These updates often contain security fixes for vulnerabilities that have been found. From Patch Tuesday for Windows to AT&T updates on my own mobile, as much as I hate the interruption during my day, I allow auto-updates and take a coffee break while they load. Companies generally have enterprise processes for patch management and updates. Some are better than others, but patching is a requirement for safety.
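The first item above describes the two-step login ("enter a username/password and then receive a code on my phone") without showing what the code is. The following is an added example, not the post's code or any bank's implementation: a minimal RFC 6238 time-based one-time password (TOTP) generator and verifier, the same scheme authenticator apps use, wired into a two-step login over a constructed user store. The password is stored as a salted PBKDF2 hash; the RFC's published SHA-1 test secret is used so the codes can be checked against the standard's own vectors. The user names, passwords and timestamps are constructed for the example.

```python
"""Two-step login with a time-based one-time code (RFC 6238 TOTP).

Added example: the server stores a per-user secret, derives a short code
from the current 30-second window, and accepts the login only if both the
password and the code match. User records here are constructed.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 of the big-endian counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second windows since the epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current window and `window` neighbours on each
    side, tolerating clock drift between phone and server. Constant-time
    comparison so a timing difference never reveals which digits matched."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps exchange the secret as base32; strip spaces, pad, decode."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


# --- Minimal two-step login over a constructed user store ------------------

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted password hash plus the enrolled TOTP secret."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": _hash_password(password, salt),
            "totp_secret": totp_secret}


def login(user: dict, password: str, code: str, at: int) -> bool:
    """Both factors must pass; a correct password alone is never enough."""
    pw_ok = hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, at)
    return pw_ok and code_ok


# RFC 6238 reference secret for the SHA-1 test vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    user = make_user("correct horse battery staple", RFC_SECRET)
    now = 1111111109  # fixed timestamp from the RFC test vectors, not the real clock
    print("8-digit code for this window:", totp(RFC_SECRET, now, digits=8))
    print("password only:", login(user, "correct horse battery staple", "000000", now))
    print("both factors :", login(user, "correct horse battery staple", totp(RFC_SECRET, now), now))
```

In production the `at` argument is the server's clock, the secret is generated per user with `os.urandom` and shown once as a QR code, and a used code is recorded so it cannot be replayed within the same window; those pieces are left out to keep the mechanism visible.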

People might tell you that avoiding a data breach is as simple as having strong, varied passwords for your digital accounts, but hackers are smarter than you'd think. When data breaches can occur in companies like T-Mobile, Quora, and Google, all within the same year, let's just say that avoiding data breaches on your own isn't much of a choice.

What you need is to act and install high-tech systems for your online security. This often becomes a make-or-buy decision, and it's not easy, until you've had your crisis. Then it becomes easy.

Written by Jeff Stutzman, Founder

Mr. Stutzman personally operates as the CISO to the head coach of an NBA team, a $3.5 billion Houston oil and gas engineering and services company, a northern Virginia physical security company, and Wall Street CEO while supervising Virtual CISOs responsible for protecting executive homes and their companies around the world. He has been cited in the Wall Street Journal, Wired Magazine, NH Public Radio, and numerous trade publications. He holds a BS from Excelsior College, an MBA from Worcester Polytechnic Institute, and is a Harvard Kennedy School Senior Executive Fellow.