Data is often cited as the most important asset an organization holds. It can be argued that data, in its many varied forms, constitutes the quintessential element an organization needs to survive and thrive. We are not talking just about data that is directly related to money, such as financial data or banking details, but also data that falls under the category of intellectual property (especially trade secrets).
More recently, the General Data Protection Regulation (GDPR) and the increase in the 'dissuasive' nature of the fines that can be imposed under the regulation has resulted in organizations paying more attention to the way they handle personal data and keep it secure.
However, it is not an easy task given the relative ease to perform some of the attacks and the disproportionate effort that organizations require to establish and maintain a healthy data protection scheme.
Getting hold of personal data is high on an attackers' list of priorities due to its versatility: a malicious actor can use personal data to either exploit it directly or as the base to launch further attacks. Take a look at the four uses of PII by attackers below:
Lateral escalation to gain access to an account with higher administrative privileges, social engineering, and phishing attacks rely heavily on finding as much personal data as possible on the victim or individuals associated with the victim.
Depending on the data elements involved and the total volume present, this can be quite a lucrative avenue. Typically sold in bulk, a single set of credit card data can fetch $14-30.
Attackers can use the data stolen or illegally purchased for identity fraud, oftentimes opening bank accounts under the name of the victim, or forging driving licences, passports and other official documents. Here, the profit for the attacker raises considerably, ranging from hundreds to even thousands of dollars per forged document.
One of the attack trends in recent years has been related to ransomware, where PII is encrypted by the attacker, who then demands a ransom to release the key. Without this key, data is rendered unreadable and to all effects lost to the organization. Paying the ransom is no guarantee the attacker will be faithful to their word and often ends up being an extra cost associated with the extortion. Then there is the issue of the money given to the attacker that may well fund other forms of crime.
Traditionally, the classification of threat actors is made with motivation and skill level as the main two parameters. However, for the sake of simplicity, we can place them in the two categories below:
Either infiltrated for malicious purposes, or disgruntled employees seeking to right some perceived wrong. They have gained insider knowledge on operations, and could form part of the IT team, which allows them access to systems and enough permissions to create serious damage. Being trusted within the organization means their actions may come up as a surprise, but often too late.
Externals form the majority of attackers. The distinguishing attribute is that they do not possess authentication credentials, or at least not any gained lawfully. Cyber criminals tend to commit to a life of crime for financial gain. They can create corporations, functioning like a (legitimate) enterprise would: with a CEO, HR, and even a help desk, operating from the Dark Web, and physically located in jurisdictions where cybercrime is not a top-notch concern.
Broadly speaking, both data controllers and data processors are required to implement appropriate technical and organizational measures to protect the personal data they handle, be it from their customers, employees, or suppliers. Where your defensive stance proves inadequate, the repercussions can be quite severe, with legal and regulatory, financial and reputational effects that can alter the viability of your firm in the long run.
Experiencing a data breach is a distressing and resource-intensive event, with the need to notify the relevant supervisory authority and possibly all customers affected. A side effect of a data breach is the impact on the customer base due to reputational loss, with long, lingering effects even after the incident is adequately contained and mitigated.
As attacks are very diverse, the objective is to apply a multi-layered approach as the first line of prevention, where what is not avoided is at least detected as promptly as possible.
Some of the common ways to compromise systems as a prelude to a data breach include:
Here we are talking about:
If an attacker can easily guess or crack passwords, then the accounts under such a system cannot be considered secure. To reduce this risk, password management tools can be deployed in the network, as well as multi-factor authentication (using tokens produced by an app or a separate, dedicated device). Frequent account reviews will ensure accounts are not being created without a business justification, and that no dormant accounts exist.
Limit these to what is strictly necessary and always use whole disk encryption (e.g. Bitlocker).
Email addresses, telephone numbers, the geolocation of your staff members, and much more can be gathered by potential attackers through social media. An effective way is to have a department to be in charge of all the content that gets posted, with strict guidelines to avoid leaking personal data inadvertently.
The classic example is an email sent to some person or organization in error, often due to the auto-fill feature, where several entities have similar names. According to analysis commissioned by the ICO in the UK, human error caused 90% of cyber data breaches in 2019. User education is critical here.
I once had a client that sought assistance with a strange case of a perceived data breach. They could not find indicators of compromise that would lead to the root cause, but were aware customers were raising complaints and raising concerns with the helpdesk asking whether their personal data was being sold. In fact, many customers had reportedly been contacted by third-parties with whom my client was not affiliated, trying to gain their custom towards some purchase.
I tried to ascertain the common elements in those queries, finding that all customers affected formed part of a sub-segment within the customer base. I checked network logs, cookies, pixel technologies, SIEM records… but nothing. The next step was to review account settings as it could have been a case of internal attack. To my surprise, everything seemed fine until I found the account of a former employee who had left a few months ago, but his account had not been disabled. The IT team were adamant they had disabled the account on the same day the person had left the company, as per their JML (Joiners, Movers, Leavers) policy.
With a little more investigation, it became apparent the former employee had exploited a flaw in the process: one day after he left he had phoned the helpdesk asking them to enable his account, claiming he had forgotten his password and the system had enacted the lock-out policy, which needed manual override. Helpdesk sent this request to IT, and the account was enabled, granting the now illegitimate user access to resources, including customer data.
It was clear here that the fault was in the lack of communication: helpdesk had followed their process, relying on the fact that IT would pick up any issues, whereas IT assumed the request was genuine as it came from helpdesk, who would pick any issues.
This example shows how security truly is an orchestrated effort if an organization is to withstand a motivated attacker.
Maintaining security across an organization and protecting the most precious data assets require an understanding of the attackers, what they are trying to accomplish and how. It takes a joint and rigorous effort from part of all employees to keep things afloat.