Lessons Learned: The Cautionary Tales Of Enterprise Cyber-Attacks
Quick Tips And Strategies For Thwarting A Data Breach
Reflecting on the past 12 months of enterprise cyber security incidents, there was no single attack vector and no one-size-fits-all security solution. We compiled the most common attacks faced by organizations, along with the tips, tricks and strategies for thwarting a data breach.
Strengthening Security Against Credential Stuffing Attacks
Millions of user logins are available for purchase on the dark web. These collections are not limited to recent data breaches; they also contain logins for older sites that many users no longer visit but where they still hold an active account. Credential stuffing is a serious and growing problem for high-traffic sites, including banking and e-commerce.
According to advice from Trend Micro, here are some ways to strengthen security against credential stuffing attacks:
- Practice good password hygiene. Avoid reusing the same email and password combination for multiple online accounts, and change your access credentials frequently.
- Enable two-factor authentication (2FA) whenever possible. Layered protection is always better than single access authentication.
- Observe your network traffic and systems. A significant increase in network requests, access attempts or slowdowns may indicate an attack. Run security software to find and remove any malware infection.
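The stolen login collections described above are exactly what a breached-password check screens for: before accepting a password at registration or reset, the application asks whether that password has already appeared in a known breach corpus, which also covers the HaveIBeenPwned recommendation made later in this article. The following is an added example, not code from the article or from Trend Micro, of the k-anonymity range lookup that Troy Hunt's Pwned Passwords API uses: only the first five hex characters of the password's SHA-1 hash leave the client, and the match against the returned suffixes happens locally. The breach counts and the offline fetcher are constructed for the example; the live fetcher is included for reference only.

```python
import hashlib
import urllib.request
from typing import Callable

MIN_LENGTH = 10        # floor recommended in the password spraying section below
PREFERRED_LENGTH = 16  # preferred length from the same section

# Constructed stand-in for the breach corpus; these counts are NOT real data.
_FAKE_BREACH_COUNTS = {"password123": 123456, "Summer2019!": 42, "letmein": 9000}


def sha1_upper(password: str) -> str:
    """Pwned Passwords indexes uppercase hex SHA-1 digests of the raw password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_fetcher(prefix: str) -> str:
    """Offline simulation of GET /range/{prefix}: 'SUFFIX:COUNT' lines, one per
    corpus hash that shares the 5-character prefix. Constructed for this example."""
    lines = []
    for pw, count in _FAKE_BREACH_COUNTS.items():
        digest = sha1_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    # A real range response always carries hundreds of unrelated suffixes; pad
    # with one constructed suffix so the caller cannot infer a hit from emptiness.
    lines.append("F" * 35 + ":1")
    return "\r\n".join(lines)


def live_range_fetcher(prefix: str) -> str:
    """Real k-anonymity lookup against api.pwnedpasswords.com (needs network)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetcher: Callable[[str], str] = fake_range_fetcher) -> int:
    """Return how often the password appears in the corpus (0 if never seen).
    Only the 5-character hash prefix is sent; the suffix comparison is local."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetcher(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def evaluate_password(password: str, fetcher: Callable[[str], str] = fake_range_fetcher) -> dict:
    """Apply the length policy and the breach check; reject on either hard failure."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    elif len(password) < PREFERRED_LENGTH:
        findings.append("below_preferred_length")  # advisory only
    count = breach_count(password, fetcher)
    if count:
        findings.append("seen_in_breach")
    rejected = "too_short" in findings or "seen_in_breach" in findings
    return {"rejected": rejected, "breach_count": count, "findings": findings}


if __name__ == "__main__":
    for candidate in ("password123", "short", "a-long-unique-passphrase-2024"):
        print(candidate, evaluate_password(candidate))
```

Swap in `live_range_fetcher` to query the real service; the evaluation logic does not change, and the password itself never leaves the host in either mode.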
Brand And Executive Impersonation
With bad actors shifting their attacks from critical system and network infrastructure to the workers who have access to sensitive company data and financial controls, perimeter security is quickly being outmoded by personalized phishing and whaling attacks on employees. Machine learning is getting into the act as well, with voice impersonations of key executives requesting the release of funds.
Since there are so few indicators alerting the security team to a phishing attack, security awareness training is one of the most successful methods of getting the word out to the workforce. Reviewing and amending access controls for groups that have access to company information, together with additional training for those groups, is also a good way to focus remediation of these attacks.
For an external-facing user base, customers should be exceptionally vigilant regarding any communications from people claiming to represent a brand, its subsidiaries or an executive. There is no way to know for sure, but attackers could use customer data obtained in one breach to orchestrate further phishing attempts.
Third-Party Security Posture & Insider Threats
An organization’s security team has a clear charter to protect its systems, data and workforce. But how well does InfoSec extend the security posture to its service providers and partners?
Data breaches due to mismanagement of third-party information have occurred for years, but only recently have organizations begun looking at ways to address third-party risk management. The problem extends not only to hosted data services but also to access to information and systems by employees of the partner company.
The situation exposes a potential vulnerability for companies that rely on contractors for technical work, giving outsiders broad access to sensitive internal documents with little oversight in the process. It also raises questions about how technicians hired to support the computer system of one corporation were able to gather information from employee emails.
In the Walmart email breach of 2019, an insider threat at a third-party supplier tested this exact scenario. “Companies with an extensive communications network like ours require the support of different partners and a high level of trust,” Walmart spokesman, Randy Hargrove, told the New York Times. “We relied on this vendor but their personnel abused their access and we want those responsible to be held accountable.”
Ensuring Your Database Is Secured
Basic security measures must be taken to protect company and employee data. Security researchers Rotem and Locar recommend the following three steps regardless of your organization’s size or security program maturity:
- Secure your servers
- Implement proper access controls to restrict who can interact with data
- Remove the open internet access for systems that do not require authentication
Avoiding Password Spraying Attacks
Here are 6 key learnings every enterprise should apply to avoid becoming part of a password spraying cyber-attack:
- Use strong passwords: create a password of no fewer than 10 characters, and preferably 16; avoid common phrases, your name, nickname or address. Always use a unique password, never reuse one and never store passwords in your browser.
- The NCSC advises firms to configure protective monitoring over externally-reachable authentication endpoints to look for password spraying attacks and enforce multi-factor authentication on externally-reachable authentication endpoints.
- Encourage checks of common passwords through Troy Hunt’s HaveIBeenPwned password checker, or other free or commercial tools.
- Consider using two or multi-factor authentication.
- Perform a routine systems check to make sure there aren't any easy access points, back doors or areas where privileges could be escalated.
- Check to make sure hackers haven’t added any additional user accounts.
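The protective monitoring the NCSC recommends above, and the traffic observation advised in the credential stuffing section earlier, both come down to the same analysis over the authentication log of an externally reachable endpoint. The following is an added example, not code from the article, the NCSC or Trend Micro, that runs that analysis over constructed sample log lines. The log format, field names, the tumbling 10-minute window and the thresholds are all assumptions chosen for the example. It separates the two patterns by failure reason: a source producing many failures for accounts that do not exist looks like a leaked list from other sites being replayed (credential stuffing), while a source touching many valid accounts with only one or two bad-password attempts each, staying under lockout thresholds, looks like spraying. It also flags a window whose failure volume exceeds a baseline, the surge the earlier section tells you to watch for.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (not from the article or any real system).
# Addresses are RFC 5737 documentation ranges; the line format is an assumption.
SAMPLE_LOG = """\
2024-03-04T10:00:01Z login result=failure reason=unknown_user src=203.0.113.5 user=jdoe88@example.net
2024-03-04T10:00:02Z login result=failure reason=unknown_user src=203.0.113.5 user=mlopez@example.org
2024-03-04T10:00:02Z login result=failure reason=bad_password src=203.0.113.5 user=alice
2024-03-04T10:00:03Z login result=failure reason=unknown_user src=203.0.113.5 user=kwong77@example.net
2024-03-04T10:00:04Z login result=failure reason=unknown_user src=203.0.113.5 user=sara.k@example.com
2024-03-04T10:00:04Z login result=failure reason=bad_password src=203.0.113.5 user=bob
2024-03-04T10:00:05Z login result=failure reason=unknown_user src=203.0.113.5 user=tnguyen@example.org
2024-03-04T10:00:06Z login result=failure reason=unknown_user src=203.0.113.5 user=pat.r@example.net
2024-03-04T10:00:06Z login result=failure reason=bad_password src=203.0.113.5 user=carol
2024-03-04T10:00:07Z login result=failure reason=unknown_user src=203.0.113.5 user=rgreen@example.com
2024-03-04T10:01:10Z login result=failure reason=bad_password src=198.51.100.7 user=alice
2024-03-04T10:02:15Z login result=failure reason=bad_password src=198.51.100.7 user=bob
2024-03-04T10:03:20Z login result=failure reason=bad_password src=198.51.100.7 user=carol
2024-03-04T10:04:25Z login result=failure reason=bad_password src=198.51.100.7 user=dave
2024-03-04T10:05:30Z login result=failure reason=bad_password src=198.51.100.7 user=erin
2024-03-04T10:06:35Z login result=failure reason=bad_password src=198.51.100.7 user=frank
2024-03-04T10:07:00Z login result=failure reason=bad_password src=192.0.2.10 user=grace
2024-03-04T10:07:09Z login result=failure reason=bad_password src=192.0.2.10 user=grace
2024-03-04T10:07:20Z login result=success src=192.0.2.10 user=grace
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>\w+)(?: reason=(?P<reason>\w+))?"
    r" src=(?P<src>[\d.]+) user=(?P<user>\S+)$"
)


def parse(text: str) -> list:
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def detect(events, window=timedelta(minutes=10), stuffing_min_attempts=8,
           stuffing_unknown_ratio=0.5, spray_min_accounts=5, spray_max_per_account=2,
           baseline_failures=5) -> dict:
    """Bucket events into tumbling windows and apply three rules per window."""
    secs = window.total_seconds()
    by_bucket = defaultdict(list)
    for e in events:
        by_bucket[int(e["ts"].timestamp() // secs)].append(e)

    stuffing, spraying, spikes = set(), set(), []
    for bucket, evs in sorted(by_bucket.items()):
        failures = [e for e in evs if e["result"] == "failure"]
        if len(failures) > baseline_failures:  # the surge the article says to watch for
            start = datetime.fromtimestamp(bucket * secs, tz=timezone.utc).isoformat()
            spikes.append((start, len(failures)))

        by_src = defaultdict(list)
        for e in failures:
            by_src[e["src"]].append(e)
        for src, fails in by_src.items():
            # Credential stuffing: high volume, mostly accounts this site has never had.
            unknown = sum(1 for e in fails if e["reason"] == "unknown_user")
            if len(fails) >= stuffing_min_attempts and unknown / len(fails) >= stuffing_unknown_ratio:
                stuffing.add(src)
            # Password spraying: many valid accounts, none hammered past the lockout threshold.
            per_account = defaultdict(int)
            for e in fails:
                if e["reason"] == "bad_password":
                    per_account[e["user"]] += 1
            if (len(per_account) >= spray_min_accounts
                    and all(n <= spray_max_per_account for n in per_account.values())):
                spraying.add(src)

    return {"credential_stuffing": sorted(stuffing),
            "password_spraying": sorted(spraying),
            "volume_spike": spikes}


def analyze(text: str) -> dict:
    return detect(parse(text))


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_LOG).items():
        print(f"{rule}: {hits}")
```

The lone user who mistypes twice and then succeeds (192.0.2.10 in the sample) trips none of the rules, which is the false-positive case any such monitor has to tolerate. In production the thresholds would be tuned against the endpoint's normal failure rate, and a distributed spray that rotates source addresses would additionally need the per-account tally computed across all sources in the window rather than per source.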
Incident Response And Remediation
As part of the data incident disclosure process, a company will initiate an investigation into the breach, often bringing in cyber security experts from outside firms to consult with the organization. Being able to demonstrate that the cause of the incident has been remediated is also part of the disclosure process.
Data privacy concerns are amplified where PII is at risk of exposure. Industries have not shown the ability to self-regulate, which has led to legislation. The member states of the European Union (EU) enacted privacy laws in May 2018. Enforcement of California's CCPA, a similar opt-out law, began in 2020. Several additional state bills and multiple U.S. federal bills have been drafted to protect PII and penalize offenders.
A cyber security incident cannot be predicted given the broad variety of threat vectors, but organizations can prepare for the unknown. Where could an attack originate, and what data is at risk? One thing organizations that successfully navigated a data breach have in common is recognizing that PII should be stored separately from the customer-facing portal. Creating this kind of logical and physical separation helps limit the amount and type of data exposed when an attack occurs.