Data Security – Anatomy of a Data Breach
Exfiltration – A breach by any other name
When data is "released", that is, taken from a database system without the knowledge or consent of its owner, this is known as an exfiltration of data, more commonly called a data breach. The targeted data resides on an organization's network and is proprietary in nature. This sensitive data may be confidential and/or invaluable to a company. Theft of this information by an external party may cause great harm to the company by compromising personally identifiable information (PII), customer data, trade secrets and the like. For the record, data breaches can be either malicious in nature or can occur accidentally.
Steps to a data breach
Phase 1 – Reconnaissance
The first phase involves the hackers learning all they can about their intended target and how best to attack the network. The hackers will begin by scanning all externally available resources the target company's enterprise uses. While hackers are starting to move away from SQL injection and network-based methods, this does not mean those methods aren't still used as part of a larger ecosystem of hacking tools and techniques.
Top Six database attack techniques:
- Brute force cracking of weak or default usernames/passwords
- Privilege escalation (a user having greater privileges than they should have)
- Exploiting unused database services and functionality
- Targeting unpatched database vulnerabilities
- SQL injection
- Stolen backup tapes (unencrypted preferred)
Social engineering begins in this phase as well. Anyone and everyone connected to the company will be researched, including employees, customers, vendors and partners. For this purpose, blanket phishing emails will be sent. Spear-phishing emails will be focused on executives and other high-value targets that have been identified.
Phase 2 – Infiltration
Humans are not perfect, and hackers know this. It is a game of numbers, and given our imperfection it will only be a matter of time before someone somewhere connected to the company clicks the wrong link, leaves a device unattended, attaches an infected USB device, etc.
This could set off a series of events, for example the downloading of malware onto a computer that may compromise an admin account. The hackers will test the limits of what that admin account can reach on enterprise resources, and/or install exploit software on one or more servers and begin major scanning of the organization's networks.
Phase 3 – Exploitation
The hackers have now made a new home for themselves at this stage and are looking for the best spot to stay and the 'spiciest' information to make use of. This phase will involve using brute force attacks on all admin accounts. Over time they will crack the weakest passwords first, gaining more and more access as they move along. At a certain point, new admin accounts under the control of the hackers will be created with increased access levels as they gain a greater foothold on network controls.
Phase 4 – Exfiltration
It is in this stage that hackers will download all data they consider important. This could include financial documents, customer or employee data, sales data, product or business roadmaps, proprietary source code, etc. Special attention will also be paid to identifying any encryption keys or software that must also be downloaded in order to decode stolen data that may be protected.
Consequences of a breach
By the time an enterprise becomes aware of the breach and loss of information, the outcome is dire. In many cases it means a loss of business (the impact depends on the size of the business), lawsuits and even regulatory changes brought on by new laws passed in response to the breach or by court decisions. The bottom line here is that not only the company but also other organizations in the industry may be affected.
The landscape of data breach threats
New is great, new is not great
The adoption of ever newer varieties of software platforms, devices and technologies, and their interactions with each other, while convenient for consumers, poses a potential challenge for business, as exploits may be uncovered in a scenario not yet identified by the software or device architecture teams.
Consumerization, the trend for consumers to emerge as the forefront users of business tools, creates a problem for businesses: keeping those users happy while protecting corporate information and data.
The human element
Whether innocent or willfully negligent, all it takes is one employee to defeat a secure business perimeter design.
- Disgruntled employees willing to do harm to the company
- Lost or stolen devices
- Malware-infected personal (or work) devices on the company network
- Unintentional sharing by employees who unwittingly reveal sensitive information or leave personal details available in public spaces (online sharing, or quite literally post-it notes on a screen with usernames and passwords)
Lessons learned
It is not a question of if as much as it is a question of when an attack will take place. Doing your best as a company to minimize the impact of an attack will help to deflect the impact of a breach or a potential breach. Given that a breach can take up to 229 days to detect, a robust governance policy could help reduce this number significantly.
Putting good processes in place will help. Simple things like a strong password policy and routine password resets would minimize exploits. Detecting suspicious behavior, either by software or through employee training, assists in this area as well. Identifying phishing and spear-phishing emails, as well as software detection of rogue accounts or rogue admin account permissions and requests, can lead to the capture of potential attacks.
Setting up "honey pots", accounts and information used to lure attackers, works well. Your governance system in this area would raise a flag each time a new account was triggered using any of the honey pot information.
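As an added illustration of the detection ideas in the two paragraphs above (brute force against admin accounts, rogue admin account creation or permission grants, and honey pot accounts), here is a small Python example that is not part of the original article. It runs three simple rules over constructed sample audit log lines in an assumed "timestamp event user= src= [target=] [role=]" format; the account names, IP addresses, role names and the failure threshold are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication/audit log lines (not from any real system).
# Assumed format: "<timestamp> <event> user=<name> src=<ip> [target=<name>] [role=<role>]"
SAMPLE_LOG = """\
2024-03-01T09:00:01Z LOGIN_FAIL user=admin src=203.0.113.5
2024-03-01T09:00:02Z LOGIN_FAIL user=admin src=203.0.113.5
2024-03-01T09:00:03Z LOGIN_FAIL user=admin src=203.0.113.5
2024-03-01T09:00:04Z LOGIN_FAIL user=admin src=203.0.113.5
2024-03-01T09:00:05Z LOGIN_FAIL user=admin src=203.0.113.5
2024-03-01T09:00:06Z LOGIN_OK user=admin src=203.0.113.5
2024-03-01T09:01:10Z LOGIN_OK user=jsmith src=10.0.0.12
2024-03-01T09:05:00Z LOGIN_FAIL user=svc_backup_legacy src=203.0.113.5
2024-03-01T09:07:30Z USER_CREATE user=admin src=203.0.113.5 target=sysops2 role=administrator
2024-03-01T09:08:00Z ROLE_GRANT user=admin src=203.0.113.5 target=jsmith role=dba
"""

# Honey pot accounts (hypothetical names): nothing legitimate ever uses them,
# so any reference to one is a flag in its own right.
HONEYPOT_ACCOUNTS = {"svc_backup_legacy", "finance_share_admin"}

# Number of consecutive failures from one source against one account that
# counts as a brute-force attempt (assumed threshold for the example).
BRUTE_FORCE_THRESHOLD = 5

# Roles whose creation or grant should always be reviewed (hypothetical names).
PRIVILEGED_ROLES = {"administrator", "dba", "domain_admin"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>[A-Z_]+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)"
    r"(?:\s+target=(?P<target>\S+))?(?:\s+role=(?P<role>\S+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text):
    """Run the three rules over the log text and return a list of (rule, detail) alerts."""
    alerts = []
    fails = defaultdict(int)  # (src, user) -> consecutive failed logins
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # unparseable line; a real pipeline would count these too
        user, src, event = ev["user"], ev["src"], ev["event"]

        # Rule 1: any event touching a honey pot account, as actor or as target.
        if user in HONEYPOT_ACCOUNTS or ev.get("target") in HONEYPOT_ACCOUNTS:
            alerts.append(("honeypot", f"{ev['ts']} {event} touching honey pot account from {src}"))

        # Rule 2: repeated failures, and a success that follows them (cracked password).
        if event == "LOGIN_FAIL":
            fails[(src, user)] += 1
            if fails[(src, user)] == BRUTE_FORCE_THRESHOLD:
                alerts.append(("brute_force", f"{BRUTE_FORCE_THRESHOLD} failures for {user} from {src}"))
        elif event == "LOGIN_OK":
            if fails[(src, user)] >= BRUTE_FORCE_THRESHOLD:
                alerts.append(("brute_force_success",
                               f"{user} logged in from {src} after {fails[(src, user)]} failures"))
            fails[(src, user)] = 0  # a success resets the run of failures

        # Rule 3: a new account or role grant that confers a privileged role.
        if event in ("USER_CREATE", "ROLE_GRANT") and ev.get("role") in PRIVILEGED_ROLES:
            alerts.append(("rogue_admin", f"{event} by {user}: {ev['target']} -> {ev['role']}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

On the sample lines the script raises five alerts: the fifth failure against "admin", the successful login right after it, the touch on the honey pot account, and the two privileged grants. The honey pot rule deliberately fires on failed logins as well as successful ones, since the whole point of such an account is that nobody should be trying it at all.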
Summary
Above all, it is important to use an integrated approach to data security. Identity governance, data access governance, network security, and user behavior training and analysis, rolled into a single security platform, would be great places to start.
Once these areas are administered diligently and maintained regularly, an organization can mitigate the risk of data breaches and keep secure the data it needs to succeed.