#dataprotection

What is information security vulnerability and how to fix it?

The database of information security vulnerabilities has grown significantly in recent years. This in turn creates a huge potential for attackers and hackers. Any vulnerability can become a way to implement a successful cyberattack. However, many companies do not pay enough attention to vulnerabilities and do not have a clear strategy for their effective elimination. Often companies use all their resources in the wrong places, that not only does not solve the problem, but also slows down the work of all systems.

A vulnerability is a weak point in a company’s information ecosystem that can be used to attack its cyberspace, IT infrastructure, software applications, and digital assets. Also, vulnerabilities are a «great» tool for a cybercriminal to gain unauthorized access to the system, compromise and steal data. Successful exploitation of vulnerabilities allows a cybercriminal to install malware, run malicious code, and as a result gain access to user accounts and steal data. There are many exploits for vulnerabilities: SQL injection, cross-site scripting (XSS), web shell attacks (code that can control a damaged device) and open-source exploits (a type of malware).

There are several categories of vulnerabilities:

hardware
software vulnerabilities
network
staff vulnerabilities
site vulnerabilities

Vulnerability remediation is the process of finding, eliminating and neutralizing security vulnerabilities in a company’s IT environment (computers, digital assets, networks, web applications, mobile devices, etc.). The eliminating vulnerabilities process consists of several stages.

Remediation is a key step in the vulnerability management process and is critical to protecting networks, preventing data loss, and ensuring business continuity. At this stage, the process of neutralization and/or elimination of active vulnerabilities or security threats takes place. The remediation process helps reduce the chances of data loss, data leaks, DDoS attacks, malware, and phishing. The remediation process is a collaboration between development, risk management, and security teams to determine a cost-effective way to fix vulnerabilities.

Vulnerabilities are addressed using innovative data processing techniques, threat intelligence and automated prediction algorithms. Such techniques help identify vulnerabilities and prioritize each one.

The fix process includes:

finding and/or identifying vulnerabilities – finding errors in software code and configuration, such as incorrect authentication processes and security controls. Checks for new vulnerabilities should be regular. Finding vulnerabilities occurs through scanning and testing applications, systems and networks;
prioritization of vulnerabilities by risk level (from high to low) – identifying and prioritizing each vulnerability according to criteria: risks, scale and complexity of vulnerability elimination;
direct mitigation of vulnerabilities to a minimum or no risk to the system – elimination of weaknesses by correcting errors, updating, improving, removing inactive components;
regular systems, devices and networks monitoring – provide continuous real-time network monitoring and scanning for potential vulnerabilities to quickly respond to them.

You can improve the process of eliminating vulnerabilities by using:

a vulnerability management solution implementation
KPI implementation: overall progress (% of vulnerabilities fixed); efficiency (a measure of success in addressing high-risk vulnerabilities); speed (how quickly vulnerabilities are fixed); performance (time it takes to fix vulnerabilities / estimated net profit or loss);
vulnerability reporting tools usage.

How to protect data from the third-party breaches?

Data breach incidents always have a negative impact on consumer confidence. Now companies often use third parties services, giving a certain part of the tasks for outsourcing. This could be a SaaS vendor, a third-party vendor, or a contractor. Some vendors have robust security standards, risk management practices, and strong data protection. But other of them neglect it. These vendors are often outside the company’s control, making it impossible to obtain transparent information about information security controls.

Having a reliable information security system but using the services of a third-party provider with weak information protection, a company risks becoming a victim of cybercriminals and losing data. Confidential company data may be stolen from a third-party provider, as well as their systems may be used to gain unauthorized access to a company system. Each supplier directly or indirectly affects the company cybersecurity. Third party risk management is an important part of an organization’s risk management strategy.

Third party providers evaluation. Engaging third-party vendors who will have access to the corporate network and sensitive data has certain risks. It’s possible to evaluate potential partners using the security rating. The tool you to quickly assess and understand the external security status of the supplier, as well as what threats it may be exposed to;
Adding risk management clause to the contract. This will not save or prevent data leakage, but providers will be held accountable. It’s also possible to add a requirement for vendors to report or fix any security issues within a specified time period, request a security questionnaire to identify issues;
Inventory of suppliers. It should be studied and determined how much information is provided to each supplier. This will help measure the potential risks posed by the supplier;
Continuous suppliers monitoring for security threats. The supplier’s security level changes during the period of cooperation. Rare audits and security questionnaires show only the state of security at a given time. For a complete understanding, it is necessary to monitor suppliers security level constantly and quickly respond to changes;
Cooperation with suppliers. This will not help to completely exclude and prevent unauthorized access, cyber-attack and security breach. However, it is important to work with vendors to mitigate risk, respond quickly, and fix security issues;
Providing information about risks to management. This allows top-management to understand the risks and their consequences. According to the Ponemon Institute’s «Data Risk in the Third Party Ecosystem» report, 53% of respondents from high-performing organizations reported interacting with the board of directors and executive management. This means that management is aware of the potential risks, as well as the importance of protecting sensitive data and implementing effective information security practices;
Breaking cooperation with unreliable suppliers. In case of a third-party supplier non-compliance with the requirements and the organization’s standards, cyber-attacks should provide for the option of breaking cooperation. In this case, it is necessary to ensure business continuity. Like the introduction of a supplier into the system, its removal is also an important part of third-party risk management;
Measuring third-party providers risks (how quickly they implement multi-factor authentication, information about data exchange with 4 and 5 parties, tracking the process of exchanging confidential information, users who have access to it);
Access control. Leaks also occur due to incorrect provisioning of access. Quite often suppliers have more access than it is necessary for their job. Consider implementing a role-based access control system that operates on the principle of least privilege (POLP).

Cybersecurity importance for modern business

The main modern business task is to ensure reliable data protection. Cybersecurity protects data of all categories from theft and damage: confidential data, personally identifiable information (PII), personal health information (PHI), personal information, intellectual property, data, government and corporate information systems. The absence of a cybersecurity system increases the risk for a company to become a target for cybercriminals.

The global use of cloud services as a repository for sensitive data also increases the risks. Misconfiguration of cloud services and more sophisticated methods of cybercriminals lead to successful cyberattacks and data leaks. Off-the-shelf solutions such as anti-virus software and firewalls are not reliable data protection. Cybercriminals are using smarter tactics and methods that are more resistant to traditional cyber defenses.

Cyber threats can come from any level of an organization. It is important to ensure that staff at all levels are trained in cybersecurity, aware of common cyber threats (social engineering fraud, phishing, ransomware attacks, and other malware to steal intellectual property and/or identity), teach how to recognize them and familiarize them with the action plan when an incident occurs.

Cybersecurity is the state or process of protecting and recovering computer systems, networks, devices and programs from any cyberattack types. The threat to data is high as cybercriminals use new methods based on social engineering and artificial intelligence to bypass traditional data protection methods with ease. Keep data secure by implementing intelligent security solutions combined with strong password policies (for example, multi-factor authentication to prevent unauthorized access).

Modern society is highly dependent on technology, and this trend will only grow. Data that can contribute to major data theft is published on social media accounts, sensitive information (social security number, bank card and account information, etc.) is stored in cloud storage (Dropbox, Google Drive, etc.). Every day, whether a large corporation or an ordinary person uses technology and computer systems. If you compare this with security lack of cloud services, smartphones, the Internet of things, then there are many potential security vulnerabilities that didn’t exist even a few years ago.

The General Data Protection Regulation (GDPR), namely reputational damage and customer liability, has motivated organizations to rethink cybersecurity. According to the GDPR, organizations operating in Europe are required to:

Report a data breach;
Designate a data protection officer;
Require the user’s consent to the processing of information;
Anonymize data for privacy;

In the US, data breach laws are in place and include:

Data breach notification as soon as possible;
Government notice;
Fines payment.

In 2003, California became the first state to regulate data breach disclosures. Victims can sue up to $750 and companies can be fined up to $7,500 per victim.

This, in turn, has contributed to the development of frameworks for understanding security risks better, improving cybersecurity measures, and preventing cyberattacks.

Information theft is the most expensive and fastest growing segment of cybercrime. This is largely driven by the growing disclosure of identifying information on the Internet through cloud services. Also, industrial and government facilities are targeted in order to violate the integrity of data (destruction or modification of data) and to distrust the organization or government.

Social engineering remains the simplest form of cyberattack, and ransomware, phishing, and spyware the easiest method to infiltrate a system. It is important to consider that the attack can be carried out through third parties that use unreliable cybersecurity methods.

According to research, the average cost of cybercrime to an organization has increased by $1.4 million over the past year, and the average number of data breaches has increased by 11%.

Factors contributing to cybercrime growth:

Distributed Internet;
The ability of cybercriminals to attack targets outside their jurisdiction, which greatly complicates police work;
Increasing profitability and ease of commerce in the dark web;
The spread of mobile devices and the Internet of things (IoT).

Consequences of neglecting cybersecurity:

Economic costs (theft of intellectual property, corporate information, disruptions in trade, restoration and repair of damaged systems);
Reputation (loss of trust, loss of current and potential customers, anti-advertising in the media);
Regulatory costs (fines, regulatory sanctions).

Basic methods to protect sensitive data

One of the main digital world tasks is confidential information protection. This is a large and complex task, that can also be complicated by poor data management, poor network security, endpoint protection, and encryption methods. To prevent the growing number of cyber-attacks, it is necessary to use more powerful cyber security methods.

Both organizations and individuals need to know the basic methods of protecting sensitive data to avoid leakage and loss. The loss of personal or corporate data can be devastating and have serious consequences.

Confidential information is sensitive information that requires a higher level of data security to prevent unauthorized access by hackers or malware. Such data is usually protected and inaccessible to unauthorized persons. There are cybersecurity and data protection standards that are set in the USA by the Federal Trade Commission (FTC), in Europe – by the General Data Protection Regulation (GDPR), Australia – by the Australian Cyber Security Center (ACSC).

Confidential data may include:

Personal data (PII);
Financial, banking information, including credit card information;
Legal information;
Medical information (PHI);
Biometric data;
Data about clients and employees;
History of visiting the Internet;
Trade secret;
Data on business transactions;
Secret government information.

Basic methods for protecting confidential information:

Data classification and organization. Data classification refers to the process of organizing data into specific categories that make it easier to access, rank data by criticality, and reduce storage and backup costs. Data organization allows to determine data risk level (low, medium, high), determine public and private information, and apply appropriate security measures for each level of confidentiality. The classification policy allows to assess the use of sensitive data, ensure better privacy and data protection.
Data encryption. The method is to encode the data by cryptographers using complex algorithms and ciphers to protect the data from theft or disclosure. If the encrypted data is stolen, it is almost impossible to decrypt it without the decryption key. Data encryption provides confidentiality during information transfer and allows for authentication processes. Companies that work with particularly sensitive data should use an encryption method.
Personal Data Protection Impact Assessment (DPIA). These are operational tools to protect corporate information that carries a high risk of personal information disclosure. Under the DPIA, organizations must:

Determine the nature, scope, context and purpose of data processing;
Assess risks;
Define measures for each risk;
Ensure that security processes comply with regulatory requirements.

Data masking (obfuscation) is one of the ways to protect data by replacing the original data with fictitious ones. Data masking is also used internally to hide information from developers, testers, and others.
Multi-factor authentication. Using a password and authentication is one of the easiest security methods. The data of large corporations quite often end up on the dark web. Corporate users can use multi-factor authentication to protect sensitive information.
Backups. The foundation of all security solutions is data management and backup. Backup should be performed at least once a week.
Strong network security. This involves the use of many different security solutions to better protect sensitive data from theft and unauthorized access. Tools to improve security:

Software to protect against viruses and malware;
Data Leak Protection (DLP);
Intrusion detection system (IDS) and intrusion prevention system (IPS);
Firewalls;
Virtual private networks (VPN);
Network segmentation;
Secure data removal tools.

What is clickjacking?

The active data protection technologies development gives rise to the active development and improvement of cybercriminal methods. Criminals use sophisticated methods to go unnoticed and achieve their goals. For example, hackers can use clickjacking to force a user to activate a webcam or transfer money from their own bank account to an attacker’s account.

Clickjacking is a type of cyberattack in which an attacker places an invisible link over web content. Hackers hide the button in a transparent iframe, that allows them to remain invisible. Typically, users can’t determine that a clickjacking attack is occurring. Users, thinking that they are pressing a button that they see with their own eyes, actually fall into a trap prepared by an attacker.

The most common goals for clickjacking are:

Theft of login credentials;
Activation of the webcam or microphone;
Downloading malware;
Authorization of money transfers;
Making unwanted purchases;
Location determination;

This list is not limited to just these examples as the destructive possibilities are endless.

Examples of clickjacking

Money Transfer Fraud: an attacker tricks a user into clicking a link on a malicious page that authorizes the transfer of funds from the user’s bank account. Usually the site with the link contains an attractive offer (gift, discount, etc.). The victim loads the site, clicks a button to receive a «gift» and thereby authorizes the transfer of their funds. If the victim entered his bank account at that time, his/her money will be instantly transferred to the attacker’s account. The transfer of money takes place in the background while the victim is redirected to a page with additional information about the «gift».

Webcam and/or Microphone Activation: In this attack, Adobe Flash users’ settings are silently downloaded from a different link. By clicking on a malicious link, the user changes their settings. This allows attackers to gain access to the camera and microphone.

Likejacking is an attack using «likes». Users are tricked into liking a Facebook page. By clicking on the «Like» button, the user clicks on the link inserted by the attackers. For a «successful» attack the user must log into their account when clicking on the link. Social media accounts are vulnerable to clickjacking. So, in 2009 Twitter was the victim of a successful attack known as the «tweet bomb».

Malware download: An attacker initiates a malware download when a user clicks on a link. Such software can damage system software or create conditions for persistent threats.

Clickjacking protection tools

Content-Security-Policy (CSP)
X-Frame-Options
Framebusting

Data Breaches for the last year

One of the latest data leaks became known on April 04, 2022. Block has acknowledged that the Cash App mobile payment service was hacked due to an insider threat. In December 2021, a former employee of the company hacked the service and stole customer names, bank account numbers, asset values, exchange trading information. The exact number of customers who were affected by this incident was not reported. It is known that the company turned to 8 million of its customers and reported what had happened. Such attacks happen regularly and concern all modern companies. Below are some more examples of recent cases of hacking and information leakage.

In March 2022, Microsoft was hacked by the Lapsus$ hacker group. Confirming the hack screenshot in Azure DevOps was published in their Telegram channel. The hack compromised Bing, Cortana, and other projects. Lapsus$ was motivated by monetary interest, but not political. To achieve their goals, they turned to the company technical staff with a request to compromise their employers.
On January 17, 2022, hackers hacked the wallets of 483 Crypto.com users. Over $30 million was stolen from this hack. Part of the amount was stolen in Bitcoins, part in Ethereum and other cryptocurrencies. Attackers bypassed two-factor authentication and gained access to users’ wallets. The company announced a hack a few days later, as well as a refund of funds to the victims.
In December 2021, a group of hackers hacked the FlexBooker online booking platform. As a result of the hack, the data of 3 million users (driver’s licenses, passwords and other personal information) was stolen. After stolen data was put up for sale on various forums. The data was accessed using the FlexBooker Amazon Web Services configuration.
In November 2021, Panasonic was hacked and exposed data about trainees, job applicants and other information. The company did not report the scale of the damage but notified all the victims.
In October 2021, Twitch source code and other business data began to appear online. A 125 GB torrent was posted on an anonymous 4chan forum, allegedly containing the entire Twitch. The data cache contained data on payouts to creators for 3 years, the full volume of twitch.tv, proprietary code, details of an unreleased Stem competitor, and more. Twitch stated that a server configuration error was the cause, and the effect of the hack was minimal.
The attack on Neiman Marcus was carried out in May 2020. However, the attack and consequences were detected and assessed only in September 2021. The hack affected about 4.6 million customer accounts (payment card data, expiration date, other personal information). Different customer accounts were affected in different ways.
The T-Mobile data breach in August 2021 compromised the information of nearly 48 million people. Hackers stole files with loan applications, confidential information including names and surnames, social security numbers, dates of birth, driver’s licenses and identification numbers.
Misconfiguration of Microsoft Power Apps led to the disclosure of 30 million records in over 47 organizations. This information appeared in August 2021. Organizations affected included Ford Motor Co, American Airlines, New York Metropolitan Transportation Authority and other. The stolen information differed depending on the company it belonged to personal details of employees, Covid-19 test data, vaccination data, including personal information of related individuals, etc. Misconfiguration is not the fault of Microsoft directly, as certain system changes initiated by users may have made the data publicly available. However, the lack of warnings about possible consequences makes Microsoft partly to blame.

The biggest data breaches

One of the first hacks that affected the public occurred in 1986. On the night of April 27, millions of HBO subscribers were enjoying the movie «The Falcon and the Snowman» see on their TV screens a message from Captain Midnight . The message was about the ridiculous cost of a subscription in the amount of $ 12.95. Some of them were concerned about the hack, others took it as a funny joke. This hack caused no real damage, only a little pause in the broadcast.

Now news about various attacks and hacks appear quite often. The annual global damage from them is estimated at trillions of dollars.

The biggest data breaches:

Yahoo (2013)

As a result of this hack, 3 billion records were compromised, including real usernames, email addresses, date of birth, phone number, and security questions. At this time, the company was in the process of being bought by Verizon. Yahoo’s value has fallen by 350 million. According to Yahoo, the attack was state-sponsored.

First American Financial Corporation (2019)

As a result of the data breach, 885 million records were compromised (bank account numbers, bank statements, credit data, tax records, social security numbers, transaction data). This case is unique because an authentication error occurred (authentication is not available to view documents). This was caused by an IDOR (Insecure Direct Object References) bug that allowed unauthorized access to web pages and files. This error went unnoticed for several years.

Marriott International (2018)

500 million records are the result of a cyber attack. Contact information, passport data, travel data, bank card numbers and other users’ personal information were compromised. The attack was carried out by a Chinese intelligence group whose goal was to collect data from US citizens.

Facebook (2019)

The purpose of the cyberattack was the personal data of social network users: phone numbers, usernames, gender, location. The attack affected 540 million records. Several Facebook databases were not secured with passwords or encryption. This led to the fact that everyone could find data on the Internet.

Target (2013)

American company that operates a chain of retail stores suffered a cyberattack in 2013. 60 million records (names, phone numbers, email addresses, payment card numbers, credit card verification codes and other sensitive data) were compromised. Damage amounted to $18.5 million, as well as a $10 million class-action lawsuit settlement and $10,000 payments to customers. The organizer of the attack was not identified. Attackers gained access to Target’s networks using stolen credentials from a third-party provider (a company that maintains HVAC systems). After gaining access to the database, malware was downloaded to collect information.

MySpace (2013)

As a result of the attack, 360 million records with users’ personal information were affected. The attack was carried out by a Russian hacker in 2013, but it became known in 2016. The stolen credentials were leaked to LeakedSources and were also available for purchase on the Dark Web Markets the Real Deal for 6 bitcoins (approximately $3,000 in 2013).

LinkedIn (2012)

The purpose of this hack was users’ logins and passwords. After the data was published on the Russian hacker forum. The company had to pay $1.25 million to users affected by the hack. LinkedIn revealed the full scale of the attack only in 2016.

Data must be protected

Today data represents the greatest business value regardless of its activity field. Successful operation involves ensuring high-quality data interaction and usage (financial statements, medical records, business plan, etc.). At the same time the risk of data leakage increases making it critical to ensure proper data protection.

There are 2 types of data that companies own:

Critical business data – data sets needed for a full-fledged activity (financial plans, production reserve, intellectual property, trade secrets, etc.);
Company confidential – information about employees and their salaries, clients, contracts with partners, medical history, etc.

It’s inappropriate to waste resources and try to protect every folder and file without taking into account their contents. An adequate cybersecurity strategy should provide differentiated protection of information assets – photos from company party are not critical business information and don’t require strong protection.

Reasons to focus on data security:

Data breach involving data integrity damaging or theft. Leaks can be caused by hackers cyberattacks; theft or loss of devices with important information; data theft by employees or other internal users (contractors, partners, etc.); human error.
Compliance with regulations. Compliance requirements also contribute to data security (GDPR, CCPA) by regulating personal data collection, storage and usage. Non-compliance is subject to fines that can reach up to 20 million euros or 4% of the company’s annual turnover for the previous financial year.
Cloud security. The pandemic has triggered a massive transition of companies to the cloud to provide employees with the ability to work remotely. Earlier data security strategies focused on protecting systems where sensitive information was stored. With the move to the cloud, such information is stored beyond traditional boundaries. Organizations need to have data security strategies in place to prioritize data based on its privacy level.
Lack of cybersecurity specialists. This situation results in a limited ability to mitigate data breach risks, detect threats, and respond to attacks.

Key features of a data security strategy:

Identification – identifying and capturing cybersecurity risks of systems, people, assets, data and capabilities;
Protection – implementing appropriate security controls and other measures to protect critical assets;
Detection – ensuring rapid detection of actions and events that pose a threat to data security;
Response – procedures for rapid response to cybersecurity incidents;
Recovering – actions aimed at quickly restoring data and services.

Technologies that help to protect data

Data discovery and classification – scan data repositories and provide results to avoid storing sensitive data in insecure locations. Data classification is the process of labeling data with tags to protect data according to its value and regulatory requirements;
Data encryption makes it «unreadable» and useless for attackers;
Dynamic data masking (DDM) – the method includes real-time data masking;
User and Subject Behavioral Analysis (UEBA) – the main task of the technology is to identify suspicious activity that indicates a threat. The technology is useful for identifying insider threats and hijacking accounts;
Change control and auditing – accidental and malicious unauthorized changes to IT systems can lead to downtime and disruption. This technology allows to quickly detect incorrect configurations;
User Identity and Access Management (IAM) provides management of regular and privileged user accounts, as well as control user access to important information;
Backup and recovery – the ability to quickly restore data as a result of accidental or malicious data deletion, server damage, targeted attack, etc.

Cyber Security: What is this and why it is important?

Today we have almost unlimited possibilities for working with data, including their processing, storage and exchange between users. However, this raises the issue of cybersecurity.

Cybersecurity is an important part of any organization workflow. Its main goal is to protect all data categories (confidential data, corporate data, personal information, medical information, intellectual property, government and industry information systems etc.) from leakage and damage. The absence of a corporate cybersecurity project leads to an inability to withstand data leakage.

The modern world, each of us and society is highly dependent on technology, and this dependence will continue. Every modern company regardless of size depends on computer systems. The constantly growing number of users, devices, programs, the increasing data flow including secret or confidential data is of interest to cybercriminals. Global connectivity and cloud services usage to store sensitive data and personal information, misconfiguration, and sophisticated cybercriminal methods increase the risk of cyberattacks.

Maintaining cybersecurity in an ever-changing threat landscape is a top priority for all organizations. The use of ready-made solutions (antivirus software, firewall) cannot provide 100% protection, which confirms the relevance of creating a corporate cybersecurity system.

What is cyber security?

Cybersecurity is the process of protecting Internet-connected computer systems, networks, devices, and programs from any type of cyberattack, and recovering from any type of cyberattack. This practice is used by both individuals and legal entities to protect against unauthorized access to data centers and other computerized systems. Cyberattacks now pose a greater threat to data as cybercriminals bypass traditional data protections using new methods of infiltrating the system based on the use of social psychology and artificial intelligence.

A cybersecurity strategy can provide strong protection against attacks that are aimed at gaining access, changing, deleting, destroying or extorting confidential data of companies, organizations or individual users. Also, cybersecurity is able to prevent attacks aimed at shutting down or disrupting of operation systems and devices.

Governments around the world pay great attention to cybercrime. An example is the GDPR, which required organizations operating in the EU to report data breaches, appoint a data protection officer, require user consent to process information, and anonymize data for privacy. In the US, data breach laws are in place in all 50 states. Basic requirements: notify the victims as soon as possible, notify the government, pay a fine.

Elements of cybersecurity

The cybersecurity system can be divided into subsections, the internal coordination of which is critical to the entire cybersecurity system. Such subsections include:

application security;
data and information security;
network security;
disaster recovery and business continuity planning;
operational security;
cloud security;
critical infrastructure protection;
physical security;
end user training

Benefits of cybersecurity

business protection from cyber attacks and data leakage;
data and networks protection;
protection against actions of unregistered users;
reduction of time required for recovery after hacking;
end users and devices protection;
compliance with regulatory requirements;
ensuring business continuity;
improving the company’s reputation and increasing the level of trust on the part of developers, partners, customers, stakeholders and employees