Currency Of The Future and Its Vulnerability To Theft
Gartner’s prediction of an 8.7% increase in worldwide spending on information security products and services during FY 2019 became a reality when Capital One’s breach made history this year. Since Coca Cola introduced the concept of IoT back in the 1980s, cyber-security has evolved from traditional firewall-based defence to enterprise cyber-security. The advent of cloud and mobile technologies has significantly increased the attack surface. Therefore, situational awareness has become the key to survival for organizations today. IoT is predicted to connect around 50 billion devices by 2020, which makes it imperative for an organization not only to protect the infrastructure securing its data but also to lock down the ever-expanding number of endpoints attached to its systems. Data can be termed the currency of the future, and cyber criminals demonstrate a well-established understanding of the value of commodity data. Cyber-security damage is predicted to reach up to $6 trillion by 2021. Industry giants therefore struggle to build complex IT infrastructures to avoid breaches of data, yet cyber-crime still seems to be on the rise.
There are 4 types of cyber-criminal groups present around the globe: financially motivated organized crime groups, nation state actors (30% originating in China), activist groups and insiders. Around 53% of companies worldwide give their employees access to over 17 million sensitive files, according to a Data Risk Assessments report published by Varonis in 2019. This research was performed on a representative sample of 785 organizations from many industries and sectors. Additionally, Varonis discovered a tenfold increase in these files compared to the previous year. These files consisted of data subject to regulations like PCI, HIPAA, GDPR and CCPA, and a breach of such data can also cost companies heavy penalties. Global access groups such as Domain Users, Everyone or Authenticated Users give cyber-criminals a path to such data: once any account in the domain is compromised, everything those groups can read is exposed. Globally accessible data has therefore introduced organizations to the risk of malware and ransomware attacks. Also, around 14,643 folders containing sensitive data were exposed to every employee within these organizations, which in turn makes them vulnerable to cyber-crime. It is estimated to take an IT professional around 6-8 hours per folder to locate and then remove Global Access Groups as well as create and apply new groups with the right users.
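Locating the global access groups the report describes is the first of those 6-8 hours per folder. The following is an added example (not from the article or the Varonis report) that walks a share and lists every folder whose ACL grants Allow rights to Everyone, Authenticated Users or Domain Users; the share path, recursion depth and the assumption that the Domain Users group keeps its default name are the operator's inputs.

```powershell
# Added example: audit folders under a share for "global access group" ACEs.
# Assumes the operator supplies the root path and depth; matching is on the
# well-known group names (Domain Users is matched by suffix because the
# NetBIOS domain prefix varies per environment).
param(
    [Parameter(Mandatory)] [string]$Root,
    [int]$Depth = 3
)

$globalPatterns = @(
    '^Everyone$',
    '^NT AUTHORITY\\Authenticated Users$',
    '\\Domain Users$'
)

$results = Get-ChildItem -Path $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }   # unreadable ACL: skip, but do not treat as safe
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            $isGlobal = $globalPatterns | Where-Object { $id -match $_ }
            # Only Allow entries are exposure; a Deny for Everyone tightens access.
            if ($isGlobal -and $ace.AccessControlType -eq 'Allow') {
                [pscustomobject]@{
                    Folder    = $_.FullName
                    Identity  = $id
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # inherited ACEs must be fixed at the parent
                }
            }
        }
    }

$results | Sort-Object Folder | Format-Table -AutoSize
"{0} global-access ACE(s) found under {1}" -f @($results).Count, $Root
```

Inherited entries point at the folder where the permission was actually granted, so remediation (replacing the global group with a purpose-built group of the right users) belongs at that parent rather than on each child.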
According to the Data Breach Investigations Report (2019) published by Verizon, around 94% of malware was delivered by email, and the most widely used file types to conceal malware were Microsoft Office and other Microsoft application documents. The Capital One breach, for instance, affected 106 million people this year. The hacker was able to gain access to valuable consumer personal and financial information, including 80,000 linked bank account numbers of secured credit card customers and 140,000 Social Security numbers of potential Capital One credit card clients. How was this possible? The servers of the third-party cloud computing company providing services to Capital One were accessed via a misconfigured web application firewall. Capital One is now expected to face high recovery costs ranging from $100 million to $150 million associated with notifying affected customers and compensating them with free credit monitoring. Evite, a social planning website, reported that an unauthorized party stole an inactive customer storage file containing the information of 100 million customers. Luckily, the customers’ financial data remained secure, as the company did not store such information.
Evite’s data breach serves as an example of another category of data exposed to cyber-crime: stale data. Sensitive stale data consists of information regarding customers, employees, projects, clients or any other business-sensitive content subject to regulations like PCI, HIPAA, SOX and GDPR. Such data introduces unnecessary security risk, as it is kept beyond its retention period, and it can be expensive to store and manage. Organizations continue to amass unnecessary data despite the May 2018 EU General Data Protection Regulation and the California Consumer Privacy Act. It has been estimated that around 72% of the folders in a company consist of stale data. Such data remains widely accessible and unmonitored while the companies struggle to keep attackers out.
In order to access data file stores, cyber-criminals need an active account in Active Directory. One of the challenges companies face in correctly identifying such accounts is that Active Directory also contains stale accounts: accounts that are inactive yet still enabled. These stale accounts are later targeted and used for initial access and lateral movement, and because nobody expects them to log on, their use rarely raises an alarm. Such accounts lie dormant and go unnoticed while providing access to systems and data on a daily basis. Hunting and eliminating non-expiring passwords and stale accounts are therefore two security steps that organizations often overlook.
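The two overlooked steps above can be turned into a routine report. This is an added example (not from the article) that lists enabled accounts with no recent logon or with a non-expiring password; it assumes the ActiveDirectory RSAT module, read access to the domain, and an operator-chosen staleness threshold.

```powershell
# Added example: report enabled AD user accounts that are stale or have
# non-expiring passwords. $StaleDays and $ReportPath are assumptions for the
# example, not values from the article.
param(
    [int]$StaleDays = 90,
    [string]$ReportPath = '.\stale-accounts.csv'
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$StaleDays)

# LastLogonDate is derived from lastLogonTimestamp, which replicates with a lag
# of up to roughly two weeks, so treat it as coarse evidence of inactivity.
$users = Get-ADUser -Filter { Enabled -eq $true } `
    -Properties LastLogonDate, PasswordNeverExpires, PasswordLastSet, WhenCreated

$findings = foreach ($u in $users) {
    $reasons = @()
    # Never logged on (and not newly created), or last logon before the cutoff
    if ((-not $u.LastLogonDate -and $u.WhenCreated -lt $cutoff) -or
        ($u.LastLogonDate -and $u.LastLogonDate -lt $cutoff)) {
        $reasons += "stale (no logon in $StaleDays days)"
    }
    if ($u.PasswordNeverExpires) { $reasons += 'password never expires' }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName       = $u.SamAccountName
            LastLogonDate        = $u.LastLogonDate
            PasswordLastSet      = $u.PasswordLastSet
            PasswordNeverExpires = $u.PasswordNeverExpires
            Reasons              = $reasons -join '; '
        }
    }
}

$findings | Sort-Object LastLogonDate | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$(@($findings).Count) enabled account(s) flagged; report written to $ReportPath"

# Remediation is a separate, reviewed step: after checking the CSV against
# owners and service dependencies, dry-run the disable with -WhatIf, e.g.
#   Import-Csv $ReportPath | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Disabling rather than deleting keeps the SID and group memberships recoverable if an account turns out to be a seasonal or service account, which is the usual false positive in this report.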
Every organization has different needs, risk tolerances, threats, capabilities and vulnerabilities when it comes to cyber-security prevention. Therefore, governments, industry organizations and regulators have introduced recommended security best practices and general frameworks to help organizations reduce the likelihood of being victimized by cyber security attacks. NIST released a document with the goal of providing a flexible, repeatable, cost-effective and performance-based framework of information security controls that can be adopted by organizations that own critical information. According to NIST, an ideal cyber security framework should complement an organization’s current cyber security program rather than replace it, based on the five concurrent functions: Identify, Protect, Detect, Respond and Recover. It is also highly recommended to maintain an updated inventory of all hardware, software, security and data certificates so that a company is well aware of the information being shared on its networks, servers and other IT systems. This keeps vital information within reach when a cyber security alarm goes off, and it supports the implementation of incident response plans, business continuity plans and IT disaster recovery plans.
Another simple but effective practice for preventing cyber attacks is ensuring that an organization’s website uses a secure protocol rather than an insecure one: a TLS handshake backed by valid SSL/TLS certificates provides authenticated and encrypted communication. It should also be an organization’s utmost priority to train its employees to identify and react to cyber threats. Employees pose a significant security risk to businesses, as employee negligence can result in data breaches. A basic understanding of cyber security best practices can be delivered to employees covering how to identify and respond to phishing or scam emails, how to create secure passwords and avoid reusing them across platforms, the organization’s cyber security policy and compliance measures, social networking threats, and safety measures for sending, collecting, managing and storing client and company data.
Any policy implemented to prevent cyber crime is only effective if an organization not only enforces it but also follows up on it. There is no doubt that the situation companies face with cyber crime today calls for decisive measures, but by assessing an organization’s cyber-security risk, executing company-wide changes and making a tireless effort to raise the organization’s overall security posture, cyber-crime can be averted.