In a previous post, Technology and Connectivity: You Are at Risk, it was noted that the technologically connected world we live in puts us at risk of being a victim of a data breach. This post explores the topic further, assessing the most likely way that a breach might occur.
When faced with what seems to be an inevitable attack, are we helpless to prevent a large-scale breach?
Given the fact that record-breaking breaches have defeated the cyber security of large corporations and sophisticated government systems, it may seem impossible to defend against a potential cyber-attack. For instance, the Target and Office of Personnel Management (OPM) breaches were the result of “sophisticated” attacks. The perpetrators in each case were experienced cyber criminals, or a foreign state-sponsored group (such as in the case of the OPM breach), and the attacks beat reasonably constructed cyber security systems. In the OPM case, the perpetrators were able to breach the Department of Homeland Security’s Einstein system, the government’s $3 billion monitoring system specifically designed to prevent and detect cyber-attacks.
When analyzing the actual breaches in both of these cases, it was not the system itself that was ineffective. Take the 2013 Target breach, for example. While it is alleged that the attack was performed by a professional cyber-criminal from within the Ukraine, and true that aspects of the breach may appear sophisticated to laypersons who are not software engineers (such as the code used to collect or “scrape” card data from Target’s server), the breach itself was extremely simple. The actual breach, breaking through Target’s firewall and gaining access to Target’s file server, was accomplished with a phishing scheme that allowed the attacker to obtain the legitimate credentials (name and password) of a 3rd party contractor who had access to Target’s contractor portal. Yes, a phishing scheme, a malicious link in an email that almost every individual is aware of, and that any company with even the slightest concern about IT security warns its employees about as a first line of defense. This was the downfall of Target’s IT security. The attack suggests that the Target’s security infrastructure, which was not noted to be extremely advanced or cost inhibitive, was most likely adequate enough to prevent direct intrusion, but lacked adequate monitoring of activity and failed to prevent human error. Thus, believing that such attacks are “sophisticated” and unstoppable is simply incorrect.
Lest you think Target is alone in its failure to prevent human error, consider other recent breaches, such as the 2014 OPM breach and the 2014 Anthem breach, in which 80 million customer records were compromised. In each of these cases, the attackers did not breach cyber security systems directly. Instead, the attackers gained legitimate access only after obtaining the credentials of a vendor or employee, most likely through phishing schemes. In fact, a 2014 report issued by Javelin Strategy & Research states roughly 61% of all data breaches are attributable to stolen credentials, suggesting that this is how the majority of breaches occur. Thus, even with adequate security systems is in place, such as OPM’s use of Einstein, IT systems face the larger risk of human error.
To learn more on what you can do to help mitigate the risk of a data breach, this topic will be covered further in an upcoming blog post.