[BreachExchange] Understanding the Ripple Effect: Large Enterprise Data Breaches Threaten Everyone

Destry Winant destry at riskbasedsecurity.com
Mon Nov 11 09:53:47 EST 2019


https://threatpost.com/ripple-effect-large-enterprise-data-breaches/150041/

Fallout from giants at the top is one of the largest drivers of
cyber-impacts on everyday people and companies.

Big businesses are constantly under attack, and that affects everyone
from customers and business partners to parties with national security
interests.

When successful, the initial compromise is only a means to an end —
the real goal is to mount follow-on attacks like spearphishing,
extortion attempts and account takeover (ATO). And much to the chagrin
of security experts, those attacks on household-name companies are
growing. Last year saw more than 6,500 data breaches, exposing a
staggering 5 billion compromised records, according to Risk Based
Security.

“Breaches against large enterprises are becoming more frequent. There
are several reasons for this – notably, breaches are no longer
standalone incidents, they are part of larger organized cybercrime
networks,” said Arun Kothanath, chief security strategist at Clango,
in an interview.

The second reason, Kothanath said, was that the price of data is
skyrocketing: Data tied to financial institutions is an attractive
target, and so is data tied to healthcare, education, infrastructure,
elections and national security.

Even though we live in a “breach-of-the-week” era, where data-thieving
and inadvertent information exposures have become an expected part of
the landscape, large enterprises can’t afford to see data stewardship
as anything other than a critical risk, experts warn.

Scale and Complexity

Alex Guirakhoo, strategy and research analyst at Digital Shadows, told
Threatpost that contrary to conventional wisdom, large enterprises can
represent some of the lowest-hanging fruit for criminals to snatch off
the data tree, simply by virtue of their scale.

“Fortune 500 companies have a much larger attack surface,” he said.
“It’s more difficult to promote an effective security culture across a
base of tens of thousands of employees than for a company with only a
handful. This opens up greater potential for issues stemming from
human error, like vulnerabilities going unpatched, or a server
containing sensitive customer information being inadvertently
accessible to the public without authentication.”

Add in the fact that people tend to reuse passwords for different
services and often mix personal and corporate use of email and mobile
devices, and the attack surface becomes even wider. Guirakhoo said
someone using company email on an insecure personal device represents
an easy path to the corporate jewels.

Third Party ‘Stranger Danger’

Larger companies also have more partners and suppliers, opening up the
potential for third-party compromise and supply-chain risk. This has
been seen in several large breaches, including, famously, the Target
breach (a hack of its HVAC provider started the attack) and last
year’s attack on software service provider [24]7.ai, a company that
provides online chat services. Hackers targeting [24]7.ai were able to
use the platform to ultimately compromise Delta, Sears and other
[24]7.ai customers.

