[BreachExchange] Data Breach Conundrum – Who’s on First?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Dec 12 19:55:29 EST 2017


http://www.bmc.com/blogs/data-breach-conundrum-whos-on-first/

The first recorded data breach of our century occurred in 1984 at TRW, a
credit reporting agency. One stolen password posted to an electronic
bulletin board could have permitted access to the credit histories of 90
million people. Computer experts warned that prevention of such incidents
demanded greater security. Thirty-three years later—the data breach
conundrum pauses to reflect upon who’s on first.

The data breach conundrum

If we get a toothache, we call a dentist. If our automobile gas gauge is
nearing empty, we fill our gas tank. If we run out of staple food, we visit
the grocery store to buy more staples. If we crave cap of ribeye
(spinalis)—we call the butcher to place a special order. For all the above
situations, we have a logical sequence of steps we follow to achieve
specific results.

When we become the victim of a data breach, there is little or no respite.
Though we attempt to make sense of whatever breach, leak or hack nabbed
us—there is often no way to follow a logical sequence of steps, because
nine times out of ten, the specific result ultimately smacks of “game
over.” The bad guys got us, and we don’t even know ‘who’s on first’.

Equifax

As one example—consider Equifax’s recent spine-chilling data breach that
spilled our everything . . . as consumers, we were clueless before the
spill (and still are) as to who they sold our data to. But, as
Americans—we’ve always been an Equifax product—only this time, we are an
Equifax hacked product.

We wait. We sit—mostly silent. Our options trivialized by the calculated
movement of the pendulum swaying nonchalantly back and forth—reminding each
of us that the concern for our personal data could become (at any moment)
inconsequential and inappreciable when placed in the hands of remiss and
stoic gatekeepers.

Exposed

According to a new report from Risk Based Security, during the first three
quarters of 2017, 3,833 breaches were reported, exposing over 7 billion
records. Compared to the same period in 2016, the number of reported
breaches rose up by 18.2% and the number of exposed records rocketed by
305%. The report also reveals that 78.5% of all records exposed came from
the five largest data breaches of 2017:

1. Equifax— (Hacking) 145,500,000 names, dates of birth, Social Security
numbers and other confidential information compromised by exploiting
unpatched vulnerability in Apache Struts (CVE-2017-5638).
2. DU Caller Group— (Web) 2,000,000,000 user phone numbers, names and
addresses inappropriately made accessible in an uncensored public directory.
3. Deep Root Analytics— (Web) Approximately 198,000,000 voter names,
addresses, dates of birth, phone numbers, political party affiliations, and
other demographic information exposed in an unsecured Amazon S3 bucket.
4. NetEase— (Hacking) 1,221,893,767 email addresses and passwords stolen by
hackers and sold on the Dark Web by DoubleFlag.
5. River City Media— (Web) 1,374,159,612 names, addresses, IP addresses,
and email addresses, as well as an undisclosed number of financial
documents, chat logs, and backups exposed by faulty rsync backup.

Business responsibilities

Businesses need to properly manage sensitive data and place more focus on
breach prevention, detection and response. Some items that have been
overlooked in the lessons to be learned category include:

- Evaluating security protocols, updating and patching, and always backing
up data frequently
- Encrypting all data
- Securing the network with a corporate VPN
- Handling customer data protection as a corporate social responsibility
(CSR)
- Hiring employees that take breach prevention and management seriously
- Implementing advanced security controls
- Limiting employee access
- Developing an exit strategy that leaves no backdoors open
- Monitoring and securing BYOD programs
- Holding outside consultants and vendors to the same security standards as
your organization
- Developing policies and procedures on data breach prevention and mock
testing procedures
- Providing ongoing data breach training

Providing ongoing training for employees, upper management, and the board
is crucial. Lastline’s CMO, Bert Rankin says “It’s often human insight that
makes the difference in rapid breach detection, and that requires a
vigilant training program. Security teams obviously need to stay up to
date, but it’s also important to educate other administrators and users so
they can identify and report the early warning signs of an attack campaign.”

What about our responsibilities?

Most of the time it is all about convenience. We love it. We live it. It’s
easy to point the finger when we’ve over-used the same password on multiple
sites across the Internet, or been phished via an email that we thought our
CEO sent to us.

Though there are plenty of instances where companies have been negligent or
lax with customer data—on the other side of the coin—there are plenty of
users that have hindered security efforts by visiting fraudulent websites,
clicking on phishing links, reusing the same passwords on multiple sites,
using free (unsecured) public WIFI (that can easily be compromised),
leaving Bluetooth on when not in use, and not enabling two-factor
authentication on sites that provide it.

Conclusion

I’ve been the victim of eighteen reported data breaches since 2007: Adobe,
Albertson’s, Bit.ly, Citigroup, Disqus, Dropbox, Equifax, Exploit.In,
Forbes, Hannaford’s, Home Depot, LinkedIn, MySpace, Onliner Spambot, River
City Media, Staple’s, Target, and TJ Maxx.

I feel as though our personal data is consistently flailing inside some
giant yawning sinkhole—always waiting for another data breach plunge into
one more chaotic abyss.

Sometimes I wonder if data collection technology forged ahead too
rapidly—or perhaps the technology behind it coerced security into
coexisting as a tag along.

Yes, the genie is out of the bottle—as individuals, it appears we’ve lost
all control of our personal data. We’ve never really known who’s on first
and we can’t even visualize getting to second base because it always looks
like we will strike another out.

Though the data breach landscape looks discouraging and dismal this year,
we still have time (not much), to get our acts together (on an individual
and organizational basis) and inoculate security hygiene into our mindsets,
motivations, and daily workflow.

My mantra: Ask not what data breach security can do for you—but what
“together” we can do for data breach security. What is your mantra?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171212/02ef473b/attachment.html>


More information about the BreachExchange mailing list