Data breaches are a constant threat for many organizations. They can be very damaging to companies, as not only is there the material cost of the breach, which now averages at almost 9.5 million dollars in the USA, but the reputation cost from getting hacked. To prevent data breaches, it is important to first understand the steps behind a data breach. Understanding this process and knowing what happens to allow data breaches to occur is a great way to build actionable defenses.
How Do Data Breaches Happen?
The first step of a data breach is often the most important one to defend against. This will usually be the way that the hackers gain initial access to the sensitive information or the network in which it lies. Unfortunately, there are many different ways that this can happen. Some of the most common methods will be through social engineering or the use of a network component with known vulnerabilities. It may also be possible that a hacker identified valid credentials to a login panel or found a flaw in the design of a web application.
Once the hacker makes initial access, they will then begin moving through the network seeking sensitive data. Primary targets will be database servers or files on workstations that may have valuable information. This movement through the network largely depends on what the design of the internal network is like. Most commonly, this will be an on-premise Active Directory environment or a cloud environment of some sort. When these are misconfigured, it can be easy for hackers to locate sensitive data.
When a hacker can accomplish their goal and find the compromising information, the next step is to exfiltrate the data. This can be easy to miss, even though large amounts of information are leaving the network. Organizations are often far more likely to carefully track inbound traffic than outbound traffic. Hackers will exfiltrate this data to privately controlled servers where they can then use it for malicious purposes.
An alternative scenario is from a physical approach. While less common, it can be very easy for a skilled adversary to break into seemingly secure facilities and steal important information. Another example could be a disgruntled employee stealing information from the company. This can happen in both the digital and physical scenarios. As long as they have, or can get enough access to take the information, they can potentially steal it.
Most commonly, this is all done to make a profit. Data breaches can sell for a lot of money on the dark web, and hackers may see it as an easy way to make a quick profit. Information will often be clumped into different categories, such as credit cards, bank logins, emails and names, and other various combinations of PII. These can then be bought and sold in varying amounts where attackers can leverage the information for access to other services or mount social engineering campaigns.
How To Defend Against Data Breaches?
With the wide range of ways that data breaches can occur, it can be difficult to properly defend against them. No one solution can effectively block out hackers from a network. There will almost always be a wide range of defenses that cover different entry points into a system and protect the internal workings of the system. Hackers can slip through small cracks to navigate through seemingly secure networks, so proper security measures are vital.
Defending against perimeter attacks is one of the most important steps in preventing data breaches. Perimeter attacks are anything on the outside of the network. They can be considered the first ways in. Keeping all perimeter appliances fully up to date can go to great lengths in preventing attacks. Hackers are extremely fast, so defenders need to make sure that they are staying fully up to date on the latest trends and monitoring their network for potential weak points.
It is also important to properly train employees on defenses against attacks such as social engineering and password reuse. They should know who to go to in the event of a problem and what to do if something seems off. Most importantly, they should recognize social engineering attempts early on and know when not to give out any information.
While defending the outside is important, it can be just as important to defend the internal network. No defenses are perfect, so it should be assumed that a hacker will find a way in one way or another. Once they are in, if proper protections are not in place, they will be able to wreak havoc on a network and take any information they want. Internal security policies and access controls can stop hackers in their tracks, even if they find a way in.
