Data Security Importance and Methods to Prevent Privacy Breaches in Corporate Businesses and Organizations.
Data is “the new oil”, and organizations need to take the steps necessary to protect it adequately. What counts as adequate protection? That depends on the type of data being stored, whose data it is, and the jurisdictions that apply. This post covers how to prevent credential theft from becoming a breach.
Governments and international bodies have certainly been making an effort recently to improve enterprise data security. With new regulations like the European Union’s General Data Privacy Regulation (GDPR) and the California Consumer Privacy Act (CCPA), protection of personal data is in the spotlight, and the potential costs of a breach have risen significantly. A breach of GDPR-protected data can cost an organization 4% of global revenue, and an administrative error (like failing to keep proper records) can cost 2% of turnover even if no breach occurred.
When thinking about data breaches, most people picture something out of a spy thriller with hackers finding loopholes in an organization’s network defenses and building a clever exploit to gain access. The reality is often a bit less sexy.
A major risk to enterprise security is passwords. Hackers steal them in a variety of ways, including phishing and hacking other organizations. Do you really think your employees never use their work passwords for personal accounts as well? Think again. A recent survey by LogMeIn found that 62% of people reuse passwords between personal and work accounts.
In other words, the most recent password leak could be the cause of your next data breach.
The Costs of Data Breaches
Data breaches are pretty common these days. It seems like a new breach is reported every week at the least, with many weeks featuring multiple large-scale breaches. Everyone thinks that “it won’t happen to me”, but when it does, it definitely costs them.
According to a study conducted by the Ponemon Institute, the average data breach costs an organization between $2.2 million and $6.9 million for breaches that aren’t “headline-worthy” (<50,000 records) and $39.49 million for those that are (over a million records). The average cost of the breach is $148 per record. Think of the number of customers that you have. Multiply that by $148. Can your organization survive that? It’s important to consider that this is only the measurable financial cost of the breach. Other potential costs are reputation, loss of customers, civil or criminal charges, and lost productivity.
Stolen Passwords and Credential Stuffing
As mentioned above, one of the biggest threats that an organization has to deal with is poor password management. People commonly use truly awful passwords (12345, qwerty, etc.) for multiple applications. This practice is what makes “credential stuffing” attacks so effective. Instead of devising some brilliant way of hacking past your firewall, a hacker will simply put together a list of potential usernames and passwords and start trying them. Lists of common passwords are available for free or for sale on both the open Internet and the Dark Web.
And usernames? Your organization probably has a standard format for generating them (first name dot last name, or first initial followed by last name, are common favorites), which can easily be learned from any email address at your company. Even without knowledge of internal usernames, common defaults like admin and root are an obvious first guess. The Mirai botnet demonstrated that people don’t change the default credentials on their smart devices and network appliances. Hackers use credential stuffing attacks because they work.
Protecting Against Stolen Credentials
A hacking attempt that uses stolen credentials has two stages: finding legitimate credentials and using them in an attack. For the first stage, there honestly isn’t much that you can do to prevent it. Even if your organization has a good password policy that disallows any easily guessable passwords, it can’t detect password reuse. If your employee reuses the same password on some other site, you’ll never know until it’s breached.
When protecting against attacks using stolen credentials, detection is where the money’s at. You don’t need to be impervious to an attack as long as you can figure out the holes in your defenses before a hacker can. One simple way to determine your vulnerability to credential stuffing attacks is to do what the hacker does: collect a big list of weak passwords and try them against your users’ accounts. If you find a match, force a password reset, check their history for signs of anything suspicious (in case a hacker beat you to it), and sign them up for remedial training.
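The audit described above, run the defender's way: offline against your own password store rather than against the live login endpoint, so it never locks anyone out or generates noise in your authentication logs. This is an added example, not code from the original post. It assumes a hypothetical store of per-user salted PBKDF2-SHA256 hashes (constructed sample accounts, not real data) and a short constructed weak-password list; a real audit would use your production hashing scheme and a full leaked-password corpus.

```python
import hashlib
import hmac
import os

# Kept modest so the sample audit finishes in well under a second; production
# stores use far more iterations, and an audit there takes correspondingly longer.
ITERATIONS = 20_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted PBKDF2-SHA256, the hypothetical scheme the sample store uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_store(accounts: dict) -> dict:
    """Build a constructed password store: username -> (salt, hash)."""
    store = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(password, salt))
    return store


# Constructed sample accounts (not real users or passwords).
SAMPLE_ACCOUNTS = {
    "jsmith": "12345",
    "mjones": "C0rrect-H0rse-Battery-Staple",
    "admin": "qwerty",
    "alee": "Summer2019!",
}

# Constructed stand-in for a leaked/common-password list.
WEAK_PASSWORDS = ["123456", "12345", "qwerty", "password", "Summer2019!", "admin"]


def audit_weak_passwords(store: dict, weak_list: list) -> dict:
    """Return {username: matched_weak_password} for every account whose stored
    hash equals the hash of some entry in weak_list (rehashed under that user's salt)."""
    flagged = {}
    for user, (salt, stored_hash) in store.items():
        for candidate in weak_list:
            # Constant-time compare, matching how a login check should compare hashes.
            if hmac.compare_digest(hash_password(candidate, salt), stored_hash):
                flagged[user] = candidate
                break
    return flagged


def remediation_plan(flagged: dict) -> list:
    """The three follow-ups the post recommends for each match."""
    return [
        {
            "user": user,
            "actions": [
                "force_password_reset",
                "review_signin_history",
                "assign_remedial_training",
            ],
        }
        for user in sorted(flagged)
    ]


def run_audit() -> dict:
    """Build the constructed store and audit it; returns the flagged accounts."""
    return audit_weak_passwords(make_store(SAMPLE_ACCOUNTS), WEAK_PASSWORDS)


if __name__ == "__main__":
    flagged_accounts = run_audit()
    for item in remediation_plan(flagged_accounts):
        print(item["user"], "->", ", ".join(item["actions"]))
```

The weak password each match corresponds to is returned only so the audit report can tell a truly trivial password (12345) from a predictable-pattern one (a season plus a year); it should not be logged or emailed to the user.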
Another advantage that you have over an attacker is that authorized use is “normal” and unauthorized use typically isn’t. If a user’s account has multiple failed sign-in attempts? Probably worth looking into. If you’re based in Boston and a user is trying to sign in from a European IP address? Might want to block that. Many security appliances can use machine learning to detect and block these types of attacks. And limits on failed password attempts before an account is locked are always a good idea.
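The two detections above (a burst of failed sign-ins, and a sign-in from a country the organization does not operate in) plus the lockout threshold, applied to a few constructed authentication log lines. This is an added example, not code from the original post. The log format, the threshold of five failures in ten minutes, the "expected countries" set, and the prefix-to-country table standing in for a GeoIP database are all assumptions; source addresses come from the RFC 5737 documentation ranges.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z user=jsmith src=203.0.113.5 result=FAIL
2024-03-01T09:00:04Z user=jsmith src=203.0.113.5 result=FAIL
2024-03-01T09:00:07Z user=jsmith src=203.0.113.5 result=FAIL
2024-03-01T09:00:10Z user=jsmith src=203.0.113.5 result=FAIL
2024-03-01T09:00:13Z user=jsmith src=203.0.113.5 result=FAIL
2024-03-01T09:00:16Z user=jsmith src=203.0.113.5 result=SUCCESS
2024-03-01T09:05:00Z user=mjones src=198.51.100.20 result=SUCCESS
2024-03-01T09:06:30Z user=alee src=198.51.100.21 result=FAIL
2024-03-01T09:30:00Z user=alee src=198.51.100.21 result=SUCCESS
2024-03-01T10:00:00Z user=mjones src=192.0.2.77 result=SUCCESS
"""

# Constructed stand-in for a GeoIP lookup: address prefix -> ISO country code.
GEO_TABLE = {"203.0.113.": "DE", "198.51.100.": "US", "192.0.2.": "FR"}

# Hypothetical policy: the organization is US-based (the post's Boston example).
EXPECTED_COUNTRIES = {"US"}
FAIL_THRESHOLD = 5            # failures that trigger a lockout ...
WINDOW = timedelta(minutes=10)  # ... within this sliding window


def geo_lookup(ip: str) -> str:
    for prefix, country in GEO_TABLE.items():
        if ip.startswith(prefix):
            return country
    return "??"


def parse_line(line: str) -> dict:
    """'<ISO timestamp> key=value ...' -> dict with a parsed 'ts' field."""
    ts_str, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return event


def analyze(log_text: str):
    """Return (alerts, locked_users). Each alert is (user, rule, detail)."""
    alerts = []
    locked = set()
    recent_failures = defaultdict(deque)  # user -> timestamps of failures in WINDOW

    for line in log_text.splitlines():
        ev = parse_line(line)
        user, ts, country = ev["user"], ev["ts"], geo_lookup(ev["src"])

        if ev["result"] == "FAIL":
            q = recent_failures[user]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and user not in locked:
                locked.add(user)
                alerts.append((user, "lockout", f"{len(q)} failures within {WINDOW}"))
            continue

        # A success recorded after the account crossed the lockout threshold means
        # the lock was not enforced at the time; flag it for investigation.
        if user in locked:
            alerts.append((user, "success_after_lockout", ev["src"]))
        if country not in EXPECTED_COUNTRIES:
            alerts.append((user, "unexpected_country", country))

    return alerts, locked


if __name__ == "__main__":
    found_alerts, locked_users = analyze(SAMPLE_LOG)
    for alert in found_alerts:
        print(*alert)
    print("locked:", sorted(locked_users))
```

The sliding window is what keeps this from firing on a user who fat-fingers a password once a day; the same structure works for a per-source-IP counter, which catches a stuffing run that spreads its guesses across many accounts so that no single account crosses the threshold.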
Securing Your Sensitive Data
With the rise in new privacy regulations, the cost of a data breach can be significant. While brute-force password guessing attacks may not be super-complex, they’re still effective and a significant threat to your organization’s cybersecurity. Taking proactive steps to detect and prevent attacks from succeeding can mean the difference between lecturing a user on poor password hygiene and a major incident response operation.