Data Breaches Can Come from Anywhere: How Hackers Steal Your Data
Every organization has valuable data in its possession. Whether it’s the personal information of employees and customers or R&D information about its next product, this data needs to be properly protected. Depending on the type of data in question, this need for protection may arise from data privacy regulations (GDPR, PCI DSS, HIPAA, etc.), or the data may need to remain secret so that the organization maintains its ability to operate competitively within its industry.
Despite all of the research and spending in data security, the number of data breaches that occur every week demonstrates that protecting secrets is not a solved problem. Most organizations have the basic cyber defenses in place to secure their network; however, in many cases, hackers can still slip by and steal the protected data.
Most people, when they think of a data breach, think of a hacker breaking through these defenses to steal an organization’s data. However, this isn’t always the case. In some cases, hackers can bypass these defenses entirely, taking advantage of other vulnerabilities that expose sensitive data.
Leaky Supply Chains
One of the most common ways that organizations fail to protect their sensitive data is a failure to properly secure their supply chain. Every organization relies on vendors, software providers, etc. at some level to help with providing their products or services. A breach of these companies in the supply chain can translate to a breach for the organization.
The most famous example of a breach caused by a failure to properly secure supply chain dependencies is the Equifax breach of 2017. An “entirely preventable” breach of Equifax’s systems caused the personal financial data of over 143 million people to be leaked to hackers. The cause of the Equifax breach was a failure to properly secure third-party software that Equifax used in its own network. Apache Struts is an open-source web server used by many organizations, including Equifax. This software had a well-known vulnerability for which a patch was available months before the Equifax incident. Equifax’s failure to perform the due diligence to close vulnerabilities inherited from its dependencies enabled the most notorious data breach in recent history.
With improvements to network perimeter security, sometimes the easiest way for an attacker to gain access to a network is to start out from the inside. By exploiting the network from the inside out, hackers can evade many of the defenses used by most organizations.
Many different means exist for attacking an organization from the inside out. These can range from more technical attack vectors, like installing malware on a flash drive and tricking or bribing an employee into plugging it into an internal system (which is how Stuxnet jumped the “air gap” into Iranian centrifuges), to very low-tech ones, like getting a job as a janitor or impersonating a mail carrier and attempting to steal data from unsecured machines. Perimeter-based defenses can do a lot to secure an organization’s private data, but they’re much less effective if the attacker is already inside the building.
A third way that hackers can easily steal data without hacking through an organization’s defenses is to go after sensitive data that isn’t stored on the network at all. Cloud computing provides many different advantages to an organization, but, if not done properly, security isn’t one of them.
One of the most common ways that organizations botch cloud security is the use of unsecured cloud storage. Amazon S3 buckets are one of the most well-publicized of these (probably because of the visual image of a “leaky bucket”), but any cloud storage system can potentially be a cause of an organization’s next data breach.
The main issue with the cloud is that security settings aren’t granular. The two options are typically private (each person needs to be explicitly invited to view or edit the data) or public (the entire world can read the data if they find the right URL). Cloud security research has found that 7% of S3 buckets were open to anyone who found them (no authentication needed) and 35% of them contained unencrypted data. Apparently, many people don’t understand that public really means public in the cloud.
Hackers, on the other hand, understand this perfectly well and take advantage of a variety of different tools to scan for open S3 buckets. Every bucket that they find may be a gold mine of private data and requires none of the time and effort involved in finding a hole in an organization’s firewall.
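The same exposure can be found from the owner's side by auditing bucket settings. The following is an added example, not code from the original article: it flags public ACL grants, wildcard-principal policies and missing default encryption, using constructed sample data shaped like the S3 GetBucketAcl and GetBucketPolicy responses and the settings from GetPublicAccessBlock. The bucket names, the `encrypted` flag and all function names are assumptions of the example, and policy statements that carry a Condition are treated as not public, which is a simplification.

```python
import json

# Grantee URIs that S3 ACLs use for "everyone" and "any AWS account holder".
GROUP_URI = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {GROUP_URI + "AllUsers", GROUP_URI + "AuthenticatedUsers"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_acl_grants(acl):
    """Permissions an ACL grants to a public group."""
    return sorted({g["Permission"] for g in acl.get("Grants", [])
                   if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS})

def public_policy_actions(policy_json):
    """Actions allowed to a wildcard principal with no Condition attached."""
    actions = set()
    for stmt in _as_list(json.loads(policy_json or "{}").get("Statement", [])):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):  # {"AWS": "*"} is also a wildcard
            principal = "*" if "*" in _as_list(principal.get("AWS", [])) else None
        if stmt.get("Effect") == "Allow" and principal == "*" and not stmt.get("Condition"):
            actions.update(_as_list(stmt.get("Action", [])))
    return sorted(actions)

def audit_bucket(name, acl, policy_json, block, encrypted):
    """Findings for one bucket; `block` is its public-access-block settings."""
    findings = []
    if (grants := public_acl_grants(acl)) and not block.get("IgnorePublicAcls"):
        findings.append(f"{name}: ACL grants {grants} to a public group")
    if (actions := public_policy_actions(policy_json)) and not block.get("RestrictPublicBuckets"):
        findings.append(f"{name}: policy allows {actions} to anyone")
    if not encrypted:  # assumed input: whether default encryption is configured
        findings.append(f"{name}: no default encryption configured")
    return findings

# Constructed sample input shaped like GetBucketAcl / GetBucketPolicy /
# GetPublicAccessBlock data; bucket names are hypothetical.
OPEN_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
                                         "Action": "s3:GetObject"}]})
SAMPLE = {
    "example-assets": ({"Grants": [{"Grantee": {"URI": GROUP_URI + "AllUsers"},
                                    "Permission": "READ"}]}, None, {}, False),
    "example-exports": ({"Grants": []}, OPEN_POLICY, {}, True),
    "example-locked": ({"Grants": []}, OPEN_POLICY, {"RestrictPublicBuckets": True}, True),
}

def audit_all(buckets=SAMPLE):
    return [f for name, cfg in buckets.items() for f in audit_bucket(name, *cfg)]
```

On the sample data, `audit_all()` reports the public ACL and missing encryption on `example-assets` and the open policy on `example-exports`, while `example-locked` is clean because its public-access block overrides the same policy.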
Protecting Your Data
Cleverly designed malware and hackers breaking through an organization’s firewall one line of code at a time are definitely a threat to data security, but they are certainly not the only one out there. Organizations’ sensitive data can be exposed in a variety of different ways, including poor supply chain security, insider threats, and leaky cloud storage. Many of these attack vectors bypass traditional perimeter security, making many cyber defenses ineffective.
Organizations cannot rely on network perimeter security defenses to protect sensitive data from hackers. In order to properly protect sensitive data, it is necessary to have a comprehensive understanding of and visibility into everywhere that data is stored and how it is accessed. By deploying a specialized data security solution, organizations can gain this level of visibility and identify any potential attempts to steal sensitive data, regardless of the attack vector used.