Data breaches are a nasty and unfortunately common part of the IT world. In this blog, Connetic Founder and CEO Matthew Strebe talks about why data breaches happen, and what organizations can do to prevent them.
Data breaches are a vicious cycle: past data breaches are contributing directly to the execution of new data breaches. How is this happening? It’s simple. The direct loss of credentials (usernames and passwords) leads to the exploitation of sites that pose as credential databases.
Poorly configured services that people don’t think much about, like forums and news sites, have been commonly breached by attackers for over a decade. This results in hackers downloading entire databases of user accounts, email addresses, and passwords. You can check out this data breach guide website and enter your own email address to see where it’s been stolen, along with your existing passwords.
These stolen email addresses and passwords are then blended into a massive shared database of known passwords that hackers (and security researchers like me) distill down to attack other websites where they might be used.
Because users commonly share the same email address and the same password (or simply modifications of it) across multiple websites, hackers are then able to test those credentials against other more secure services. In a small percentage of cases, hackers are able to gain access to the account.
When those credentials provide or can be elevated to administrative access, the results are catastrophic—another data breach!
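A defender's view of the credential testing described above, as an added example that is not part of the original post: one source trying many different accounts with a low hit rate, where the few successful logins are the accounts to lock and reset. The log format, function name, and thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample log (not from the original post):
# "<time> <source_ip> <user> <OK|FAIL>"
SAMPLE_LOG = """\
10:00:01 203.0.113.7 alice@example.com FAIL
10:00:02 203.0.113.7 bob@example.com FAIL
10:00:03 203.0.113.7 carol@example.com OK
10:00:04 203.0.113.7 dave@example.com FAIL
10:00:05 203.0.113.7 erin@example.com FAIL
10:00:06 203.0.113.7 frank@example.com FAIL
10:01:10 198.51.100.20 bob@example.com FAIL
10:01:25 198.51.100.20 bob@example.com OK
10:02:00 192.0.2.50 gina@example.com OK
10:02:05 192.0.2.50 hal@example.com OK
10:02:09 192.0.2.50 ivy@example.com OK
10:02:14 192.0.2.50 jon@example.com OK
10:02:20 192.0.2.50 kim@example.com OK
"""


def find_stuffing_sources(log_text, min_users=5, max_hit_ratio=0.2):
    """Map each suspicious source IP to the accounts it logged into.

    A source is suspicious when it tries at least `min_users` distinct
    accounts and at most `max_hit_ratio` of them succeed. Both thresholds
    are hypothetical starting points, not recommended values.
    """
    tried = defaultdict(set)      # source ip -> every account attempted
    succeeded = defaultdict(set)  # source ip -> accounts with a good login
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:      # skip blank or malformed lines
            continue
        _, ip, user, result = fields
        tried[ip].add(user)
        if result == "OK":
            succeeded[ip].add(user)

    flagged = {}
    for ip, users in tried.items():
        hit_ratio = len(succeeded[ip]) / len(users)
        if len(users) >= min_users and hit_ratio <= max_hit_ratio:
            flagged[ip] = sorted(succeeded[ip])  # accounts to lock and reset
    return flagged


if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG))
```

The user who mistyped a password once and the shared office address where every login succeeds are both left alone; only the source with many accounts and few hits is flagged.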
User accounts are like roof tiles. It doesn’t matter if 99% of your roof tiles are fine; it only takes the loss of one to create a leak. As an example, let’s say that a group of attackers seizes a database of 100 million online accounts. Even if only one in ten thousand has been re-used on another service, skilled hackers will find it. At that rate, another 10,000 data breaches are enabled. Each data breach can yield millions more accounts.
You should be able to see the exponential success rate that hackers are having with data breaches in combination with Bitcoin and other cryptocurrencies. As an economic enabler in spear-phishing and ransomware attacks, this is what is responsible for the massive rise in cybersecurity data breach cases.
Years ago when I examined forensic evidence in data breach cases, it was almost always possible to determine exactly how the attackers got in: via a web server vulnerability, by spear-phishing an internal user and getting them to download a Trojan Horse, or by convincing a user to log into a fake web service with their legitimate credentials.
Smart businesses now have to assume that passwords and credentials are out in the wild and that passwords are no longer effective against real criminals. Just like padlocks, their purpose now is to keep honest people honest, not to prevent serious criminals from gaining access.
At Connetic, we’re working to implement three factors of authentication across our client base: 1) usernames and passwords, 2) authentication via a mobile device app on a per-login basis, and 3) device-based authentication where only approved computers can connect to the service at all. Legitimate users can no longer log in from any device; they can only log in from machines under IT management.
Device-based authentication requires a unique certificate or token issued by the organization to be present on every device that connects to the cloud service or VPN. We’re using VPN as an authentication wrapper around any services that do not directly support device authentication.
Even these secure factors cannot prevent all forms of attack, especially social engineering. End-user training is the only answer to that increasing problem, but the cost of those attacks remains high.
Expect ever more stringent authentication, less automatic trust between services, and more end-user hassle and inconvenience as exponentially increasing cyber-crime affects more businesses and more consumers. It’s a trend that is only accelerating.
Connetic’s IT consulting services team has the unique training, knowledge, and expertise necessary to ameliorate risks by implementing comprehensive security audit practices, security framework compliance, and the comprehensive implementation of cybersecurity solutions. Contact Connetic’s IT services team to set up a security audit today or to learn more about how you can benefit from Connetic’s extensive experience and exceptionally managed IT services.