Despite our best efforts, cybersecurity continues to lag behind the creativity of cyber criminals. As we become more interconnected, the potential for a devastating data breach only grows.
In IBM's 2022 data breach report, they write "for 83% of companies, it’s not if a data breach will happen, but when." That fatalist attitude may be depressing, but it also should inspire realistic attitudes toward security.
A proactive (rather than reactive) stance is essential to protecting your company's data. By limiting exposure, identifying potential vulnerabilities, and shoring up your defenses, you can make it much harder for hackers to succeed.
Data breaches in 2022
As Winston Churchill famously said (or repeated after George Santayana, to be precise) "Those who fail to learn from history are doomed to repeat it." In cyber security, the same principle applies. By examining past data breaches, we can learn from the mistakes of others and make sure not to repeat them.
In 2022, there have been several major data breaches that remind us of the importance of proper security precautions.
Compromised employee accounts
Stolen credentials are now the most common reason for data breaches and the average attack can cost as much as $4.5 million, especially because they are so difficult to spot. Discovering that a password has been compromised can be like finding a needle in a haystack.
Some major brands experienced this kind of breach this year.
Uber
In September, Uber suffered a much more serious breach. Through a simple social engineering attack, a hacker gained access to an employee’s Slack account and then several other internal systems.
The bad actor (who said he was just 18 years old) admitted that he sent a text message claiming he was a corporate IT representative and simply asked for the password. Again, this wasn’t the first time that Uber was compromised. In 2016, they were hit with a ransom notice after millions of driver and rider account information was stolen.
These social engineering attacks could have been prevented if Uber had two-factor authentication enabled for all employee accounts. Multi-factor authentication (MFA) adds an extra layer of security by requiring a second form of identification, such as a fingerprint, in addition to a password.
A password manager would also have helped, by generating and storing strong passwords for all employee accounts.
LastPass
A password manager is the last company you want to announce something like this. In August, LastPass explained that a developer account had been compromised, leading to a breach.
While customer data was not taken as the breach was limited to a development environment, the company did admit that source code and technical information were taken. The threat was present for four days, and it led to LastPass investing further in threat modeling and vulnerability management.
This wasn’t the first time that they experienced a breach. In 2015, an attack compromised user email addresses, password reminders, and authentication hashes.
Session hijacking
Another common type of attack is session hijacking, in which a hacker takes over an active user session. This can happen if a user accidentally clicks on a malicious link or visits an infected website.
Once the attacker has control of the session, they can do anything the legitimate user can do within that session, including accessing sensitive data.
Kiwi farms
The notorious forum was breached earlier this year with a session hijack. It wasn’t just a random user that was compromised though – the attack successfully gained control of creator Joshua Moore’s administrator account. That led to a leak of basically all user data, including passwords, emails, and IP addresses.
To protect yourself from session hijacking, you can bind access to certain IP addresses (such as the address of a personal VPN server). However, this will only solve the problem partially.
You should also be careful about the links you click on and the websites you visit. You can ensure that you are protected from visiting malicious websites by using a DNS Firewall.
Two-factor bypass
While multi-factor authentication is one of the best ways to protect your accounts, it’s not perfect. There have been several high-profile cases of two-factor authentication being bypassed in the past year.
Crypto.com
What happens if a crypto exchange is compromised? Millions and millions of dollars are taken. That’s what happened in early 2022 when Crypto.com was hacked. Despite having mandatory two-factor authentication (2FA) for all users, it was not triggered when transactions were sent to the exchange.
More than $34 million was stolen through unauthorized transactions of Bitcoin and Ethereum.
This kind of attack could have been prevented if Crypto.com had used a hardware token, which is a physical device that generates a one-time code, instead of relying on SMS messages. After the event, the company committed to moving away from simple 2FA and toward "true multi-factor authentication."
Microsoft
Earlier this summer, cybersecurity researcher Mandiant posted a blog detailing a tactic from the Russian hacker group APT29. By first stealing (or brute forcing) credentials for dormant Microsoft accounts that were never properly set up, they can then create 2FA pushes that are sent to the hackers’ own devices.
From there, it’s a simple process of resetting passwords and taking over email accounts.
On the user side, it is important to create complex, long, unique passwords that password managers are able to generate and securely store. Then attackers will not be able to brute force passwords.
Scaling oversights
Some of the worst breaches we have ever seen are because of companies scaling too quickly. By loosening security controls or failing to properly vet third-party vendors to keep revenues high, they put themselves—and their customers—at risk.
Axie Infinity
Play-to-earn games seemed too good to be true, and for Axie Infinity – it was. Earlier this year, they were the target of one of the biggest crypto hacks in history after their system was compromised. More than $620 million was lost from Ronin, the bridge that was used to process Axie transactions.
While the major fault was one engineer's ambition – a phishing scheme disguised as a lucrative job offer granted access – the last door was left open because of rapid scaling.
A third-party company had been given access to help with a huge amount of transactions during the game's most popular period and that access had not been removed when it was no longer needed.
To prevent this in the future, companies need to carefully vet all third-party vendors before giving them access to any sensitive data. They should also have a process in place for regularly reviewing and removing access when it is no longer needed.
How to prevent (or at least limit) data breaches
A comprehensive security program is the best way to protect your data, but it takes time and resources to implement. If you can’t do it all at once, start with these basics:
- Restrict access to sensitive data to only those who need it
- Enable two-factor authentication for all employee accounts
- Use a password manager to generate and store strong passwords
- Regularly review and remove access of third-party applications
- Test your defenses with regular penetration tests
Additionally, a well-trained incident response team is essential for quickly and effectively dealing with a data breach. Don't be one of the 83% of companies who are just waiting for a data breach to happen. Be proactive about your security and you'll be in a much better position to weather the storm.