WHAT IS A SECURITY BREACH?

In cybersecurity, a security breach is a successful attempt by an attacker to gain unauthorized access to an organization’s computer systems by bypassing its security mechanisms. Breaches may lead to theft of sensitive data, corruption or sabotage of data or IT systems, or actions intended to deface websites or damage reputation.

Some countries have laws that expose companies to fines or penalties if a security breach occurs and sensitive information is affected.

Let’s discuss a few terms that are thought of as synonyms of a security breach but are different.

Security Breach vs. Data Breach
A Security Breach refers to the breach of any organizational system, whereas a Data Breach is when data is stolen, destroyed, or even accessed with malicious intent.

Security Breach vs. Security Incident
A security incident represents an attacker’s attempt to access or inflict harm on organizational systems, just like a Security Breach, but does not result in an actual breach. If a Security Incident does grant the attacker access to protected systems, it may qualify as a Security Breach. These definitions vary from organization to organization.

WHAT ARE THE COMMON TYPES OF SECURITY BREACHES?

The most common types of security breaches are:

1. Viruses, Spyware, and other malware
A virus is code written to enter a system and damage or alter its data; it can also replicate itself. Spyware is a malicious program installed on a user’s system, with or without permission, to gather information about the user; it can also download and install other programs on that system. Malware is the general term for all such malicious software.

Cybercriminals often use one of the above to break into an organization’s protected network.

For example, an employee receives an email with an attachment that looks authentic. He or she might open that attachment, which then downloads a malicious program that infects the employee’s system and can go on to harm the organization’s network. This is known as phishing, or spear phishing when the target is highly specific.

2. Insider Threats
An insider threat is a threat posed by individuals like disgruntled employees, former employees, or business partners who use their access to some confidential information to damage the company in any possible way. A study states that insider threats are costly to a company, and most are not reported externally.

3. DoS & DDoS
A Denial of Service (DoS) attack is one in which an attacker makes a website or system unavailable by flooding it with illegitimate traffic. A Distributed Denial of Service (DDoS) attack is a DoS attack in which the traffic appears to come from many different sources.

DoS and DDoS aim to make the business unavailable, leading to huge losses, and usually target government or financial websites.

MAJOR CYBERSECURITY BREACHES IN 2020

Cybersecurity breaches in 2020 have doubled since 2019, so here are some of the biggest cybersecurity breaches in 2020 so far:

1. Twitter Bitcoin Scam

Date: 15th July 2020
Target: High profile Twitter verified account holders
Cause: Coordinated social engineering attacks (phishing)

According to reports, 130 high-profile Twitter accounts were compromised by cybercriminals to promote a Bitcoin scam. Having gained access to Twitter’s administrative tools through social engineering, the attackers were able to take over the accounts and post tweets directly. Three individuals were arrested for wire fraud, money laundering, identity theft, and unauthorized access in connection with the scam.

The scam tweets, posing as charitable giveaways, asked users to send Bitcoin to specific cryptocurrency wallets and promised to return double the amount. Within minutes, 320 transactions worth $110,000 had been made to one of the wallet addresses. This hack is considered the worst major social media platform hack to date. Twitter’s security and the hack are being investigated by the FBI and other law enforcement agencies.

2. Marriott Data Breach

Date: End of Feb 2020
Target: 5.2 million hotel guests’ data
Cause: Credential stuffing & Social engineering attack (Phishing)

According to reports, cybercriminals broke into the network of one of Marriott’s hotel chains after obtaining the login credentials of two employees. They accessed the guest list and obtained other personal information such as names, dates of birth, phone numbers, language preferences, and loyalty account numbers.

Marriott stated, “While our investigation is continuing, we currently have no reason to assume that the details involved included passwords or PINs for Marriott Bonvoy accounts, payment card details, passport information, national IDs, or driver’s license numbers.”

Marriott launched a special website for the affected members and contacted them via email. They launched a program to track a member’s personal information that could have been compromised during the hack.

3. MGM Data Dump

Date: February 2020
Target: 142 million hotel guests’ data (including high-profile people like Justin Bieber and Jack Dorsey)
Cause: Unauthorized access through a misconfigured cloud service, and exploitation of a third-party data leakage monitoring service provider to reach MGM’s data

According to reports, MGM Grand Resort was hacked by cybercriminals, who obtained a massive data dump consisting of names, addresses, dates of birth, and phone numbers. The cybercriminals sold these dumps on a darknet market for $2,939 worth of Bitcoin (BTC) or Monero (XMR) and also published a free sample for people to see. The sellers claimed to have 142 million records; however, the resort’s security group disputed this and stated that no financial data of any kind was compromised.

4. Zoom Credentials for sale

Date: April 2020
Target: 500,000 Zoom account credentials
Cause: Credential stuffing

According to reports, Zoom credentials were being sold on dark web forums. High-profile people’s Zoom credentials were expensive, whereas others were inexpensive. The attackers took databases of credentials that had been compromised in earlier breaches from dark web marketplaces and replayed them against Zoom, relying on the fact that people tend to reuse passwords for a long time.

5. Magellan Health

Date: April 2020
Target: 365,000 patients’ data
Cause: Ransomware attack & Social engineering attack (Phishing)

According to reports, Magellan Health, a Fortune 500 company, fell victim to a sophisticated cyber-attack. The attackers gained access to the system through phishing five days before the ransomware was deployed, and exfiltrated data before releasing the ransomware payload. They used malware to steal employee credentials and passwords in order to reach the affected servers. Patients’ health-related data, such as health insurance account data and treatment information, was compromised. The attack was limited to a single corporate server, but it also exposed current employees’ personal information.

HOW TO PREVENT SECURITY BREACHES?

Here are some simple yet highly effective steps that can prevent security breaches in an organization.

1. Good password policy
Choosing a strong and secure password is the best security measure one can follow. Maintain an unpredictable and complex password. Never reuse a password and change the password frequently.

2. Update regularly
Software updates significantly improve a device’s security. That is why vendors insist on installing an update as soon as it is released: it closes the known weaknesses that certain threats rely on.

3. Router Security
Cybercriminals usually compromise data by breaking into networks that are insufficiently secured. To secure all network devices, encryption should be enabled on wireless traffic, and IP access should be limited.

4. Proper data backup
Data should be backed up securely to be safe from any malicious attack. Data is the most precious asset of many organizations.

5. Security awareness training for employees
Security awareness training should be organized regularly, as recent surveys state that employees are the weakest link in the data security chain. After training, fewer employees will click on suspicious emails.

6. Breach response plan
For an organization to quickly respond to a security breach, the organization should have a well-documented security breach response plan that they will follow in critical situations to restore the system to its full operability.

7. Installing centralized firewalls
An aptly configured firewall is a barrier between networks with different trust levels. It’s advised to keep a local firewall on at all times to protect the network against malicious attacks as firewalls are often the first line of defense.

8. Encrypted transmission
Thanks to cryptography, data access can be restricted, and even if this data is stolen, it will be of no use to a person who doesn’t possess a key to decrypt it. Encryption significantly helps to mitigate the damages of a security breach.

9. Antivirus software
To protect and monitor servers fully, one must use up-to-date antivirus software that detects and blocks previously seen malicious activity.

10. Active monitoring
Potential dangers that could result in a security breach must be spotted by continuously identifying and analyzing suspicious activity. Monitoring the network on a regular basis helps sustain a good reputation.

HOW TO RESPOND TO A SECURITY BREACH?

Incident Response (IR) is the practice of preparing an organization for a security or data breach through a set of essential steps. Every incident is unique, and an incident responder must respond to different situations appropriately. Therefore, it requires an incident response procedure that is carefully documented yet easy to execute.

Various organizations have different steps in their incident response procedure, but the one mentioned below is prevalent. An incident response procedure consists of six steps:

1. Preparation
During simulated incident tests, careful analysis should be performed to create an incident response timeline that assigns responsibilities to the most appropriate stakeholders.

An incident response plan includes taking stock of the IR resources a company has, such as its protocol analyzers and network diagrams, and preparing an IR toolkit that is ready to use in critical situations.

2. Identification
In an organization, the relevant defenses should be active so that indicators of compromise are identified immediately. Indicators such as unexpected patching activity within the network, signs of DDoS activity, suspicious file changes, a sudden increase in database dumps, and unusual login attempts should also be used by companies to identify potential threats to the network. If the security system does not display these indicators, the IT security team has to review its systems further.
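As an added example that is not part of the original article, a small Python detector for two of the login indicators named above, covering the credential-stuffing pattern behind the Zoom and Marriott incidents: many distinct accounts tried from one source with a high failure rate, and a run of failed logins on one account ending in a success. The log format, sample lines and thresholds are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample auth log, not from any real system: <ts> ip=<src> user=<acct> result=<OK|FAIL>
SAMPLE_LOG = """\
2020-04-03T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2020-04-03T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2020-04-03T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2020-04-03T10:00:03Z ip=203.0.113.5 user=dave result=OK
2020-04-03T10:01:10Z ip=198.51.100.7 user=grace result=FAIL
2020-04-03T10:01:11Z ip=198.51.100.7 user=grace result=FAIL
2020-04-03T10:01:12Z ip=198.51.100.7 user=grace result=FAIL
2020-04-03T10:01:20Z ip=198.51.100.7 user=grace result=OK
2020-04-03T10:02:00Z ip=192.0.2.10 user=heidi result=FAIL
2020-04-03T10:02:05Z ip=192.0.2.10 user=heidi result=OK
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(log_text):
    """Return (timestamp, ip, user, ok) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append((ts, ip, user, result == "OK"))
    return events

def detect_credential_stuffing(events, min_users=4, min_fail_ratio=0.6):
    """Source IPs that try many distinct accounts and mostly fail: replayed
    leaked username/password pairs touch many accounts and rarely match."""
    per_ip = defaultdict(lambda: [set(), 0, 0])  # [users, fails, total]
    for _, ip, user, ok in events:
        s = per_ip[ip]
        s[0].add(user)
        s[1] += 0 if ok else 1
        s[2] += 1
    return sorted(ip for ip, (users, fails, total) in per_ip.items()
                  if len(users) >= min_users and fails / total >= min_fail_ratio)

def detect_fail_then_success(events, min_fails=3):
    """Accounts where a run of failures ends in a success: a guessing attack
    that eventually landed and now looks like a normal session."""
    streak, flagged = defaultdict(int), set()
    for _, _, user, ok in events:
        if ok and streak[user] >= min_fails:
            flagged.add(user)
        streak[user] = 0 if ok else streak[user] + 1
    return sorted(flagged)
```

On the sample log the first detector flags 203.0.113.5 and the second flags the account grace, while heidi’s single typo is left alone; in production the thresholds would be tuned to the organization’s own baseline.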

3. Containment
Containment of the security breach depends directly on how confident an organization is that its security systems have identified the incident. Once the incident is identified, the aim is to contain it by following the organization’s predefined containment actions.

4. Eradication
Eradication means eliminating the cause, the actual incident, and the compromise itself. This stage often overlaps with the containment stage. Eradication steps in the IR procedure include removing the attacker from the network and preventing re-entry by removing malware, disabling breached user accounts, and identifying and mitigating vulnerabilities. After the eradication steps are performed, their success is verified.

5. Restoration
A detailed recovery plan should be prepared in advance to speed up the restoration process. Systems should undergo an external penetration test to check if the restored fixes are sufficient for the system’s operability and security.

6. Lessons Learned
This is the most important stage of the IR procedure, as this may prevent incidents from taking place in the future if the lessons are learned thoroughly. This stage involves:

a) Performing a post-incident review to identify the actions taken.
b) Documenting the lessons learned and communicating with respective stakeholders.
c) Updating and amending the existing IR plan to apply the lessons learned.

SUMMARY

This article gives an overview of cybersecurity breaches, covering the common types of security breaches, major security breaches of 2020, how to prevent security breaches, and how to respond to them.
