{"id":29093,"date":"2019-10-28T11:50:42","date_gmt":"2019-10-28T15:50:42","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?post_type=emagazine&#038;p=29093"},"modified":"2021-07-19T04:32:04","modified_gmt":"2021-07-19T08:32:04","slug":"security-bytes-best-decision-2","status":"publish","type":"emagazine","link":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/security-bytes-best-decision-2\/29093\/","title":{"rendered":"Advice from the pros: How to deal with a data breach"},"content":{"rendered":"<p>I\u2019ve a confession to make: I hate writing about data breaches. They\u2019re so frequent these days that I\u2019m sure we\u2019ve all been harmed by multiple breaches per person, whether we\u2019re aware of it or not. I\u2019ve a feeling that for every data breach that\u2019s reported in the media, there are hundreds that people never hear about or the company isn\u2019t even aware of.<\/p>\n<p>The data breach phenomenon will escalate over time. So the more infosec professionals can help educate the businesses they work for and implement best practices, the more we can protect them from the worst effects of a breach.<\/p>\n<p>In the <a href=\"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/security-bytes\/\" target=\"_blank\" rel=\"noopener nofollow\">Security Bytes series<\/a>, I share senior security professionals\u2019 most savvy advice. This time I spoke with cybersecurity professionals who were courageous enough to share their data breach stories with me. Each professional had to deal with a data breach incident firsthand. I\u2019ve kept some details anonymous given the sensitive topic. 
But the insight here can help you respond to data breaches more effectively.<\/p>\n<p>The question:<\/p>\n<blockquote><p>What did you do when you were faced with a critical data breach?<\/p>\n<\/blockquote>\n<h2><strong><a href=\"https:\/\/twitter.com\/danielrufde\" target=\"_blank\" rel=\"noopener nofollow\">Daniel Ruf<\/a><\/strong><strong>, Developer and Security Consultant<\/strong><\/h2>\n<p>First responses are critical to contain a data breach. Daniel Ruf was contracted to work for one anonymous project owner. <a href=\"https:\/\/blog.daniel-ruf.de\/post-mortem-hacked-wordpress-cryptominer\/\" target=\"_blank\" rel=\"noopener nofollow\">Ruf described<\/a> the first event that led to the discovery of a data breach. His quick and careful actions are a great example of how to handle a breach.<\/p>\n<p>\u201cOne evening, through a system monitoring alert, I became aware of a 99 percent CPU usage of our root server which impacted the availability of other websites using the same server. I informed the project owner of the hacked website, then started my first analysis. Next, I blacklisted the IP address of the attacker, blocked system access, then killed the suspicious processes. I archived as many files as I could from the project owner\u2019s web server for further analysis and conducted a system integrity check, then informed the project owner.<\/p>\n<p>\u201cThe culprit? A hacked CMS instance. I wasn\u2019t informed about the creation of this instance, which then used different webshells to start attacks, including <a href=\"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/cryptojacking-2019\/28951\/\" target=\"_blank\" rel=\"noopener nofollow\">cryptojacking<\/a> (illegal cryptomining) which used up all our available computing resources.\u201d<\/p>\n<p>The major factors that led to the breach were the use of weak and reused passwords and an overall lack of robust security measures. 
Don\u2019t let this happen to you!<\/p>\n<h2><strong><a href=\"https:\/\/twitter.com\/teagsec\" target=\"_blank\" rel=\"noopener nofollow\">Teagan M<\/a><\/strong><strong>, Security Practitioner, Founder Green Duck Consulting, LLC<\/strong><\/h2>\n<p>Teagan described the data breach she dealt with. This is a common way that people can have their data compromised at work. Smaller companies and start-ups must be more thorough about their security, and realize that it\u2019s not a problem that can be resolved with technology alone.<\/p>\n<p>\u201cAn authorized source had access to an email environment that was unauthorized and lasted, the first time, for four weeks. This company was very disorganized and treated security as a compliance issue instead of an actual business function.<\/p>\n<p>\u201cThe credentials to the user account were most likely captured by a phishing attack, and the attackers set up an email forward rule to send all emails to a Gmail account controlled by the attacker. The second time it happened, it was the same thing but I caught it much sooner. It was after the second event the company finally followed my recommendation to implement 2FA (two-factor authentication). That event still resulted in an exposure which required the company to report the incident under state data breach laws.<\/p>\n<p>\u201cThis was a small company that was growing fast. They didn\u2019t have the leadership in place they needed, nor did they want to properly compensate the necessary security talent. They burned through many security analysts due to weak and inexperienced security C-level management and a desire to appease audit requirements instead of securing the business.<\/p>\n<p>\u201cThey considered security to be a technology problem and continued buying services and equipment with no clear plan about how to integrate or manage any of it. 
They took their strategy from sales reps instead of properly planning their own path.<\/p>\n<p>\u201cI worked closely with the C-level leadership to try to improve their program and was met with resistance the entire time. They\u2019d give security \u2018lip service\u2019 but no action or empowerment. Things started to change slightly towards the end of my tenure there, but by that point I\u2019d been burned out and needed to leave to preserve my own mental state.\u201d<\/p>\n<p>The naivety Teagan dealt with is one of the reasons why data breaches are so alarmingly frequent.<\/p>\n<h2><strong>\u2018<\/strong><strong><a href=\"https:\/\/twitter.com\/britrobotista\" target=\"_blank\" rel=\"noopener nofollow\">BM<\/a><\/strong><strong>\u2019<\/strong><strong>, Former Infosec Analyst<\/strong><\/h2>\n<p><img decoding=\"async\" class=\"aligncenter size-large wp-image-29095\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2019\/10\/28114811\/024_security_bytes_data_breaches__inline-1024x768.jpg\" alt=\"security bytes data breaches\" width=\"1024\" height=\"768\"><br>\nIt\u2019s important to remember that large companies need to improve their data security too. BM shares a useful lesson to help anyone who secures data in any industry.<\/p>\n<p>\u2018BM\u2019 previously worked as an analyst, security engineer and later a consultant for multiple companies. They\u2019ve dealt with post-breach data forensics, incident response and triage work. \u2018BM\u2019 described a breach they dealt with.<\/p>\n<p>\u201cWhen I was a consultant, I was sent to a Fortune 500 company for an incident response event. Their system was completely compromised and the attacker was threatening the CEO of the company to expose the breach. We immediately jumped on a flight.<\/p>\n<p>\u201cFor a full week, my manager and I reviewed the security logs and developed a remediation plan for the company. 
Although the company was very valuable, they had a relatively small IT staff. Much of our work was educating the team about exactly what happened, reviewing their logs, and working with them to upgrade their infrastructure. For example, they were running older versions of Windows on their entire network.<\/p>\n<p>\u201cFortunately, the incident was determined to be minor. It was pretty much a \u2018script kiddie\u2019 using easily available software to exploit unpatched versions of Windows. This turned into a full week of over twenty-hour days and numerous conversations to determine what could\u2019ve been done better.\u201d<\/p>\n<p>Over twenty-hour days? That\u2019s ridiculous! It\u2019s important to educate all of your employees about <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/security-awareness\" target=\"_blank\" rel=\"noopener nofollow\">security awareness<\/a>. It\u2019s also important to make more effective use of your security staff \u2013 don\u2019t let a breach become a crisis management situation for external consultants to resolve.<\/p>\n<h2><strong><a href=\"https:\/\/twitter.com\/sameepagarwal3\" target=\"_blank\" rel=\"noopener nofollow\">Sameep Agarwal<\/a><\/strong><strong>, Information Security Consultant and Penetration Tester<\/strong><\/h2>\n<p>I\u2019ve spoken with Sameep before about his data breach experiences \u2013 he\u2019s experienced several in his career. This story illustrates how personal conflicts can interfere with incident response and why they must be overcome.<\/p>\n<p>\u201cA server was provided by the vendor for hosting a specific web application in a test zone. One day, flags were raised by the security team over an untested and unverified application. It was decided that since the hosting was being set up in a hurry, server hardening activity, which requires at least five working days, couldn\u2019t be completed. 
So internet access to the test zone server was never allowed in the initialization.<\/p>\n<p>\u201cSince the vendor representative wasn\u2019t present at the client\u2019s location, server access was requested for remote administration. This was also raised as a security concern, but was overridden by the federal agency.<\/p>\n<p>\u201cOperations on the targeted server started. After three days, a few updates from Microsoft were installed without verification of the update bundle. The virtual server was residing on obsolete out-of-life hardware taken from a previous government project which had many critical flaws. Since the physical server was out of life, it was not recorded in the federal agency\u2019s inventory. This meant intrusion prevention and anti-malware clients were not installed but it was accessible on their network infrastructure.<\/p>\n<p>\u201cThe attacker installed Telegram\u2019s desktop application, and joined the Iranian hacker group on Telegram. They started downloading applications for anonymity like proxy tools, VPN and bots. Later, the attacker added many dictionaries and combo lists containing common passwords for applications for cracking social media accounts like Instagram and gaming accounts like Fortnite.<\/p>\n<p>\u201cThe affected server traffic wasn\u2019t directed through the firewall because of exceptions made by the federal agency override. And because of the exception, the data breach couldn\u2019t be easily detected.<\/p>\n<p>\u201cThe intelligence agency investigation concluded that the blue team (defensive security specialists) made many exceptions based on personal relations to please the federal agency head. The key security findings of the red team (security testing specialists) were ignored time and again. 
The investigator suggested a deep probe on the intentions of insiders, and the psychology which allowed the attacks to happen, even after prior <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/threat-intelligence\" target=\"_blank\" rel=\"noopener nofollow\">threat intelligence<\/a> was available a month in advance.\u201d<\/p>\n<p>People are often the weakest link in security. It\u2019s important to have IT staff who have integrity and the right level of <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/security-awareness\" target=\"_blank\" rel=\"noopener nofollow\">security awareness training<\/a>.<\/p>\n<h2>How to protect your business from data breaches<\/h2>\n<p>Data breaches aren\u2019t purely technological in nature; they\u2019re also problems caused by people. The dangers posed by cyber-attackers are significant, from \u2018script kiddies\u2019 to <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/apt-intelligence-reporting\" target=\"_blank\" rel=\"noopener nofollow\">advanced persistent threats (APTs)<\/a>. None of this surprises me. What did surprise me was how the businesses my interview subjects worked with worsened the data breach problems through a lack of personal integrity, or sometimes just through carelessness.<\/p>\n<p>Businesses need to start taking security more seriously by spending money, time and effort to better protect their own data and, by extension, their customers\u2019 data.<\/p>\n<p>I\u2019m hopeful that by sharing these stories with you, cybersecurity professionals will be better prepared for the (not so) good, the bad and the ugly of data breach incident response.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Knowledge is power! 
Courageous infosec pros share their experiences of dealing with a data breach.<\/p>\n","protected":false},"author":2531,"featured_media":29094,"template":"","coauthors":[3535],"class_list":{"0":"post-29093","1":"emagazine","2":"type-emagazine","3":"status-publish","4":"has-post-thumbnail","6":"emagazine-category-data-breaches","7":"emagazine-category-opinions","8":"emagazine-category-security-bytes","9":"emagazine-tag-careers","10":"emagazine-tag-cyberattacks","11":"emagazine-tag-data-security","12":"emagazine-tag-professional-advice"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/security-bytes-best-decision-2\/29093\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/secure-futures-magazine\/security-bytes-best-decision-2\/21910\/"}],"acf":[],"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine\/29093","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/emagazine"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2531"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/29094"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=29093"}],"wp:term":[{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/coauthors?post=29093"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}