Data Breaches: What Can and Cannot Be Done
Experts agree that as long as there is data, there will be people trying to steal it. For every defense mechanism put in place, there is someone who will find a way to get around it. Constant vigilance, education of the workforce, and management support are all necessary to implement effective security policies. While a well-trained IT staff is key to protecting data, all employees must understand the importance of protecting company assets, including data.
A data breach is the transfer of sensitive information, thought to be secure, to an unintended, untrusted location. Data breaches are omnipresent. Whether it's at a corporate or personal level, the threat of information theft is constant. While we hear about high-profile data breaches on the news, data breaches occur almost daily.
The media would have everyone believe that the only industry threatened by hackers is retail business (see Target and Home Depot). The truth of the matter is, most retailers, having seen the impact of cyber-crimes on their victims, have beefed up their security, and attacks on that industry are trending downward. However, government agencies and military contractors, along with a myriad of other industries, find themselves dealing with cyber espionage. Threat vectors now cover all angles, and the landscape is always changing. The obvious challenge is keeping up to date with threats that are in a constant state of flux. Knowledge of the different types of attacks is critical, as is a plan for taking action before, during, and after an attack.
This paper will focus on data breaches at the corporate/enterprise level. We will look at changes in the threat environment and attack continuum, and what can and can't be done about data breaches.
What Has Changed?
Cyber-attacks have been around for as long as there have been networks. In fact, the Internet was developed to provide an alternative should conventional communications networks in the United States come under attack.
The first computer worm was released in 1988 and shut down 10 percent of computers connected to the Internet. The earliest attacks went unnoticed because before the mid-'90s, the Internet was primarily used by academia and connected mainframes. It wasn't until 1995 that a virus, specifically attacking Microsoft Word documents, was released. And it wasn't for another seven years that Bill Gates announced he would secure Windows.
Until fairly recently, attacks, consisting of worms, viruses, and spyware/malware, were perpetrated by loosely organized hackers. Many of the attacks were exercises in system access, data destruction, altering email systems, or installing relatively harmless spyware programs.
The landscape has changed dramatically. Hackers are more organized, profit-driven, and often nation-state sponsored. As the Internet has become more profitable, attacks have become more sophisticated. Some of the more common attack methods and reasons for data loss are listed below (discussion of defense techniques and their effectiveness will follow in later sections):
- Advanced Persistent Threat (APT) – a concentrated attack by allied hackers focused on a single target. It infects a system, lies dormant, and leaves few traces when done. These attacks are generally after the intellectual property of technology companies.
- Distributed Denial of Service (DDoS) – typically an attack on an Internet domain. Huge amounts of data flood a system until it is brought to its knees. Legitimate site requests are lost, or the site becomes too slow to function properly. This may not necessarily involve a loss of data, but the cost to its victims is substantial.
- Cross Platform Malware (CPM) – malware used to be the concern of those running Windows operating systems. That has changed with the emergence of malware targeting Java, Linux, and OS X.
- Metamorphic and Polymorphic Malware – malware that has the ability to change its code as it works its way through a system. Each new version permanently rewrites its own code, yet every succeeding version functions the same way as the original. The longer it resides on a system, the more difficult it becomes to detect and remediate.
- Phishing – it is what it sounds like. A perpetrator is out there looking to catch a fish. You'll receive an email that looks like it's from your bank, or some other trusted party, asking you to visit their website to update your personal information. The email will include a link to what you think is their website. It will look exactly like the merchant's website. But if you take the time to look at the URL, it will have nothing to do with the website you thought you were visiting. Once you've entered your personal information, the hook is set and they reel you in.