Skyrocketing data breaches bring incalculable losses to organizations and can cost cybersecurity executives their jobs.
Here we examine the top five places in 2019 where cybercriminals are stealing corporate and government data without ever getting noticed and then learn how to avoid falling victim to unscrupulous attackers.
1. Misconfigured Cloud Storage
48% of all corporate data is stored in the cloud compared to 35% three years ago, according to a 2019 Global Cloud Security Study by cybersecurity company Thales that surveyed over 3,000 professionals across the globe. Contrastingly, only 32% of the organizations believe that protecting data in the cloud is their own responsibility, counting on cloud and IaaS providers to safeguard the data. Worse, 51% of the organizations do not use encryption or tokenization in the cloud.
The (ISC)² Cloud Security Report 2019 asserts that 64% of cybersecurity professionals perceive data loss and leakage as the biggest risk associated with the cloud. Misuse of employee credentials and improper access controls are the top challenges for 42% of security professionals, while 34% struggle with compliance in the cloud, and 33% name lack of visibility into infrastructure security as their predominant concern.
Negligent and careless third-parties are, however, probably the most hazardous pitfall that remains largely underestimated and thus disregarded. In 2019, Facebook, Microsoft, and Toyota were mercilessly stigmatized by the media for losing millions of customer records due to third-party leaks or breaches.
Despite these alarming incidents, still few organizations have a well-thought-out, properly implemented, and continuously enforced third-party risk management program; most rely on paper-based questionnaires and skip practical verification and continuous monitoring.
How to mitigate: train your team, implement an organization-wide cloud security policy, and continuously run discovery of public cloud storage to maintain an up-to-date inventory of your cloud infrastructure.
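The "continuous discovery" step above is only useful if every bucket found is also judged for exposure. The following is an added example (not code from the article or from any vendor it cites) that evaluates bucket policy documents, ACL grants and Block Public Access settings offline; the record shape mirrors what AWS returns from GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock, and the sample inventory, account id and VPC endpoint id are constructed placeholders.

```python
"""Offline exposure check for cloud storage buckets (added example, constructed data)."""

# Grantee URIs that make an ACL grant readable by anyone, or by any AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _statements(policy):
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def public_policy_statements(policy):
    """Allow statements open to any principal; conditioned ones are reported separately."""
    findings = []
    for s in _statements(policy):
        if s.get("Effect") != "Allow" or not _principal_is_public(s.get("Principal")):
            continue
        kind = "conditioned-public" if s.get("Condition") else "public"
        findings.append((kind, s.get("Sid", "<no sid>")))
    return findings


def public_acl_grants(acl):
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS]


def assess_bucket(bucket):
    """Effective exposure issues of one bucket record.

    Block Public Access is honoured: RestrictPublicBuckets makes a public policy
    ineffective for anonymous callers, IgnorePublicAcls neutralises public ACL grants.
    """
    pab = bucket.get("public_access_block") or {}
    issues = []
    if not pab.get("RestrictPublicBuckets"):
        for kind, sid in public_policy_statements(bucket.get("policy") or {}):
            issues.append(f"policy:{kind}:{sid}")
    if not pab.get("IgnorePublicAcls"):
        for g in public_acl_grants(bucket.get("acl") or {}):
            group = g["Grantee"]["URI"].rsplit("/", 1)[-1]
            issues.append(f"acl:{group}:{g.get('Permission')}")
    return issues


def build_inventory(buckets):
    """Map bucket name -> issues; run on every discovery cycle and diff against the last run."""
    return {b["name"]: assess_bucket(b) for b in buckets}


def exposed_buckets(inventory):
    return sorted(name for name, issues in inventory.items() if issues)


ALL_BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed sample inventory for illustration only.
SAMPLE_BUCKETS = [
    {"name": "demo-assets", "acl": {"Grants": []}, "public_access_block": None,
     "policy": {"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                               "Action": "s3:GetObject", "Resource": "arn:aws:s3:::demo-assets/*"}]}},
    {"name": "legacy-backups", "policy": None, "public_access_block": ALL_BLOCKED,
     "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}},
    {"name": "shared-exports", "policy": None, "public_access_block": None,
     "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"}]}},
    {"name": "vpc-only", "acl": {"Grants": []}, "public_access_block": None,
     "policy": {"Statement": {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
                              "Action": "s3:*", "Resource": "arn:aws:s3:::vpc-only/*",
                              "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}}},
    {"name": "internal-data", "public_access_block": None,
     "policy": {"Statement": [{"Sid": "TeamAccess", "Effect": "Allow",
                               "Principal": {"AWS": "arn:aws:iam::123456789012:role/data-team"},
                               "Action": "s3:GetObject", "Resource": "arn:aws:s3:::internal-data/*"}]},
     "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID"}, "Permission": "FULL_CONTROL"}]}},
]

if __name__ == "__main__":
    for name, issues in build_inventory(SAMPLE_BUCKETS).items():
        print(name, issues or "clean")
```

A bucket whose public statement carries a Condition is reported as "conditioned-public" rather than silently accepted, because whether a condition such as a VPC endpoint restriction actually narrows access depends on its content, which a reviewer should read rather than a script guess.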
2. Dark Web
The notorious Collection #1, revealed in 2019 by security expert Troy Hunt, is a set of email addresses and plaintext passwords totaling 2,692,818,238 rows. Anyone can anonymously purchase this data for Bitcoins without leaving a trace. Although it is one of the largest publicly known databases of stolen credentials, it is a mere slice of the compromised data available for sale on the Dark Web. Many organizations are hacked every day without being aware of it, due to the complexity of the attacks or to simple negligence, lack of resources, or lack of skills.
Targeted password re-use attacks and spear phishing are simple to launch and do not require expensive 0day exploits. Although trivial at first glance, they may be piercingly efficient. Most organizations do not have a consistent password policy across their corporate resources, deploying SSO only to their central infrastructure.
Secondary and auxiliary systems live their own lives, commonly with a poor or even missing password policy but with access to trade secrets and intellectual property. Given the multitude of such portals and resources, attackers meticulously try stolen credentials and eventually get what they seek.
Importantly, such attacks are often technically undetectable due to insufficient monitoring, or simply because they do not trigger the usual anomalies and just let the attacker in as a legitimate user. Experienced hacking groups will carefully profile their victims before the attack so they can log in from the same ISP sub-network and during the same hours, outsmarting even AI-enabled IDS systems underpinned by shrewd security analysts.
How to mitigate: ensure visibility of your digital assets, implement a holistic password policy and an incident response plan, and continuously monitor the Dark Web and other resources for leaks and incidents.
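Monitoring leak corpora for your own credentials raises an obvious question: how to check a password against a breach database without handing the password (or even its full hash) to the checking service. The following is an added example, not code from the article, of the k-anonymity range query used by Have I Been Pwned's Pwned Passwords API: the client sends only the first five hex characters of the SHA-1 hash, the service returns every known suffix under that prefix with a count, and the match is finished locally. The leaked corpus here is a small constructed stand-in; both sides of the exchange are implemented in one file so it runs offline.

```python
"""Leaked-credential check via k-anonymity range query (added example, constructed corpus)."""
import hashlib

# Constructed stand-in for a breach-monitoring corpus; a real one holds billions of rows.
LEAKED_CORPUS = ["password", "123456", "qwerty", "letmein",
                 "Summer2019!", "Summer2019!", "welcome1"]

PREFIX_LEN = 5  # characters of the hash the client is willing to disclose


def sha1_hex(text):
    # SHA-1 is used only because that is the corpus format; never store passwords this way.
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Service side: prefix -> {suffix: number of occurrences in the corpus}."""
    index = {}
    for pw in corpus:
        h = sha1_hex(pw)
        bucket = index.setdefault(h[:PREFIX_LEN], {})
        bucket[h[PREFIX_LEN:]] = bucket.get(h[PREFIX_LEN:], 0) + 1
    return index


def range_query(index, prefix):
    """Service side: answer a prefix; the service never learns the full hash."""
    assert len(prefix) == PREFIX_LEN, "client must send exactly the prefix"
    return dict(index.get(prefix.upper(), {}))


def times_leaked(password, index):
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    h = sha1_hex(password)
    response = range_query(index, h[:PREFIX_LEN])
    return response.get(h[PREFIX_LEN:], 0)


def evaluate_password(password, index, min_length=12):
    """Policy check that can sit in front of any auxiliary portal, not only the SSO core."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    n = times_leaked(password, index)
    if n:
        reasons.append(f"found in {n} leaked record(s)")
    return reasons


if __name__ == "__main__":
    idx = build_range_index(LEAKED_CORPUS)
    for candidate in ("Summer2019!", "correct horse battery staple"):
        print(candidate, "->", evaluate_password(candidate, idx) or "accepted")
```

Because the same check is a pure function of the password and the index, it can be wired into the password-change flow of the secondary systems the text describes, which is exactly where a central SSO policy does not reach.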
3. Abandoned and Unprotected Websites
According to 2019 research by the web security company ImmuniWeb, 97 of the world's 100 largest banks have vulnerable websites and web applications. A wide spectrum of problems is attributed to uncontrolled usage of Open Source Software, outdated frameworks, and JS libraries, some of which contain exploitable vulnerabilities publicly known since 2011.
The same report revealed that 25% of e-banking applications were not even protected with a Web Application Firewall (WAF). Overall, 85% of applications failed GDPR compliance tests and 49% did not pass the PCI DSS test.
In spite of the rise of Attack Surface Management (ASM) solutions, the majority of businesses increasingly struggle with the growing complexity and constant change of their external attack surfaces. Web applications dominate the list of abandoned or unknown assets left behind by careless or overloaded developers.
Demo and test releases rapidly proliferate across an organization, some of them connected to production databases with sensitive data. The next releases rapidly go live, while the previous ones remain in the wild for months. Understaffed security teams routinely have no time to track such rogue applications, relying on security policies that half of the software engineers have never read.
Even properly deployed web applications may be a time bomb if left unattended. Both Open Source and proprietary software make a buzz in Bugtraq with remarkable frequency, bringing new and predominantly easily exploitable security flaws. With some exceptions, vendors are sluggish to release security patches compared to the speed of mass-hacking campaigns.
The most popular CMSs, such as WordPress or Drupal, are comparatively safe in their default installations, but the myriad of third-party plugins, themes, and extensions annihilate their security.
How to mitigate: start with a free website security test for all your external-facing websites and continue with in-depth web penetration testing for the most critical web applications and APIs.
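The "outdated frameworks and JS libraries" finding is one of the few external-surface checks that needs nothing more than the page HTML. The following is an added example, not code from the article or from ImmuniWeb, of a first-pass auditor: it extracts script sources, recognises a few library names and versions from CDN-style paths and file names, and compares them with a minimum-safe-version table. The table and the sample HTML are constructed for illustration; a real scan would take its minimum versions from an advisory feed, and a name-only match (no version in the path) is reported as "unknown-version" rather than guessed.

```python
"""First-pass audit of outdated client-side libraries in a page (added example, constructed data)."""
import re

# Constructed minimum-safe-version table; replace with an advisory feed in practice.
MIN_SAFE_VERSION = {"jquery": (3, 5, 0), "bootstrap": (4, 3, 1), "angular": (1, 8, 0)}

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)
# Matches "jquery-3.3.1.min.js", "bootstrap/4.1.3/js/bootstrap.min.js", "angular-1.7.9.js" ...
LIB_VERSION = re.compile(r'(?P<lib>jquery|bootstrap|angular)[-./]?(?P<ver>\d+(?:\.\d+){1,2})',
                         re.IGNORECASE)


def parse_version(text):
    """'1.12' -> (1, 12, 0) so tuples compare component-wise."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def scripts_in(html):
    return SCRIPT_SRC.findall(html)


def identify_library(src):
    """Return (library, version) or (library, None) when only the name is recognisable."""
    m = LIB_VERSION.search(src)
    if m:
        return m.group("lib").lower(), m.group("ver")
    lowered = src.lower()
    for lib in MIN_SAFE_VERSION:            # name-only fallback, e.g. /legacy/angular.min.js
        if lib in lowered:
            return lib, None
    return None, None


def audit_html(html):
    rows = []
    for src in scripts_in(html):
        lib, ver = identify_library(src)
        if lib is None:
            status = "unrecognized"
        elif ver is None:
            status = "unknown-version"          # pin a version or fingerprint the file hash
        elif parse_version(ver) < MIN_SAFE_VERSION[lib]:
            status = "outdated"
        else:
            status = "ok"
        rows.append({"src": src, "lib": lib, "version": ver, "status": status})
    return rows


# Constructed sample page.
SAMPLE_HTML = """
<html><head>
<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
<script src="/static/js/bootstrap/4.1.3/js/bootstrap.min.js"></script>
<script src='/static/js/app.js'></script>
<script src="/legacy/angular.min.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for row in audit_html(SAMPLE_HTML):
        print(f"{row['status']:16} {row['lib'] or '-':10} {row['version'] or '-':8} {row['src']}")
```

Running this on every discovered host, including demo and test releases, turns the article's statistic into a per-asset finding that can be tracked to closure.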
4. Mobile Applications' Backends
Modern businesses now generously invest in mobile application security, leveraging secure coding standards built into DevSecOps, SAST/DAST/IAST testing, and RASP protection enhanced with Vulnerability Correlation solutions. Sadly, most of these solutions tackle only the visible tip of the iceberg, leaving the mobile application backend untested and unprotected.
While most of the APIs used by mobile applications send or receive sensitive data, including confidential information, their privacy and security are widely forgotten or deprioritized, leading to unpardonable consequences.
Likewise, large organizations commonly forget that previous versions of their mobile apps can be easily downloaded from the Internet and reverse-engineered. Such legacy applications are a true Klondike for hackers searching for abandoned and vulnerable APIs commonly still capable of providing access to an organization's crown jewels in an uncontrolled manner.
As a result, a great wealth of attacks becomes possible, from primitive but highly efficient brute-forcing to sophisticated authentication and authorization bypasses used for data scraping and theft. Usually, the most dangerous attacks, including SQL injections and RCEs, target the mobile backend side. Unprotected even by a WAF, such backends are low-hanging fruit for pragmatic attackers.
How to mitigate: build a holistic API inventory, implement a software testing policy, run a free mobile app security test on all your mobile apps and backends, and conduct mobile penetration testing for the critical ones.
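The inventory step has a concrete shape once you accept the article's point that old app versions stay downloadable: collect the endpoints each published build of your own app talks to, compare them with the current build and with the backend's route table, and flag routes that only legacy builds reference but that are still served, especially without authentication. The following is an added example, not code from the article; the per-version endpoint lists (as would be recovered from an organisation's own builds) and the route table are constructed.

```python
"""Legacy-API inventory across published app versions (added example, constructed data)."""

# Constructed: endpoint paths recovered from each published build of the organisation's own app.
APP_VERSIONS = {
    "1.4.0": {"/api/v1/login", "/api/v1/accounts", "/api/v1/export"},
    "2.0.0": {"/api/v2/login", "/api/v2/accounts", "/api/v1/export"},
    "2.3.1": {"/api/v2/login", "/api/v2/accounts", "/api/v2/statements"},
}
CURRENT_VERSION = "2.3.1"

# Constructed backend route table: path -> authentication the route enforces as deployed.
BACKEND_ROUTES = {
    "/api/v1/login": "none", "/api/v1/accounts": "token", "/api/v1/export": "none",
    "/api/v2/login": "none", "/api/v2/accounts": "token", "/api/v2/statements": "token",
    "/api/v1/admin/export": "none",          # nobody's app references this any more
}
# Routes that are unauthenticated by design (login itself); everything else must carry auth.
PUBLIC_BY_DESIGN = {"/api/v1/login", "/api/v2/login"}


def build_api_inventory(versions, current, routes, public_by_design):
    """One record per endpoint seen in any build or routed by the backend."""
    current_set = versions[current]
    all_seen = set().union(*versions.values())
    inventory = {}
    for path in sorted(all_seen | set(routes)):
        used_by = sorted(v for v, eps in versions.items() if path in eps)
        routed = path in routes
        if path in current_set:
            status = "active"
        elif used_by:
            status = "legacy-only"          # only older, still-downloadable builds use it
        else:
            status = "orphan-route"         # served by the backend, referenced by no build
        flags = []
        if status == "legacy-only" and routed:
            flags.append("still-routed")
        if routed and routes[path] == "none" and path not in public_by_design:
            flags.append("no-auth")
        inventory[path] = {"status": status, "used_by": used_by, "routed": routed, "flags": flags}
    return inventory


def high_risk(inventory):
    """Endpoints to retire or to put behind auth and a WAF first."""
    return sorted(p for p, r in inventory.items() if r["flags"])


if __name__ == "__main__":
    inv = build_api_inventory(APP_VERSIONS, CURRENT_VERSION, BACKEND_ROUTES, PUBLIC_BY_DESIGN)
    for path, rec in inv.items():
        print(f"{path:24} {rec['status']:12} used_by={rec['used_by']} flags={rec['flags']}")
```

The two flags map directly onto the text's concern: "still-routed" is an endpoint reachable through a legacy build that the current app no longer needs, and "no-auth" is one where a bypass is not even required.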
5. Public Code Repositories
Agile CI/CD practices are a great business enabler; however, if inadequately implemented, they swiftly morph into a disaster. Within this context, public code repositories are often the weakest link undermining organizational cybersecurity efforts.
A recent example comes from the banking giant Scotiabank that reportedly stored highly sensitive data in publicly open and accessible GitHub repositories, exposing its internal source code, login credentials, and confidential access keys.
Third-party software developers considerably exacerbate the situation in an attempt to provide the most competitive quote to unwitting and somewhat naïve customers. Cheap software is obviously not without substantial drawbacks, and poor security tops them.
While few organizations manage to keep control over software code quality and security by conducting automated scanning and manual code review, virtually none are capable of monitoring how the source code is stored and protected while the software is being developed, and especially afterward.
Human mistakes unsurprisingly predominate in this space. Even exemplary organizations with mature and proven security policies awkwardly slip because of human factors. Tough deadlines dictated by economic realities lead to overburdened and exhausted programmers who innocently forget to set the proper visibility attribute on a newly created repository, letting the troubles in.
How to mitigate: implement a policy addressing code storage and access management, enforce it internally and for third parties, and continuously monitor public code repositories for leaks.
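Monitoring repositories for leaks comes down to scanning their content for credentials before (pre-commit hook) and after (periodic scan of anything public) they are pushed. The following is an added example, not code from the article, of the core of such a scanner: a few well-known credential shapes (the AWS access key id format and PEM private-key headers) plus a generic "secret-like assignment" rule gated by Shannon entropy so that placeholders such as "changeme" do not drown real findings. Matched values are redacted in the report so the scanner's own output does not become a second leak. The sample files and the dummy key id are constructed.

```python
"""Credential scanner for repository content (added example, constructed data)."""
import math
import re

PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # keyword = "value" / keyword: value ; value is captured in group 1
    "generic-assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^'\"\s]{8,})['\"]?"),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; placeholders and words sit well below this


def shannon_entropy(s):
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep just enough to locate the secret in the file, never the secret itself."""
    if len(value) <= 8:
        return "***"
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


def scan_text(text, path="<memory>"):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if rule == "generic-assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue            # low-entropy value, most likely a placeholder
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "redacted": redact(value)})
    return findings


def scan_repository(files):
    """files: mapping path -> text, e.g. produced by walking a checkout."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(text, path))
    return findings


# Constructed sample checkout; the key id is a dummy in the AKIA + 16 characters shape.
SAMPLE_FILES = {
    "config/settings.py": 'DB_PASSWORD = "changeme"\nAPI_KEY = "k7Qz9pLm2xVb4Wn8Rt3yUe6"\n',
    "deploy/.env": "AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001\n",
    "README.md": "Run `make deploy` after setting credentials in deploy/.env\n",
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA...\n",
}

if __name__ == "__main__":
    for f in scan_repository(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['rule']} {f['redacted']}")
```

The same scan_text function works unchanged as a pre-commit hook over the staged diff and as a scheduled job over a clone of every repository the organisation and its contractors publish; a non-empty result from the former blocks the commit, from the latter opens an incident.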
Following this mitigation advice may save you countless sleepless nights and many millions for your organization. And lastly, do share information about Attack Surface Management (ASM) with your industry peers to enhance their security awareness and cybersecurity resilience.