Robert S. Mueller II is well-versed in writing speeches. The former Director of the FBI is well known for his former position and for providing fodder for many tech articles' opening lines. Who are we not to quote his infamous line, "There are only two types of companies, those that have been hacked and those that will be hacked." According to Mueller, hacking incidents are rampant, and it's only a matter of time before you are affected in some form. For many organizations, this takes the form of a data breach, in which their data is compromised. Let's take a closer look at some of the different causes of data breaches.
A vulnerability is a weakness or hole in your software, either a design flaw or an implementation bug, that can give attackers unauthorized access. The Common Vulnerabilities and Exposures (CVE) Program lists hundreds of disclosed cybersecurity vulnerabilities and is used as a reference point when identifying known vulnerabilities.
However, many of these vulnerabilities go unfixed for an extended period or are still being added unknowingly to software.
Data breaches most commonly occur through human error. Human errors are unintentional actions, or failures to act, that allow a security breach. They include the following:
Use of weak passwords
Mistakenly shared data
Phishing attacks
According to the UK's National Centre for Cyber Security's 2019 report, 123456 was the most hacked password (using data published on Have I Been Pwned). Other bad password habits include using the same password for multiple services and sharing passwords and account details with others (how many people are you sharing your Netflix account with?).
A typical corporate threat occurs through accidentally sharing information with the wrong recipient. Mis-delivery is also a cause of security breaches.
Phishing is a fraudulent attempt to obtain sensitive information or data from the victim by posing as a trustworthy entity in an electronic communication. Verizon's 2020 Data Breach Investigations Report found that phishing is one of the top threat actions in data breaches and is used in 22% of data breaches.
Malware is malicious software designed to gain unauthorized access, steal data or damage your computer system. Malware is a collective name for several types of malicious software such as viruses, worms, spyware, and ransomware. To make it harder for antivirus software to detect malware, malicious actors make minor modifications to existing malware.
An insider threat is someone from within your organization performing acts with malicious intent. Insiders are the biggest threat to an organization's security. Insiders can take advantage of their higher level of access and the luxury of time they possess to extract data.
While preventing insider threats is nearly impossible, implementing the principle of least privilege (only awarding the minimum necessary access rights) can limit the damage they can do.
Theft of devices that store sensitive information also leads to security breaches. The devices range from laptops to desktops, smartphones, tablets, hard drives, thumb drives, CDs & DVDs, or even servers.
The sensitivity of the data stolen from these devices can be unpredictable. The best solution is often to reduce the possibilities for using and removing data-storing devices from the worksite.
Shoulder surfing, dumpster diving, and tailgating are also types of physical attacks, in which the assailant is physically in the vicinity. The assailant may look over your shoulder to find out confidential data, look in your trash for computer equipment or confidential information, or enter a building without authorization by following in someone who has credentials.
While it may be difficult to manage physical attacks, insider threats, and human error, we can help take the slog out of detecting vulnerabilities in your software. Learn more about protecting your data and implementing DevSecOps at the DevSecOps Academy.