Five Places Hackers Are Discreetly Stealing Your Data
We’re all too accustomed to handing over our data to service providers; be it financial institutions or entertainment providers, handing over sensitive personally identifiable information (PII) is commonplace. The same is true of the organisations responsible for keeping that data safe; complacency in this area, however, can prove disastrous, as the authors of the Stealth Report point out in their latest publication. “Skyrocketing data breaches bring incalculable losses to organizations and can cost cybersecurity executives their jobs,” they state, adding that the purpose of their latest report was to “examine the top five places in 2019 where cybercriminals are stealing corporate and government data without ever getting noticed and then learn how to avoid falling victim to unscrupulous attackers.”
“Many organisations are hacked every day without being aware of this due to the complexity of the attacks or simple negligence, lack of resources or skills.”
Misconfigured Cloud Storage
According to the report, “48% of all corporate data is stored in the cloud, compared to 35% three years ago, according to a 2019 Global Cloud Security Study by Thales that surveyed over 3,000 professionals across the globe. Contrastingly, only 32% of organisations believe that protecting data in the cloud is their own responsibility, counting on cloud and IaaS providers to safeguard the data. Worse, 51% of the organisations do not use encryption or tokenization in the cloud.”
The authors of the report also mention research from (ISC)²’s 2019 Cloud Security Report, which states that 64% of cybersecurity professionals believe data loss and leakage are the biggest risks with cloud storage. “Misuse of employee credentials and improper access controls are the top challenges for 42% of professionals, while 34% struggle with compliance in the cloud, and 33% name lack of visibility into infrastructure security as their predominant concern.”
The report also cites Facebook, Microsoft and Toyota as victims that were “mercilessly stigmatized by the media or losing millions of customer records due to third-party leaks or breaches.” Despite the warnings, “few organizations have a well-thought, properly implemented, and continuously enforced third-party risk management program, most relying on paper-based questionnaires skipping practical verifications and continuous monitoring,” the report says.
How to mitigate: “Train your team, implement an organisation-wide cloud security policy, continuously run discovery of public cloud storage to maintain an up-to-date inventory of your cloud infrastructure.”
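The “continuously run discovery of public cloud storage” advice comes down to checking, for every bucket in the inventory, whether its policy or its ACL opens it to the world. The following Python is an added example, not code from the report or from any vendor: it evaluates an S3-style bucket policy document (real AWS policy JSON format) and an ACL grant list (the structure S3’s GetBucketAcl returns) entirely offline. The bucket names, the policy documents and the ACL grants are constructed sample inputs; the account id is the AWS documentation example value. Fetching the real documents with a cloud SDK is left out so the logic runs without credentials.

```python
import json

# Grantee URIs AWS uses for the two "everyone" groups in S3 ACLs (real values).
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_public(principal):
    """True when a statement's Principal resolves to 'anyone' ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_findings(policy_json):
    """Scan a bucket policy document (JSON string) for Allow statements open to anyone.

    Each finding records the statement id, the granted actions and whether a
    Condition block narrows the grant; a conditional public grant still deserves
    review, since a condition such as aws:SourceIp may be wider than intended.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": actions,
            "conditional": "Condition" in stmt,
        })
    return findings


def public_acl_findings(grants):
    """Scan ACL grants (GetBucketAcl 'Grants' structure) for group grants to everyone."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GRANTEES:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


def audit_bucket(name, policy_json, grants):
    """Combine both checks into one inventory record for the bucket."""
    policy_hits = public_policy_findings(policy_json)
    acl_hits = public_acl_findings(grants)
    return {
        "bucket": name,
        "public": bool(policy_hits or acl_hits),
        "policy_findings": policy_hits,
        "acl_findings": acl_hits,
    }


# Constructed sample inputs (not real buckets): a policy that opens objects to the
# world, a policy restricted to one role, a public-read ACL and an owner-only ACL.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-exports/*",
    }],
})
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-private/*",
    }],
})
PUBLIC_READ_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]
OWNER_ONLY_ACL = [PUBLIC_READ_ACL[0]]

if __name__ == "__main__":
    for name, pol, acl in [("example-exports", OPEN_POLICY, OWNER_ONLY_ACL),
                           ("example-uploads", PRIVATE_POLICY, PUBLIC_READ_ACL),
                           ("example-private", PRIVATE_POLICY, OWNER_ONLY_ACL)]:
        print(json.dumps(audit_bucket(name, pol, acl)))
```

Run on a schedule against every bucket the inventory knows about, the `public` flag is what feeds an alert; the two findings lists explain why, so the owner can tell a deliberate public website bucket from a forgotten export.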
The Dark Web
Earlier this year, Troy Hunt, a security expert, released ‘Notorious Dump #1’, a set of email addresses and passwords in plain text totalling nearly 2.7 billion rows of data. The extremely valuable trove of data was accessible to anyone willing to part with their bitcoin, and is one of the largest publicly known databases in existence.
“Targeted password re-use attacks and spear phishing are simple to launch and do not require expensive zero-day exploits. Although trivial at first glance, they may be piercingly efficient. Most organisations do not have a consistent password policy across their corporate resources, deploying SSO only to their critical infrastructure.” The report also states that “given the multitude of such portals and resources, attackers meticulously try stolen credentials and eventually get what they seek.”
How to mitigate: “ensure digital assets visibility, implement holistic password policy and incident response plan, continuously monitor Dark Web and other resources for leaks and incidents.”
Abandoned and Unprotected Websites
Research published by ImmuniWeb this year claimed that 97 of the 100 largest banks in the world have vulnerable websites and web applications. The same report mentions that 25% of e-banking apps were not protected by a web application firewall (WAF) and 85% of these applications failed the GDPR compliance tests. “In spite of the rise of attack surface management solutions, the majority of businesses incrementally struggle with the growing complexity and fluctuating intricacy of their external attack surfaces. Web applications dominate the list of abandoned or unknown assets being left by careless or overloaded developers,” the Threat Report states.
“Even properly deployed web applications may be a time bomb if left unattended. Both open-source and proprietary software make a buzz in Bugtraq with remarkable frequency, bringing new and predominantly easily-exploitable security flaws. With some exceptions, vendors are sluggish to release security patches compared to the speed of mass-hacking campaigns.” The report also makes an example of WordPress, the popular CMS, whose sites are “comparatively safe in their default installations, but the myriad of third-party plugins, themes and extensions annihilate their security.”
How to mitigate: “start with a free website security test for all your external-facing websites and continue with in-depth web penetration testing for the most critical web applications and APIs.”
Mobile Applications’ Backends
The report states that “modern businesses now generously invest in mobile application security, leveraging secure coding standards… most of these solutions tackle only the visible tip of the iceberg, leaving mobile application backend untested and unprotected.”
According to the authors, “while most of the APIs used by the mobile application send or receive sensitive data, including confidential information, their privacy and security are widely forgotten or deprioritized, leading to unpardonable consequences. Likewise, large organizations commonly forget that previous versions of their mobile apps can be easily downloaded from the internet and reverse-engineered. Such legacy applications are a true Klondike for hackers searching for abandoned and vulnerable APIs commonly still capable of providing access to an organization’s crown jewels in an uncontrolled manner.”
How to mitigate: “build holistic API inventory, implement software testing policy, run a free mobile app security test on all your mobile apps and backends, conduct mobile penetration testing for critical ones.”
Public Code Repositories
Public code repositories are often the weakest link that undermines an organisation’s ability to stay protected online. The report cites the recent example of Scotiabank, which reportedly stored extremely sensitive data in a publicly accessible GitHub repository, exposing its internal source code, login credentials and confidential access keys.
“Third-party software developers considerably exacerbate the situation in an attempt to provide the most competitive quote to unwitting and somewhat naive customers. Cheap software is obviously not without substantial drawbacks, and poor security tops them,” the report states.
“Human mistakes unsurprisingly predominate the space. Even exemplary organizations with mature and proof-tested security policies awkwardly slip because of human factors. Tough deadlines dictated by economic realities lead to overburdened and exhausted programmers who innocently forget to set a proper attitude on a newly created repository, letting the troubles in.”
How to mitigate: “implement a policy addressing code storage and access management, enforce it internally and for third-parties, continuously run public code repositories monitoring for leaks,” the report states, adding that “following this mitigation advice may save you countless sleepless nights and many millions for your organization. Lastly, do share information about Attack Surface Management (ASM) with your industry peers to enhance their security awareness and cybersecurity resilience.”
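The Scotiabank case above is the kind of leak that “public code repositories monitoring” is meant to catch: credentials and access keys committed into source that is then pushed somewhere public. The following Python is an added example, not code from the report or from any vendor: a minimal secret scanner that walks file contents line by line with three pattern rules (the AWS access key id format and the PEM private-key header are real formats; the generic password assignment rule is a heuristic) plus a Shannon-entropy check for long random-looking tokens. It reports the line number and rule and only a masked preview of the match, so the scanner’s own output does not re-leak the secret. The sample file is constructed; the AWS key it contains is the documented AWS example value, not a live key.

```python
import math
import re

# Pattern rules: (name, regex). The last capturing group, where present, is the secret.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("generic-password",
     re.compile(r"(?i)(password|passwd|secret)\w*\s*[:=]\s*['\"]([^'\"]{4,})['\"]")),
]

# Entropy rule: any run of 32+ base64/url-safe characters with high character diversity.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
ENTROPY_THRESHOLD = 4.5  # bits per character; hex strings top out at 4.0, so this targets base64-like tokens


def shannon_entropy(s):
    """Bits of entropy per character of s, estimated from its character frequencies."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _preview(secret):
    """Mask all but the first four characters so findings can be logged safely."""
    return secret[:4] + "*" * max(len(secret) - 4, 0)


def scan_text(text):
    """Return findings as dicts {line, rule, preview}, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if m:
                secret = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append({"line": lineno, "rule": rule, "preview": _preview(secret)})
        for token in TOKEN_RE.findall(line):
            if shannon_entropy(token) > ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "rule": "high-entropy-string",
                                 "preview": _preview(token)})
    return findings


# Constructed sample file (not a real repository). Line 4 holds the AWS documentation
# example key id; line 5 holds a token of 32 distinct characters (entropy 5.0 bits);
# line 6 is a long but low-entropy string that must not be flagged.
SAMPLE_FILE = """# config.py, constructed sample
DB_HOST = "db.internal.example"
db_password = "hunter2"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_token = "aB3dE6gH9jK2mN5pQ8sT1vW4yZ7xC0fG"
banner = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE):
        print("line %(line)d  %(rule)-20s %(preview)s" % f)
```

Wired into a pre-commit hook or a CI job, the same `scan_text` rejects the push before the secret reaches a public remote; run over a clone of an already public repository, it gives the list of credentials that must be rotated regardless of whether the commit is later removed, since the history has already been exposed.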