Lessons Learned From 2018 Security Breaches

The top five security breaches discovered in 2018 affected over 2 billion users' records (Aadhar -- 1.1B, Marriot -- 500M, Exactis -- 340M, Twitter -- 330M, MyFitnessPal -- 150M) and included highly sensitive data -- from names and DOBs to credit card and passport numbers. So what have we learned about the categories of companies targeted, the data targeted, data breach prevention, early detection, and what should we do differently in 2019?

First, we should make a distinction between data breaches that resulted from intentional and targeted actions by the hackers and data breaches that resulted from opportunistic exploits by automated security bots. In the case of the former, companies that process and store large volumes of personal data, payment data and healthcare data were the primary target for hackers in 2018 and will remain the primary target in 2019. Key vendors used by these companies will be targeted, as well. This data can be sold on the dark web and according to Verizon's DBIR 2018 report, 76% of hackers were motivated by financial gain. In the case of the latter, any company that makes its assets discoverable on the Internet without proper authentication will likely suffer a data breach.

While hackers can use sophisticated tools and obscure attack vectors, the disclosed root causes of 2018 data breaches boil down to not following secure coding and secure cloud configurations best practices and can be categorized as follows:

• Publicly accessible assets -- making databases, kubernetes etcd databases, servers and POS accessible on the Internet and not requiring any authentication or relying on password-based authentication. These assets are discoverable by anyone with a simple Shodan search and will be exploited.
• API security -- not requiring authentication or using Basic Authentication; not implementing rate limiting
• Cloud misconfigurations -- making S3 buckets with confidential data public
• Encryption -- not encrypting data in transit, using weak ciphers
• Web application security -- not implementing input validation
• Using components with vulnerabilities

Given commonalities between the root causes (not following fundamental security best practices), a conclusion can be drawn that many companies still do not prioritize and do not invest in security.

First, security must have board-level visibility, support from the entire executive team, and adequate headcount and budget. Once these strategic requirements are met the following processes should be implemented to address the categories of data breach root causes enumerated above.

• Secure development lifecycle where engineering and security work together towards the same objective.
• Threat modeling to identify key assets, threats, attack vectors and possible mitigations
• An architecture review board that includes security design reviews against agreed-upon security requirements and best practices
• OWASP secure coding practices and relevant checklists
• Static and dynamic code analysis
• Frequent pen tests by an independent third party

While no company wants to discover that it has suffered a data breach, it is far more preferable to make such a discovery via internal means than to be informed about the breach by a security researcher who happened to discover a publicly exposed asset or confidential data for sale on a dark web. Implementing the Zero Trust Security model with visibility into exactly who is accessing the network, from where and when is the answer.

— Marzena Fuller is the chief security officer at SignalFx.