Anatomy of a business cybersecurity breach illustrated in three example incident scenarios

Business operators are rightfully fearful of cybersecurity breaches. A breach can cause irreversible reputational harm, expose trade secrets and work product, and create financial and legal risk.

But just how does a cybersecurity breach occur and what does the process look like? Let’s take a closer look.

Cybersecurity breaches start with a point of entry: some vulnerable component, whether technological, physical or human, that allows the compromise to begin.

Scenario #1: technological breach

ABC Widgets has a website that processes ecommerce sales. Every day it handles thousands of credit card transactions. Each transaction is encrypted in transit when it is authorized with the merchant processor. But because ABC Widgets’ ecommerce engine was not properly developed, it stores full card numbers, and the CVV alongside them, unencrypted in its database at rest. This both raises the impact of any exfiltration and violates PCI DSS, which requires stored primary account numbers to be rendered unreadable and forbids keeping sensitive authentication data such as the CVV after authorization.

Unfortunately it is not uncommon to find public-facing websites storing sensitive information insecurely. In this scenario ABC Widgets’ website is compromised: a security vulnerability in the ecommerce engine becomes public, and before a patch is installed an attack is launched against the site. The attacker gains access to the database and downloads its entire contents, and because the card data sits there in the clear, nothing further stands between the attacker and usable card numbers. All of the customer PII, including credit card information, is exposed and eventually sold on the dark web.

As a result ABC Widgets has to hire a third-party firm to investigate the breach, send data breach notifications to all of its customers, and remediate the underlying problems. Meanwhile the business takes a reputational hit, as customers are reluctant to buy more widgets because they worry about the security and privacy of their information.

The technological breach was a two-part problem in which the first part compounded the damage of the second.

  1. The relational database that stored customer records, including credit card information, was unencrypted, so any compromise of the database immediately exposed usable card numbers.
  2. The ecommerce software had a remotely exploitable vulnerability that went unpatched, which gave the attacker a foothold on the web application and, through it, the application’s own access to the database.

From a 30,000 foot view the lesson is that perimeter controls alone cannot protect the data behind them. Sensitive data such as card numbers and other PII should be stored only when genuinely necessary, and then protected with strong encryption at the application layer, with the keys kept out of the database and out of the web root. Whole-disk or transparent database encryption does little against an attacker who has already compromised the application, because the application decrypts on their behalf. For card numbers in particular the better answer is not to store them at all: keep only a processor-issued token and the last four digits.

Secondly, prompt patching and defensive measures such as a web application firewall reduce the chance that the external attack surface is exploited in the first place. A WAF buys time; it is not a substitute for the patch.

A multi-faceted defense that pays attention to these pain points makes an effective risk mitigation strategy possible: one that reduces the vulnerable attack surface wherever it can, which in this case means both the Internet-facing side and the way sensitive data is stored in the ecommerce site’s relational database.
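To make the storage lesson concrete, here is an added example (not code from the original post or from ABC Widgets) that puts the pattern that burned ABC Widgets next to a safer one. The processor tokenization call and the source of the blind-index key are assumptions; the card number is the standard test PAN and the CVV is made up.

```python
"""Card data at rest: the pattern that hurt ABC Widgets next to a safer one.
Added example using only the Python standard library; the processor
tokenization call and the key source are assumptions, not a real API."""
import hashlib
import hmac
import secrets
import sqlite3

# Constructed sample order. 4111 1111 1111 1111 is the standard test PAN
# (it passes the Luhn check but is not a real account); the CVV is made up.
SAMPLE_PAN = "4111111111111111"
SAMPLE_CVV = "123"

# Assumption: in production this key comes from a secrets manager or HSM and
# never sits in the database or the web root. A fixed value here only so the
# example runs offline.
BLIND_INDEX_KEY = b"replace-me-with-a-32-byte-random-key"


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; rejects malformed input before anything is stored."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def insecure_store(conn: sqlite3.Connection, pan: str, cvv: str) -> None:
    """The ABC Widgets pattern: full PAN and CVV written in the clear."""
    conn.execute("CREATE TABLE IF NOT EXISTS orders_insecure (pan TEXT, cvv TEXT)")
    conn.execute("INSERT INTO orders_insecure VALUES (?, ?)", (pan, cvv))


def tokenize_with_processor(pan: str) -> str:
    """Stand-in for the merchant processor's tokenization API (assumed).
    The processor keeps the PAN in its own PCI-scoped vault and returns an
    opaque token the merchant can use for refunds or repeat charges."""
    return "tok_" + secrets.token_hex(12)


def blind_index(pan: str) -> str:
    """Keyed hash of the PAN so the app can find repeat cards without
    storing the PAN. A dumped column is useless without BLIND_INDEX_KEY."""
    return hmac.new(BLIND_INDEX_KEY, pan.encode(), hashlib.sha256).hexdigest()


def secure_store(conn: sqlite3.Connection, pan: str, cvv: str) -> str:
    """Store only what the business needs: token, last four digits, blind
    index. The CVV is used for the authorization call and then discarded;
    PCI DSS forbids keeping it after authorization."""
    if not luhn_ok(pan):
        raise ValueError("malformed card number")
    token = tokenize_with_processor(pan)   # the CVV would go to the processor here
    conn.execute(
        "CREATE TABLE IF NOT EXISTS orders_secure "
        "(token TEXT, last4 TEXT, pan_index TEXT)"
    )
    conn.execute(
        "INSERT INTO orders_secure VALUES (?, ?, ?)",
        (token, pan[-4:], blind_index(pan)),
    )
    return token


def dump(conn: sqlite3.Connection, table: str) -> list:
    """What an attacker with read access to the database walks away with."""
    if table not in {"orders_insecure", "orders_secure"}:
        raise ValueError("unknown table")
    return conn.execute(f"SELECT * FROM {table}").fetchall()


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    insecure_store(conn, SAMPLE_PAN, SAMPLE_CVV)
    secure_store(conn, SAMPLE_PAN, SAMPLE_CVV)
    return {
        "insecure": dump(conn, "orders_insecure"),
        "secure": dump(conn, "orders_secure"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Running `demo()` shows the difference an attacker sees: the insecure table hands over the PAN and CVV, while the secure table yields a token that only the processor can redeem, four digits, and a keyed hash. The blind index is the one design choice to watch: it is only as safe as the key, which is why the key must live outside the database.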

Scenario #2: physical security breach

ABC Widgets is having a bad month after the website breach. The stress of working overtime to recover lost productivity and rebuild customer confidence has left employees frazzled. Employees have been staying later, and in smaller numbers. This new pattern is noticed by an opportunist who frequents the same floor. One night they watch a lone ABC Widgets employee head downstairs after a long shift and step into the elevator with them, having planned the ride in advance. In their pocket is an RFID card cloner. Common 125 kHz proximity badges carry a fixed identifier and perform no authentication, so a reader held close to the employee’s wallet or lanyard can capture that identifier in a fraction of a second and write it to a blank card later; the 45 second ride down is far more time than it needs.

Using the cloned badge, the bad actor slips into the ABC Widgets office after the employee has gone, plugs a small USB device into the company’s server, and exits a few moments later.

Because ABC Widgets never invested in, or monitored, a video surveillance system, this physical intrusion goes undetected. The USB device gives the attacker full control of ABC Widgets’ local server, from which they exfiltrate trade secrets about how the widgets are made, whom the company does business with, and its sales material. That gives them an opportunity to sell the information to an overseas competitor eager to duplicate the processes and produce cheaper knock-offs that will eat into ABC Widgets’ remaining market share.

The physical breach in this scenario depended on an RFID card clone, but there are much less sophisticated ways it can happen, such as passwords written down and left in plain sight.
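Why the clone works is easier to see in code. The following is an added example (not from the original post or any access-control vendor) that builds and checks the 26-bit Wiegand frame used by common proximity badges, shows that a copied frame is indistinguishable from the original at the door, and contrasts it with a sketch of a challenge-response card. The facility code, card number and key are made up.

```python
"""Why a proximity badge can be copied in an elevator: the credential is a
fixed bit string with nothing secret in it, so a replayed copy looks exactly
like the original card. Added example, standard library only; the card
numbers and keys below are made up."""
import hashlib
import hmac
import secrets


def encode_h10301(facility: int, card: int) -> str:
    """Build a 26-bit Wiegand frame (HID H10301 layout): even-parity bit,
    8-bit facility code, 16-bit card number, odd-parity bit."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("value does not fit the 26-bit format")
    data = f"{facility:08b}{card:016b}"
    even = data[:12].count("1") % 2        # ones in bits 0-12 come out even
    odd = (data[12:].count("1") + 1) % 2   # ones in bits 13-25 come out odd
    return f"{even}{data}{odd}"


def decode_h10301(frame: str) -> tuple:
    """Validate both parity bits and return (facility, card)."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("not a 26-bit frame")
    if frame[:13].count("1") % 2 != 0 or frame[13:].count("1") % 2 != 1:
        raise ValueError("parity failure")
    return int(frame[1:9], 2), int(frame[9:25], 2)


def clone_badge(captured_frame: str) -> str:
    """All a cloner has to do: write the captured bits to a blank card."""
    return captured_frame


class StaticIdReader:
    """Door controller for static-ID cards: any parity-valid frame on its
    list opens the door, whoever is holding the card."""

    def __init__(self, allowed):
        self.allowed = set(allowed)

    def admit(self, frame: str) -> bool:
        try:
            return decode_h10301(frame) in self.allowed
        except ValueError:
            return False


class ChallengeResponseReader:
    """Sketch of a card that shares a secret with the access system: the
    reader issues a fresh nonce and expects HMAC(key, nonce). A response
    recorded in the elevator is useless at the door because the nonce
    changes every time."""

    def __init__(self, card_keys):
        self.card_keys = dict(card_keys)
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def admit(self, card_id: str, response: bytes) -> bool:
        key = self.card_keys.get(card_id)
        nonce, self.pending = self.pending, None
        if key is None or nonce is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def card_response(key: bytes, nonce: bytes) -> bytes:
    """What a genuine challenge-response card computes on the spot."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


if __name__ == "__main__":
    badge = encode_h10301(42, 1234)
    door = StaticIdReader([(42, 1234)])
    print("original badge admitted:", door.admit(badge))
    print("cloned badge admitted:  ", door.admit(clone_badge(badge)))
```

The parity bits catch transmission errors, not impostors: every bit of a static-ID frame is public the moment the card is read. Real challenge-response credentials use a symmetric cipher inside the card rather than an HMAC, but the property that matters is the same one the sketch shows: a captured response does not open the door a second time.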

Most physical security risk can be mitigated along the same lines as technological risk: layer several defenses. Security cameras that send motion alerts with pictures or video clips add a layer on top of electronically logged entry and exit; badge systems that use cards with cryptographic authentication rather than static-identifier proximity cards resist cloning; and servers belong in a locked room or rack, with USB ports disabled or restricted to approved devices and new device connections logged and reviewed. Clean desk practices go a long way toward ensuring that casual observers cannot pick up sensitive information.
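Monitoring is the layer that would have caught the server-room USB drop even after the badge clone succeeded. Here is an added example (not from the original post) that scans Linux kernel log lines for newly attached USB devices and raises alerts for unrecognised devices, keyboard-class devices on a server, and after-hours activity. The log lines are constructed, the allowlisted vendor/product IDs are placeholders, and the after-hours window is an assumption.

```python
"""Spotting an unexpected USB device on a server from its own kernel log.
Added example; the log lines are constructed, the allowlisted vendor/product
IDs are placeholders and the after-hours window is an assumption."""
import re

# Assumption: the only USB devices expected on this server (placeholder IDs).
ALLOWED_DEVICES = {("1234", "5678")}

# Assumption: nobody should be plugging things in between 20:00 and 06:00.
AFTER_HOURS_START, AFTER_HOURS_END = 20, 6

# Constructed sample of syslog-formatted kernel messages. Line 1 is a known
# device during the day; lines 2-3 are an unknown device that registers as a
# keyboard late at night, which is what a keystroke-injection drop looks like.
SAMPLE_LOG = """\
Mar  3 14:02:11 abc-srv kernel: [ 1203.115] usb 1-1.1: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
Mar  3 23:41:12 abc-srv kernel: [36140.442] usb 1-1.3: New USB device found, idVendor=abcd, idProduct=ef01, bcdDevice= 1.00
Mar  3 23:41:13 abc-srv kernel: [36141.001] hid-generic 0003:ABCD:EF01.0002: input,hidraw1: USB HID v1.11 Keyboard [Generic USB Keyboard] on usb-0000:00:14.0-1.3/input0
"""

PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?:\[[^\]]*\] )?"
NEW_DEVICE = re.compile(
    PREFIX + r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
HID_DEVICE = re.compile(
    PREFIX + r"hid-generic \S+: .*USB HID v[\d.]+ (?P<kind>\w+) "
    r"\[(?P<name>[^\]]*)\] on usb-(?P<path>\S+)"
)


def is_after_hours(ts: str) -> bool:
    hour = int(ts[-8:-6])   # "Mar  3 23:41:12" -> 23
    return hour >= AFTER_HOURS_START or hour < AFTER_HOURS_END


def scan(lines) -> list:
    """Return one alert per suspicious log line with the reasons it tripped."""
    alerts = []
    for line in lines:
        reasons = []
        m = NEW_DEVICE.match(line)
        if m:
            where = m["port"]
            if (m["vid"], m["pid"]) not in ALLOWED_DEVICES:
                reasons.append("unknown-device")
        else:
            m = HID_DEVICE.match(line)
            if not m:
                continue
            where = m["path"]
            if m["kind"] == "Keyboard":
                reasons.append("keyboard-class")   # servers rarely gain keyboards
        if is_after_hours(m["ts"]):
            reasons.append("after-hours")
        if reasons:
            alerts.append({"ts": m["ts"], "host": m["host"],
                           "where": where, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

In practice the same rules belong in whatever log pipeline the server already feeds, and the alert should page someone rather than wait for the next morning’s review; the point is that a device showing up as a keyboard on a server at 23:41 is worth a phone call even before anyone knows what it did.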

Scenario #3: human security breach

Boy, ABC Widgets is really not having a great quarter. After the ecommerce data breach and the office server breach, things are spiraling downhill. The already weary employees are clinging on for dear life as the company’s trajectory looks like a tailspin. This cloud of distraction suspends better judgment when an e-mail claiming to be from the CEO of ABC Widgets is opened by the company’s Treasurer, who almost immediately, and without much consideration, wires $10,000 to another bank account because the e-mail seemed legitimate. After all, it appeared to come from the CEO’s own address, was signed with the same signature he uses, and read just the way one would expect him to write.

But the e-mail was not from the CEO. It was a spear phishing attack of the kind usually called business e-mail compromise, and a follow-on from the earlier ecommerce breach: the attackers, having found low-hanging fruit once, assumed correctly that the company’s security would be just as soft elsewhere.

Once the $10,000 reached the attackers’ US account it was immediately wired overseas through a series of foreign bank accounts, converted into cryptocurrency and moved to cold storage. At that point it is hard to trace and, more importantly, almost impossible to claw back; the window in which a bank can recall a fraudulent wire closes quickly, which is why reporting within hours rather than days matters.

Most human security breaches happen through some variation of social engineering: a phone call, e-mail, letter, text message or social media message. In many cases the origin of the message is spoofed to appear to come from a trusted party. The From address on an e-mail is simply text chosen by the sender; only checks such as SPF, DKIM and DMARC on the receiving side tie it to the domain it claims, and a lookalike domain the attacker registered will pass those checks anyway. The same is true of caller ID, which is routinely abused by robocallers and fraudsters alike.
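Below is an added example (not code from the original post or from ABC Widgets’ mail system) of the header checks a mail gateway or a mailbox rule could apply to the Treasurer’s e-mail: whether the receiving server’s DMARC verdict backs up a From address that claims the company domain, whether a Reply-To steers replies elsewhere, and whether the sending domain is a near-miss of the real one. The three messages are constructed; the trusted domain, the executive’s name and the Authentication-Results layout are assumptions.

```python
"""Header checks that would have flagged the fake CEO e-mail. Added example
with constructed messages; the trusted domain, the executive's name and the
Authentication-Results layout are assumptions about ABC Widgets' mail setup."""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"abc-widgets.example"}   # assumption

# Constructed: a spoofed From header that fails DMARC, with a Reply-To
# pointing at a webmail account so replies go to the attacker.
SPOOFED = """\
From: "Pat Lee, CEO" <pat.lee@abc-widgets.example>
Reply-To: Pat Lee <pat.lee.ceo@webmail.example>
To: treasurer@abc-widgets.example
Subject: Urgent wire needed today
Authentication-Results: mx.abc-widgets.example; spf=fail smtp.mailfrom=abc-widgets.example; dkim=none; dmarc=fail header.from=abc-widgets.example

Please wire $10,000 to the account below before close of business.
"""

# Constructed: the same sender, genuinely sent through the company's mail.
GENUINE = """\
From: "Pat Lee, CEO" <pat.lee@abc-widgets.example>
To: treasurer@abc-widgets.example
Subject: Q3 numbers
Authentication-Results: mx.abc-widgets.example; spf=pass smtp.mailfrom=abc-widgets.example; dkim=pass header.d=abc-widgets.example; dmarc=pass header.from=abc-widgets.example

Attached are the Q3 figures.
"""

# Constructed: a lookalike domain the attacker registered. It passes SPF,
# DKIM and DMARC, because the attacker controls that domain.
LOOKALIKE = """\
From: "Pat Lee, CEO" <pat.lee@abc-wldgets.example>
To: treasurer@abc-widgets.example
Subject: Urgent wire needed today
Authentication-Results: mx.abc-widgets.example; spf=pass smtp.mailfrom=abc-wldgets.example; dkim=pass header.d=abc-wldgets.example; dmarc=pass header.from=abc-wldgets.example

Please wire $10,000 to the new account below.
"""


def domain_of(header_value) -> str:
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Pull spf/dkim/dmarc verdicts out of the receiving server's header."""
    header = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", header))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_message(raw: str) -> list:
    """Return the reasons a message should be held for out-of-band verification."""
    msg = message_from_string(raw)
    findings = []
    from_domain = domain_of(msg.get("From"))
    verdicts = auth_results(msg)
    # 1. Claims to be our domain but the receiving server could not verify it.
    if from_domain in TRUSTED_DOMAINS and verdicts.get("dmarc") != "pass":
        findings.append("dmarc-not-pass")
    # 2. Replies are steered somewhere other than the apparent sender.
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")
    # 3. Not our domain, but close enough to fool a tired reader.
    if from_domain not in TRUSTED_DOMAINS and any(
        edit_distance(from_domain, t) <= 2 for t in TRUSTED_DOMAINS
    ):
        findings.append("lookalike-domain")
    return findings


if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("genuine", GENUINE), ("lookalike", LOOKALIKE)]:
        print(label, check_message(raw))
```

Two caveats that the third message illustrates: authentication results only tell you that a message really came from the domain in the From header, not that the domain is the one you think it is, and a lookalike will pass every check. That is why the technical controls have to be paired with the process controls in the next paragraph.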

Human security is best improved by ongoing, interactive training combined with process controls built into the workflow and company IT policy: for example, verifying any wire request or change of payment details by phone at a number already on file, never one taken from the e-mail itself, and requiring a second approver for transfers above a threshold.

Reducing risk is pivotal to improving business sustainability

Cybersecurity risk keeps growing and attackers currently hold the advantage: they need to find one gap, while the defender must close them all. Data breaches and data loss can be devastating and can even cause businesses to fail.

Getting ahead of the technological, physical and human cybersecurity risks gives your business a competitive advantage. It is an investment in a resilient digital moat around trade secrets, work product and PII; a powerful way to improve client confidence and loyalty; and, perhaps most importantly, good security practices pay dividends by reducing the otherwise growing financial and legal risk of a data breach.

Contact Envescent to receive expert cybersecurity help from thoughtful professionals tailored specifically to the risks that face your business.

Posted in cybersecurity.