Data Breaches in 2019: Why the Hackers are Winning (And What You Can do About It)

January 9, 2019 | Gabriel Torok

Hackers are winning. As noted by Information Age, data breach reports are up 75 percent over the last two years. While part of this increase is tied to emerging legislation and disclosure requirements, a quick look at tech headlines makes it clear that attackers are coming out ahead as organizations fight to keep corporate networks, applications and data secure.

But it’s not all bad news. Armed with knowledge of the current breach landscape — along with actionable insight to protect critical assets — organizations can start to even the score and put hackers on the defensive. Here’s what you need to know.

A Brief History of Breaches

2018 saw substantial breach activity. In May, social platform Twitter reported that 333,000,000 records were breached after a glitch that stored passwords in plain text on internal systems. The month before, Facebook reported 29,000,000 compromised records after “malicious third-party scrapers” grabbed user data.

It gets worse: August 2018 saw 14.8 million voter records exposed in Texas after a single file was stored without a password on an insecure server. Names, addresses, voting history and gender data were compromised. And in December, Marriott Hotels reported that half a billion customer records were breached across multiple hotel chains, and revealed the hack began in 2014. So far, there’s no word on the threat vector used.

Also worth mentioning? The massive Equifax breach from last year, which exposed the credit information of almost 150 million Americans, supposedly because security patches weren’t properly applied.

Even a cursory glance at the data makes it clear: Big companies are getting hit by bigger and bigger breaches — and in many cases hackers don’t even have to try that hard. What’s the disconnect?

Common Sources

Why are hackers enjoying so much success while IT teams struggle to keep up? Increasing malware availability is one concern: As noted by IT Pro Portal, 2019 will likely see an increase of “malware-as-a-service”: tools and kits that low-skilled attackers can buy on the Dark Web and that come complete with customer service emails and ongoing support.

But here’s the hard truth: Despite increasing hacker savvy and growing malware markets, cybercriminal success stems in large part from in-house IT sources, including:

  • People Problems — As noted by the Information Age piece, the vast majority of breach reports point to human error, not malicious action. Top concerns include emails sent to the wrong recipients and physical data misplaced by employees.

    Staff also struggle to identify and avoid phishing attacks: 76 percent of organizations say they were targeted by malicious email scams last year.

  • Patch Pressures — Without regular patching, systems and networks are left vulnerable. That’s what happened to Equifax: The necessary update for Apache Struts to combat CVE-2017-5638 was never installed, allowing hackers to access corporate systems. While the company’s former CEO blames an unidentified IT staff member for failing to download and apply the patch, there’s a bigger problem here: Poor patch management frameworks that let hackers slip through.

  • Timid Testing — Hackers look for any vulnerability they can use to compromise your network. This includes less common weaknesses that may allow only lateral access to peripheral services but offer a potential pathway to more critical applications. Here, the biggest problem facing organizations is timid testing: companies may simply test for the vulnerabilities they expect to see, get the all clear and assume hackers will never think outside the box. Or, they may skip testing altogether under the assumption that up-to-date security tools will protect key assets.

  • Application Avenues — Applications are eating the world. They’re also providing a veritable buffet for attackers; if malicious actors can insert commands during application runtime, reverse engineer code or hijack application sessions, they can quickly (and often silently) infiltrate corporate networks.

  • Variable Visibility — While Marriott can now identify which records were breached and what type of data was compromised, Bloomberg notes that there’s still “no information about the cause of this incident”. This is a common concern for companies: Visibility into the aftermath of data breaches but no insight about the cause.

Leveling the Field

While the nature of attackers means they’re always pushing the bounds of IT security measures, it’s possible for businesses to level the playing field and deny hackers another win.

Best bet? Start with regular penetration tests carried out by reputable third-party providers. This circumvents the unconscious bias of in-house testers who often avoid out-of-the-box attacks in favor of more traditional methods, which typically report secure systems. Next, enable or deploy automatic patch policies to ensure the latest application and OS updates are applied to critical systems. While there’s potential here for lost productivity if patching isn’t scheduled properly or encounters unexpected conflicts, it’s better than the Equifax alternative.

Last but not least? Protect your mobile apps. Protect your client and server applications. Between these and now IoT apps, hackers have plenty to choose from: Just one reverse-engineered app or privilege escalation could lead to a full-on network breach. Ideally? Implement the app hardening trifecta: Code obfuscation to protect IP and mask potential vulnerabilities, encryption to hide valuable data, and runtime application self-protection to detect and reject tools and techniques hackers use, such as debuggers, emulators, code injection, etc.

Hackers are winning the data breach battle — but the war isn’t over. Know their methods, understand common risks and implement straightforward strategies to take the tactical advantage.

