Hackers are winning. As noted by Information Age, data breach reports are up 75 percent over the last two years. While part of this increase is tied to emerging legislation and disclosure requirements, a quick look at tech headlines makes it clear that attackers are coming out ahead in the fight to keep corporate networks, applications, and data secure.
But it’s not all bad news. Armed with knowledge of the current breach landscape and actionable insight to protect critical assets, organizations can start to even the score and put hackers on the defensive. Here’s what you need to know.
2018 saw substantial breach activity. In May, Twitter reported that 333,000,000 records were breached after a glitch that stored passwords in plain text on internal systems. The month before, Facebook reported 29,000,000 compromised records after “malicious third-party scrapers” grabbed user data.
It gets worse: In August 2018, 14.8 million voter records were exposed in Texas after a single file was stored without a password on an insecure server. Names, addresses, voting history, and gender data were compromised. In December, Marriott Hotels reported that half a billion customer records were breached across multiple hotel chains and revealed the hack began in 2014. So far, there’s no word on the threat vector used.
Also worth mentioning? The massive Equifax breach from last year exposed the credit information of almost 150 million Americans, supposedly because security patches weren’t properly applied.
Even a cursory glance at the data makes it clear: Big companies are getting hit by bigger and bigger breaches — and in many cases, hackers don’t even have to try that hard. What’s the disconnect?
Why are hackers enjoying so much success while IT teams struggle to keep up? Increasing malware availability is one concern: As noted by IT Pro Portal, 2019 will likely see an increase in “malware-as-a-service”—tools and kits that low-skilled attackers can buy on the Dark Web and come complete with customer service emails and ongoing support.
But here’s the hard truth: Despite increasing hacker savvy and growing malware markets, cybercriminal success stems in large part from in-house IT sources, including:
While attackers’ nature means they always push the bounds of IT security measures, businesses can level the playing field and deny hackers another win.
Best bet? Start with regular penetration tests carried out by reputable third-party providers. This circumvents the unconscious bias of in-house testers, who often avoid out-of-the-box attacks in favor of more traditional methods that report secure systems. Next, enable or deploy automatic patch policies to ensure the latest application and OS updates are applied to critical systems. While there’s potential for lost productivity if patching doesn’t schedule properly or encounters unexpected conflicts, it’s better than the Equifax alternative.
Last but not least? Protect your mobile apps. Protect your client and server applications. Hackers have plenty to choose from between these and now IoT apps: Just one reverse-engineered app or privilege escalation could lead to a full-on network breach. Ideally? Implement the app hardening trifecta: Code obfuscation to protect IP and mask potential vulnerabilities, encryption to hide valuable data, and runtime application self-protection to detect and reject tools and techniques hackers use, such as debuggers, emulators, code injection, etc.
Hackers are winning the data breach battle, but the war isn’t over. Know their methods, understand common risks, and implement straightforward strategies to gain a tactical advantage.