Sections
- What is a data breach?
- Main causes of a data breach
- Most frequent attack vectors in IT environments
- Impact on IT infrastructure and business consequences
- How to respond to a data breach
- Effective strategies to prevent a data breach
- Practical checklist: how to protect your IT environment against a data breach
- Pandora FMS and Pandora SIEM: your ally in preventing data breaches
Our private information is everywhere, and the risks range from incessant spam and fraud calls to the tenth phishing attempt of the day. Or worse: stolen identities that end up in scams, fines in our name, or bank accounts cleaner than our bathroom has ever been.
It seems inevitable, but it isn’t. That’s why we’ll look at everything about data breaches: what they are, how they happen, the consequences for our organization if we suffer one, and what we need to do to protect ourselves.
What is a data breach?
A data breach is a security incident where unauthorized entities copy, use, transmit or access confidential, protected or critical information.
Or, as Article 4.12 of the GDPR defines it, with the usual simplicity of legal language:
“Any breach of security resulting in the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication or access to such data.”
In other words, someone accesses data they should not or, reading the law carefully, destroys or alters it, even without having looked at it.
This does not only happen through the actions of evil hackers in unwashed black hoodies; it may also be due to:
- Leakage: disclosure (accidental or not) of data through unsecured channels, such as those textbook cases that put a thousand email addresses in the CC field instead of BCC. Or someone who uploads personal data to an S3 bucket that turns out to be configured as public.
- Exfiltration: a breach caused by malicious actors (external or internal), such as ransomware that copies a database to a remote server and then encrypts it on our systems or, now for real, the hoodie-wearing hacker who gets in through some crack and extracts 500 GB of data before we finally sniff out his lateral movements.
- Loss: similar to leakage and sometimes included in it. It is a loss of data due to a technical or human failure without malicious intent, such as a bad update that corrupts a database, or a cleanup script that deletes what it should not.
What distinguishes these from other security incidents, such as a DDoS or an intrusion without exfiltration or destruction, is that unauthorized access to or manipulation of data.
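A quick check for the S3 case above, added here as an illustration rather than taken from the original post: given a bucket policy document, it reports every Allow statement whose Principal is the anonymous wildcard, which is exactly the misconfiguration that turns a bucket of personal data into a public download. The sample policy, the bucket name and the account id are constructed; the check only inspects bucket policies, not object ACLs or the account-level Block Public Access setting.

```python
import json

# Constructed sample bucket policy (not from any real account). The second
# statement is the "oops": it lets anyone on the Internet read every object.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-data/*"},
        {"Sid": "Oops", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::customer-data",
                      "arn:aws:s3:::customer-data/*"]},
    ],
})


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal):
    """True when the statement applies to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(policy_json):
    """Return one finding per Allow statement open to anonymous callers.

    Statements carrying a Condition block are still reported, flagged as
    'conditional': a condition may narrow the wildcard, but a human must check.
    Deny statements and NotPrincipal are out of scope for this simple check.
    """
    policy = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow" or not _is_anonymous_principal(st.get("Principal")):
            continue
        findings.append({
            "sid": st.get("Sid", f"statement[{i}]"),
            "actions": _as_list(st.get("Action")),
            "conditional": bool(st.get("Condition")),
        })
    return findings
```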
Main causes of a data breach
Data breaches do not happen by magic; they have causes:
- Human errors and improper access. Many times caused by the natural enemy of the technician and predator of his mental health: the user, who has once again clicked where he should not or opened what we told him not to open. However, after pointing the finger at him, we can turn it towards ourselves, because it may also be that we uploaded the data where we should not have, or were careless in configuring permissions.
- Configuration flaws and vulnerabilities. Poor security on our database, or an unpatched vulnerability, can lead to the incident.
- Internal and/or supply chain threats. Disgruntled employees or aggrieved technicians can cause a data breach. Or a vendor has mediocre security and our SaaS CRM gets hacked, leaking customer data.
Most frequent attack vectors in IT environments
The movies teach that these things happen because geniuses in the shadows fight other geniuses by typing incoherent strings very fast into a terminal, a kind of cyber-wizard duel. But those same movies also tried to make us believe that Chris Hemsworth (aka Thor) or Hugh Jackman (aka Wolverine) were hackers, or that our group of marginalized cyber-geniuses would include an Angelina Jolie. So they don’t resemble the reality of how data breaches happen either.
The most frequent vectors are:
- Phishing. The cockroach of cyber threats, the one that will never die, with fraudulent emails (or SMS, WhatsApp messages, etc.). Unless you are a strategic organization in the sights of highly motivated malicious actors, most attacks will arrive through this vector.
- Ransomware and other types of malware. Because maybe you didn’t click on the phishing link, but you downloaded that pirated program and it installed a keylogger that records what you type.
- API attacks. A growing vector, where poorly secured APIs leak data they should not in response to ingenious requests or unauthorized access. This was the case at Twitter in 2022, where an API without proper authentication allowed checking whether an email address or phone number was associated with an account, enabling doxxing (identity disclosure) and phishing.
- Already leaked credentials. That is, someone uses a password found on the dark web or wherever, and the user never changed it.
- Insider threats. A key vector, because a disgruntled employee does more damage than the most powerful hacker.
- Breach in the supply chain. We are serious: that language model that writes emails for us that no one will read has holes the size of train tunnels. Or we keep files in iCloud and there’s a repeat of 2014’s Celebgate.
- Unpatched vulnerabilities. Because we use applications or operating systems without updating them, or we face a zero-day: an unknown vulnerability that, therefore, has no fix yet.
Impact on IT infrastructure and business consequences
If data is compromised, we will face consequences, both for our IT infrastructure and for the organization as a whole.
1. Losses due to alteration of operations
If the data breach comes via ransomware, for example, we may not be able to work, because everything is encrypted unless we pay the ransom that will surely be demanded. Or, simply, forensics and mitigation disrupt day-to-day business.
Every second of this is a loss, but it is not the only impact.
2. Reputational damage
We have failed to take care of the data we hold, so some customers, partners or shareholders will not want to stay with us. For example, after the Equifax data breach in 2017, its stock market value plummeted.
Reputation costs a lot to earn and is lost in an instant, and it is also the hardest thing to quantify. For example, we will never know the business lost because whoever hears about what happened discards us as an option to work with.
3. Regulatory sanctions
Depending on the breach and the organization, we may be subject to various standards, such as:
- NIS2, if we are a strategic EU company.
- PCI DSS, if we handle online payment and credit card data.
- The Spanish ENS (National Security Scheme), under Royal Decree 311/2022, of May 3.
- The GDPR, the European data regulation par excellence, which establishes the legal framework for data protection, and so on.
The issue is that the penalties are substantial and are imposed:
- For not having done what the law establishes to take proper care of the leaked data.
- For not having communicated the breach in a timely manner, even when we took every possible precaution.
Therefore, to mitigate consequences, our response to the breach must be flawless.
How to respond to a data breach
When the incident occurs, our action must be twofold. On the one hand, technical: detecting and containing the breach as soon as possible. On the other hand, legal: notifying the competent bodies, such as the Spanish Data Protection Agency, for example. Likewise, the law will require us to notify users, also following certain criteria.
Let’s analyze the necessary steps in more depth.
- Breach detection. Either because we discovered it thanks to a good IDS or SIEM, or because we had a heart attack at the ransomware extortion screen, or because the data was spotted on the dark web, Pastebin or shady information markets… and we didn’t even know.
- Immediate containment. The first thing is to stop the bleeding and minimize the damage. To do so, we isolate affected systems, block compromised accounts, stop exfiltration by disconnecting…
- Evaluation. Determining what data has been breached and the scope of the breach (how many accounts or records are compromised).
- Legal notification. The GDPR requires it within 72 hours, but legislation such as NIS2 shortens that to 24 hours for essential operators, so don’t sleep on it.
- Technical resolution of the breach. Plugging the rat hole, making sure to eliminate persistent threats (APTs), recovering data from backups, etc. The technical steps will differ depending on the specific nature of the data breach.
- Strategic communication. To users and regulators. The law requires us to be clear and to inform them if there is a risk. Many companies err on the side of minimizing it because, perhaps, bank details or card numbers were not affected, thank goodness, but IDs, addresses and telephone numbers were leaked, and those can be used for identity theft, spam, phishing or fraud. Personally, I am horrified by what can be done with this information and some social engineering, but the average user is unaware of these things.
- Recovery and hardening. Life cannot go on the same, no matter what the song says. We must be clear about what happened and come back stronger so that it does not happen again, with reinforced controls, stricter access policies, etc.
In short: learn from mistakes, a phrase we love to tell others but hate to apply to ourselves.
Throughout this process, a good SIEM like Pandora SIEM will do much of the heavy lifting in that response, with actions such as:
- Risk management reports and audits as required by NIS2.
- Detecting unauthorized access as soon as it occurs, as well as logging activity for prompt communication to agencies and demonstration of diligence.
- Automated immediate actions, such as blocking compromised computers and malicious IPs, and immediately notifying the SOC.
- But above all, the main help is greater upstream protection and continuous monitoring, reducing the risk of the data breach occurring in the first place.
Effective strategies to prevent a data breach
The only good breach is the one that does not occur, so we must apply effective strategies to prevent it. The main ones are:
- Continuous monitoring. Of the entire infrastructure, aggregating and correlating logs from the different elements to detect complex attacks. A good SIEM is essential for this.
- Data encryption. Both in transit (TLS 1.3) and at rest (AES-256) so that, even if exfiltrated, the data cannot be read.
- Draconian identity and access management. Always two-factor authentication and least-privilege policies, where no one has more access than necessary.
- User training and regular drills. The best walls are useless if the user keeps opening the doors. That is why we must train them on the main threats and run regular drills on phishing, social engineering or intrusion, both technical and physical, at the facilities.
- Periodic audits. Both of key application code before new versions (if we can), and annual pentesting, to see how we withstand or respond to a possible breach.
Practical checklist: how to protect your IT environment against a data breach
I’d like to break the above strategies down into concrete actions, so let’s look at a checklist for implementing the essentials. Obviously, I don’t know whether your infrastructure is an ocean of a thousand systems of all kinds plus SaaS, or 12 potatoes and a Raspberry Pi, but it doesn’t matter.
These actions are applicable to everyone, and include some tips and nuances from the Pandora team’s experience.
Let’s examine if we have each point.
- Two-factor authentication for access. I know it is tiring and inconvenient, but malicious actors know (and exploit) that too.
- Periodic rotation of credentials. Mandatory password changes every 90 days, for example.
- Data access policies based on the principle of least privilege. Because Rafa from accounting does not need to access CRM data.
- Access policies audited every month, for example. Because maybe Rafa has moved to sales, but his access to financial information was not revoked.
- Segmented critical networks. The webcam does not look good connected to payment networks, seriously.
- Segmented data. The same principle as for access and networks applies: don’t keep all the gold in the same box. So, if they get to the CRM data, it should not sit alongside the balance sheets and banking data.
- Data encryption, both at rest and in transit.
- A SIEM that allows continuous monitoring and scheduled alerts in the event of a breach.
- Automated mitigation actions (if they can be implemented with our SIEM and/or SOAR) for simple key actions such as isolating compromised machines, blocking malicious IPs, or creating alerts and tickets.
- DLP (Data Loss Prevention) actions, such as SIEM alerts for massive data copies to USB, for example.
- Automate updates as much as possible.
- Monitor new CVEs and vulnerabilities that affect us. Despite the above, the time between a vulnerability appearing and its patching is critical. We must keep a watchful eye on the vulnerable app or equipment until the fix arrives, or take preventive measures during that time if it is not key to operations.
- Periodic user training.
- Mock phishing and social engineering exercises to check that users were paying attention in the previous point. Randomize them, or people will only be on the alert around the usual dates.
- A strict backup policy following best practices, such as the 3-2-1 rule, immutability, or monthly verification that the copies are recoverable and in good condition.
- Know exactly the legal requirements that affect us and the specific steps those laws require, both to prevent incidents and when they occur. Yes, reading War and Peace is easier, but there is no excuse.
- Documented data breach action plan, clearly detailing specific actions and WHO should perform them. I hope I have sufficiently highlighted the importance of the who.
- Endpoints protected with EDRs or agents that report to the SIEM. Pay special attention to personal devices given the BYOD (Bring Your Own Device) trend.
- Checking our supply chain. That is, suppliers of services or products such as cloud hosting, outsourced commercial services or whatever, making sure they meet requirements, hold ISO 27001, etc.
Just as you can’t build a house without the right tools, you won’t implement this checklist without professional applications. And at the center of it all is the SIEM, the command and control center that never rests, lifting every rug, illuminating every corner and linking the pieces of information in our IT infrastructure.
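As an added example (not part of the original post, and not Pandora SIEM’s own rule syntax), here is the detection logic behind the DLP item in the checklist, run over constructed endpoint-agent events: it sums bytes copied to removable media per user inside a sliding time window and raises one alert when a burst crosses a threshold, ignoring copies to other destinations. The log format, the users, the paths and the 1 GiB / 10 minute thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample endpoint-agent events (not real telemetry). The line
# format is an assumption: ISO timestamp followed by key=value fields.
SAMPLE_EVENTS = """\
2024-05-03T10:01:12Z user=rafa action=file_copy dst=removable bytes=734003200 path=/crm/customers_2023.csv
2024-05-03T10:02:40Z user=rafa action=file_copy dst=removable bytes=629145600 path=/crm/customers_2024.csv
2024-05-03T10:03:05Z user=ana action=file_copy dst=removable bytes=2048 path=/docs/notes.txt
2024-05-03T10:04:30Z user=rafa action=file_copy dst=network bytes=900000000 path=/backups/db.dump
2024-05-03T10:05:50Z user=rafa action=file_copy dst=removable bytes=419430400 path=/finance/balance.xlsx
2024-05-03T11:30:00Z user=ana action=file_copy dst=removable bytes=104857600 path=/docs/slides.pptx
"""

WINDOW = timedelta(minutes=10)   # sliding window per user (assumed tuning)
BYTES_THRESHOLD = 1024 ** 3      # 1 GiB to removable media inside the window


def parse_event(line):
    """Parse one 'timestamp k=v k=v ...' line into a dict."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["bytes"] = int(ev["bytes"])
    return ev


def usb_mass_copy_alerts(log_text, window=WINDOW, threshold=BYTES_THRESHOLD):
    """Return one alert per user whose copies to removable media reach
    `threshold` bytes within any `window`; copies elsewhere are ignored."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            if ev["action"] == "file_copy" and ev["dst"] == "removable":
                per_user[ev["user"]].append(ev)
    alerts = []
    for user, events in per_user.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(events):
            # Slide the window start forward until it spans at most `window`.
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            burst = events[start:end + 1]
            total = sum(e["bytes"] for e in burst)
            if total >= threshold:
                alerts.append({"user": user, "from": burst[0]["ts"], "to": ev["ts"],
                               "bytes": total, "files": [e["path"] for e in burst]})
                break  # one alert per user per burst is enough for the SOC
    return alerts
```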
Pandora FMS and Pandora SIEM: your ally in preventing data breaches
Pandora FMS and Pandora SIEM are the result of best practices. Forged in the fires of Mount Doom (and real experience), they are an elite tool to protect you, not only from data breaches, but from any attack.
In data breaches, the main help is, above all, to prevent them. How? With log aggregation and event correlation for real-time detection of complex attack patterns.
Likewise, continuous monitoring, even of the most heterogeneous networks, and a unified dashboard in the metaconsole (or whichever dashboards and customized consoles we need) give us the control we always wanted.
During containment and response to a data breach, Pandora lets us see all the information about the event at a glance, immediately detecting what has happened, and respond automatically with actions such as isolating equipment, blocking IPs, etc.
During forensic and communication work, it facilitates regulatory compliance, reporting according to the law, and demonstrating our diligence by storing the logs and information needed for audits.
Looking at the fraudulent calls my cell phone blocks every day, it is clear that data breaches are one of the security incidents on the rise. Implementing what we have seen will help us prevent and mitigate them, and Pandora FMS, together with Pandora SIEM, lets us ride into the fight on Mazinger Z (let the prehistoric references not die out).
But of course, at the risk of marketing throwing a stapler-shaped photon torpedo at me, what are we going to say about our crown jewel?
We honestly believe that Pandora is the best option, but (here comes the second stapler, flying amid shouts) you don’t have to believe us and, in fact (third stapler, as I write sheltered under the table), you would do well not to, because talk is cheap.
That’s why we invite you to a free demonstration of Pandora. We invite you to try it, to ask us, to question us until there is no doubt left and then, seriously, to compare other options. We know you can’t convince anyone of anything, but you will convince yourself if you try us.
Beyond limits, beyond expectations