What Cybersecurity Professionals Can Learn from the Big Data Breaches?

February 26, 2018

Since the start of the new millennium, dozens of high-impact cybersecurity incidents have been reported – with multiple major data breaches occurring in any given year.

Each comes with its own set of lessons for the industries and organizations involved, and for the cybersecurity professionals who endeavor to protect them.

A quick sample:

  • Every single Yahoo user account – all 3 billion of them – was compromised during a 2013 breach, the most massive in history. Its origin remains unclear.
  • A year later, despite more robust password requirements, Yahoo got hit again, with 500 million accounts affected. A report in CSO Online said the data breach began when a Yahoo employee clicked on a spear-phishing e-mail sent by hackers working for Russia. The FBI has an arrest warrant out for Alexsey Belan, a notorious Latvian hacker it believes was involved in the incident.
  • In May 2014, eBay reported that intruders had broken into the company network and gained access to the names, addresses, dates of birth, and encrypted passwords of everyone using the service – 145 million in all. How did it happen? According to the company, the hackers obtained login credentials for three corporate employees and, as a result, had unfettered access to the network for 229 days.
  • Target traced its late 2013 breach, which compromised around 40 million credit and debit card numbers, back to an HVAC vendor that used a computerized system to remotely control on-site equipment. Hackers allegedly used e-mail spear phishing to infect the vendor’s network with malware, which eventually yielded the credentials needed to access Target’s systems. Once in, the hackers uploaded a malicious script to a vulnerable web application, identified attack vectors, gave themselves domain admin privileges, and eventually threaded their way to the company’s Point of Sale equipment.
  • Credit rating giant Equifax announced, in late 2017, that 143 million users – half the U.S. population – had their personal information exposed in an attack traced to a web application vulnerability.

While each cybersecurity data breach has its distinct characteristics, certain themes recur again and again. Human users remain the weakest cybersecurity link, with our propensity to fall prey to social engineering or spear-phishing schemes. Poor password protection, still the case with countless network users, offers adversaries an easy break-in route. Wide-open web applications – often developed with convenience rather than security in mind – provide opportunities for those who know where to look.

Dr. Jason M. Pittman, professor of cybersecurity and computer science at Capitol Technology University, sees a broader problem, one that calls for a fundamental rethink of our interactions with web services.

“Perhaps the biggest takeaway from a post-mortem of cybersecurity breaches is that our cognitive models – how we conceive of our relationship to data – are inherently flawed,” Pittman says. “Would you give a stranger the keys to your house to hold onto for an indeterminate length of time? I would suppose not. Yet, this is precisely what we do when we ‘give’ our data to these organizations. This is data which, in the shared reality we inhabit, is perceived as being extensions of our identities, of ourselves. Moreover, we have no means to manage our data once given away.”

“We’re forfeiting control of something that, in a sense, is more permanent than the keys to a house. After all, we can rekey our locks. Unfortunately, we do not have a reliable way to rekey our identities,” Pittman said.