Fallout from giants at the top is one of the largest drivers of cyber-impacts on everyday people and companies.
Big businesses are constantly under attack, and that affects everyone from customers and business partners to parties with national security interests.
When successful, the initial compromise is only a means to an end — the real goal is to mount follow-on attacks like spearphishing, extortion attempts and account takeover (ATO). And much to the chagrin of security experts, those attacks on household-name companies are growing. Last year saw more than 6,500 data breaches, exposing a staggering 5 billion compromised records, according to Risk Based Security. “Breaches against large enterprises are becoming more frequent. There are several reasons for this – notably, breaches are no longer standalone incidents, they are part of larger organized cybercrime networks,” said Arun Kothanath, chief security strategist at Clango, in an interview.
The second reason, Kothanath said, was that the price of data is skyrocketing: Beyond data tied to financial institutions being an attractive target, so is data tied to healthcare, education, infrastructure, elections and national security.
Even though we live in a “breach-of-the-week” era, where data-thieving and inadvertent information exposures have become an expected part of the landscape, large enterprises can’t afford to see data stewardship as anything other than a critical risk, experts warn.
Scale and Complexity
Alex Guirakhoo, strategy and research analyst at Digital Shadows, told Threatpost that contrary to conventional wisdom, large enterprises can represent some of the lowest-hanging fruit for criminals to snatch off the data tree, simply by virtue of their scale.
“Fortune 500 companies have a much larger attack surface,” he said. “It’s more difficult to promote an effective security culture across a base of tens of thousands of employees than for a company with only a handful. This opens up greater potential for issues stemming from human error, like vulnerabilities going unpatched, or a server containing sensitive customer information being inadvertently accessible to the public without authentication.”
Add in the fact that people tend to reuse passwords across different services and often mix personal and corporate use of email and mobile devices, and the attack surface becomes even wider. Guirakhoo said someone using company email on an insecure personal device represents an easy path to the corporate jewels.
Third Party ‘Stranger Danger’
Larger companies also have more partners and suppliers, opening up the potential for third-party compromise and supply-chain risk. This has been seen in several large breaches, including, famously, the Target breach (a hack of its HVAC provider started the attack) and last year’s attack on software service provider 7.ai, a company that provides online chat services. Hackers targeting 7.ai were able to use the platform to ultimately compromise Delta, Sears and other 7.ai customers.
“In most cases, carefully planned attacks can find data that is pertinent in a smaller company that is a subsidiary or a contractor to a larger enterprise,” said Clango’s Kothanath. “In this case the smaller company proves to be the weakest link to attain the same data.”
Large organizations also have a unique risk that is inherent to mergers and acquisitions, as was the case with Marriott’s acquisition of Starwood, Guirakhoo pointed out.
“When you acquire another company, you also inherit any vulnerabilities or security issues that they may have. These can slip through the cracks, then becoming the responsibility of the acquiring company,” he said.
Amidst all of this, the sheer number of employee logins at Fortune 500 companies available on the Dark Web is staggering: 21 million to be exact, many in plaintext form, according to a recent report by ImmuniWeb. And according to Verizon’s 2019 Data Breach Investigations Report (DBIR), almost a third of the network compromises tracked overall involve the use of stolen credentials.
Large Enterprises, Large Impacts
For attacked companies, costs stemming from a data breach are myriad; there’s the loss of intellectual property, direct financial theft, fines and penalties for the loss of regulated or financial data, loss of system availability and productivity, and of course brand impact, which increases as organizations get larger and more prestigious.
Then there are the follow-on attacks; corporate data can be used to craft convincing spearphishing emails, for instance. And consider that business email compromise (BEC) and other social engineering scams that can be mounted using stolen account credentials can be more effective against large organizations: “The sheer volume of people could make it easier for an attacker to impersonate an employee and request funds from an executive,” Digital Shadows’ Guirakhoo noted.
And then there’s malware to consider. Data breaches involving account credentials make it much easier for cybercriminals to drop malware on corporate endpoints, such as cryptominers and ransomware.
“Bad actors can infiltrate an organization’s network to infect machines and demand a ransom for the organization to pay or it will release the data or destroy it,” said James McQuiggan, security awareness advocate at KnowBe4.
But beyond the impact to the breached enterprise itself, there’s a “ripple effect” of data-breach fallout from the giants at the top of the corporate food chain that can have far-ranging consequences. Data leaks leading to privacy violations, for instance, can have a huge impact, given that this affects everyone from end users to regulators. The infamous Equifax incident is but one example.
Valuable consumer data from a breach against a high-profile organization can be sold for thousands of dollars, as Dark Web denizens continue to provide a market for the information.
“Large enterprises and Fortune 500s tend to have a unique risk profile in many aspects,” said Oz Mishli, security researcher at Unbound Tech, speaking to Threatpost. “These enterprises tend to have a lot of assets, end users and employees, making them a much more lucrative target than a small organization — in a world where most data breaches are financially motivated, and selling loads of compromised personal data on the Dark Web can make a fortune.”
Also, consider suppliers and partners, which can be caught in the ATO crosshairs. IT systems consulting behemoth Wipro Ltd., for instance, said in April that its network was hacked using stolen and phished credentials, and used for mounting attacks on its customers.
Also, using network credentials to infiltrate systems can lead to operational consequences, which are especially concerning when it comes to utilities or critical transport infrastructure, where national security aspects can come into play. The 2017 WannaCry incident, for instance, impacted shipping giant Maersk, holding up deliveries and impacting prices for consumer goods worldwide.
The same idea applies to other verticals where operational technology has physical impacts.
“The prevalence of destructive attacks like ransomware directly impacts system availability,” Tim Wade, technical director with the CTO Team at Vectra, told Threatpost. “In the context of an essential service or critical infrastructure, this may lead to more impactful concerns like delays to first responders or the unavailability of medical services – this transcends just ‘bottom line’ concerns and has a real, tangible impact on our social fabric.”
Combatting Data Breaches
When it comes to shoring up defenses, a November survey from FireEye found that more than 90 percent of respondents believe that the cyberthreat landscape will stay the same or worsen in 2020. Further, half (51 percent) said they don’t believe they’re ready for, or would respond well to, a breach event. Moreover, 29 percent of organizations with breach-response plans in place have not tested or updated them in the last 12 months or more.
Just over 11 percent have employee security training in place. This is “especially concerning considering that a cyberattack can often result from just one employee clicking on a single hyperlink,” according to the report.
The only good news is that to address concerns regarding the potential loss of sensitive data, customer impact and business operation disruptions, three-quarters (76 percent) of organizations said they plan to increase their cybersecurity budget in 2020.
Globally, participants consistently identified the same solutions as having the most positive impact on their organization’s ability to prevent a breach. Vulnerability management and security software took the lead (slightly above 16 percent). Employee training was third (14 percent), followed by response plans and security hardware (both slightly above 12 percent). While the survey found that regulatory compliance is the main driver for most cybersecurity programs, the loss of sensitive data is what keeps senior executives awake at night, not fear of compliance fines.
Large enterprises, however, have unique profiles to take into account here as well.
“For larger enterprises, their problem comes down to asset management. In previous attacks against large organizations, it comes down to not knowing all of their servers, workstations, software and other assets,” said McQuiggan. “They weren’t monitoring or updating internet-facing devices, and when the bad actors discover these systems connected, they can compromise the systems and gain access.”
Clango’s Kothanath said that controlling privileges is also a common challenge for big businesses.
“If the employees don’t have the awareness of how valuable their identity is in protecting enterprise assets, it is a large problem for the enterprise,” he said. “Not having the visibility to the threat landscape leaves them with inadequate defense to proactively combat. Also, not having accountability in roles and privileges can lead to excessive access to critical systems. Controlling ‘who has access to what’ by carefully instituting management, monitoring and maintenance of roles, privileges and other entitlements can greatly reduce the overall impact and increase proactive measures. This approach increases visibility and the ability to implement a ‘just in time’ approach on every critical access, which will reduce the effect of a breach.”
The move to the cloud should be another area of focus; more than 44 percent of global respondents in the FireEye survey have transitioned some of their environment to the cloud, 35 percent had transitioned some of their environment with plans to continue, and 17 percent had completed a full cloud deployment. U.S. organizations reported being furthest along in adopting a cloud-first approach, with 37 percent having finished a complete cloud migration.
“Regulators and large enterprises both highlight the protection of critical data as an area that needs immediate attention,” said Yaniv Valik, vice president of product, cyber and IT resilience at Continuity Software, in an interview. “However, the market is crowded with solutions offering advanced protection for network endpoints and systems with less critical data, but when it comes to the security of data storage systems, there’s a major gap. They are not adequately secured and are significantly more vulnerable to cyberattacks.”
The bottom line is that large enterprises need to understand their attractiveness to cybercriminals and know their own weaknesses and risk areas – in order to craft plans to meet their security challenges and improve data protection. And, they need to understand that their actions have direct effects on everyone around them.
“Sensitive data exposure creates consequences, regardless of the means of exposure – targeted attacks, unauthorized access or employee negligence,” said Emily Wilson, vice president of research at Terbium Labs. “Fraud, identity theft, account takeover and new account fraud can still result from the data exposure, creating a host of issues for consumers who feel the impact of the exploits one way or another. The data exposed here is lifetime data – Social Security numbers aren’t easily re-issued like credit cards, and people won’t change their names, addresses or phone numbers as the result of a data breach. This type of exposure has decades-long implications for individuals who rely on this identifiable information to live their lives.”
By Tara Seals