A data breach occurs when sensitive information is exposed to the public without authorization. These events are becoming increasingly common, costing businesses an average of US$4.35 million per event. Unfortunately, many companies are still unknowingly repeating the same mistakes that caused some of the biggest breaches in history.
To prevent your business from becoming another breach statistic, align your cybersecurity program with the proven breach prevention strategy outlined in this post.
To conveniently keep track of each addressed item, download this post as a PDF here.
The Data Breach Pathway
To successfully prevent data breach attempts, it's essential to first understand the anatomy of a data breach event.
The typical cyberattack pathway leading to a breach can be broken down into 5 phases.
Phase 1 - Phishing Attack
During phase 1 of the attack, an email posing as an important message from an authoritative sender is sent to a victim. These emails include malicious links leading to fraudulent websites designed to steal network credentials.
In 2022, phishing was the most expensive initial attack vector, resulting in average data breach damage costs of USD 4.91 million.
(2022 Cost of a Data Breach Report, IBM and the Ponemon Institute)
Phase 2 - Account Compromise
During phase 2, the victim performs the intended action of the phishing attack. This could involve clicking a link leading to a credential-stealing website or downloading a malicious file attachment that allows cybercriminals to access the victim's computer remotely. In either case, the objective is to compromise the victim's account and use it to access the organization's network.
Phase 3 - Lateral Movement
After penetrating the network, hackers move laterally to learn the network's layout. Sometimes they remain dormant for months, watching internal activity and learning user behaviors. When they're ready, they use previously compromised credentials and what they have learned to reach deeper network regions. In this phase, hackers also search for privileged credentials to compromise, since these unlock access to highly sensitive data resources.
Phase 4 - Privilege Escalation
After locating and compromising privileged credentials, cybercriminals gain deeper access to highly sensitive network regions that can only be accessed with privileged accounts. Once inside this critical region, cybercriminals begin the hunt for the following types of sensitive data:
- Personal data;
- Customer data;
- Social security numbers;
- Corporate email account details;
- Personal email account details, such as Gmail accounts;
- Any digital footprint details that could be used in an identity theft campaign (to potentially arm further, more targeted phishing attacks);
- Vulnerability disclosure and reports - an internal register of all computer system vulnerabilities security teams are yet to remediate.
Phase 5 - Data Exfiltration
Finally, after valuable data resources are located, cybercriminals deploy trojan malware to establish backdoor connections to their servers (known as command and control servers) and begin clandestinely transferring sensitive data out of the victim's network.
How to Prevent Data Breaches
A simple yet effective data breach prevention strategy involves adding resistance to the cyberattack pathway to make it increasingly difficult for hackers to progress toward their data theft objective.
This strategy can be broken down into two stages.
- Stage 1 - Preventing network compromise.
- Stage 2 - Preventing access to sensitive data.
Stage 1: Preventing Network Compromise
Data breach attempts are much harder to stop after a cybercriminal has entered your private network. The objective of stage 1 is to stop data breach attempts before your network is compromised - that is, to prevent hackers from progressing beyond phase 1 of the cyberattack lifecycle.
To maximize your chances of mitigating data breaches, there should be a greater emphasis on security controls preventing network penetration.
Network compromise could occur from internal network vulnerabilities or vulnerabilities across the third-party vendor network. A network protection strategy should, therefore, address the complete scope of attack vectors facilitating breaches - across both the internal and third-party attack surfaces.
This complete scope of attack surface coverage is achieved through four cybersecurity disciplines.
1. Cyber Awareness Training - addresses internal attack vectors
2. Internal Security Vulnerability Management - addresses internal attack vectors
3. Data Leak Management - addresses internal and third-party attack vectors
4. Vendor Risk Management - addresses third-party attack vectors
1. Cyber Awareness Training
Employees are the first line of defense for every cybersecurity program. Despite how much you invest in security measures, it's useless if an employee can be tricked into handing over the keys to your private network.
Cybercriminals trick employees into divulging private network credentials in one of two ways:
- Phishing - The practice of sending fraudulent emails purporting to be from reputable sources to coerce recipients into divulging private information.
- Social engineering - The use of emotional manipulation to pressure victims into divulging private information. Social engineering attacks don't just happen via email. They could occur over the phone (for example, a caller posing as a member of the IT department) or even in person (for example, a job applicant asking the receptionist for access to the Wi-Fi network to modify their resume).
Data breaches occurring through compromised employees aren't the result of carefully executed plots by malicious insiders. The reason is much simpler: these breaches happen because employees don't know how to recognize and respond to cyber threats.
Implementing cyber awareness training will equip your employees to avoid falling victim to phishing attempts. And if your training is effective, this single effort could protect your business from the leading cause of data breaches globally.
The following topics should be covered in cyber awareness training:
- Phishing attacks
- Removable media
- Strong password best practices
- Physical security
- Mobile device security
- Working remotely
- Public Wi-Fi
- Cloud Security
- Social media use
- Internet and email use
- Social engineering
An ideal cyber awareness training program should be coupled with frequent simulated phishing attacks to keep cyber threat awareness front of mind.
2. Internal Security Vulnerability Management
Internal security vulnerabilities range from product misconfigurations, open ports, and missing MFA to typosquatting susceptibility. Discovering these security threats is a collaborative effort between internal audits (using risk assessments and/or security questionnaires) and security ratings.
Security ratings are objective, quantitative measurements of your organization's security posture, expressed as a score from 0 to a maximum of 950. When used in conjunction with internal risk assessments, security ratings help you track the impact of all required remediation efforts on your overall security posture, supporting continuous alignment with your corporate risk appetite.
A straightforward strategy for minimizing network compromise risk is keeping your company's security rating as high as possible.
An internal security strategy focused on preventing unauthorized network access should also include the following common breach prevention controls.
- Endpoint detection and response solutions.
- Antivirus software.
Security ratings are a simple, high-level metric for tracking data breach susceptibility.
3. Data Leak Management
Most conventional data breach mitigation strategies lack a data leak management component. This is unfortunate since data leaks could significantly expedite data breaches by compressing the cyberattack pathway.
Data leaks exposing internal credentials could help cybercriminals to circumvent all security controls preventing unauthorized network access, allowing them to jump straight to phase 4 of the cyberattack pathway. Leaked privileged credentials compress the cyberattack pathway even further, allowing hackers to jump straight to the final data exfiltration phase.
According to the 2022 Cost of a Data Breach report by IBM and the Ponemon Institute, victims that respond to data breaches in less than 200 days spend an average of $1.1 million less on data breach damages. So if you're currently a victim of data leaks, not only are you increasing your risk of suffering an expedited data breach, you're also increasing your risk of paying more in data breach damages.
Common dark web data leaks hosts include:
- Ransomware blogs - ransomware gang noticeboards displaying public announcements and links to stolen data.
- Dark web marketplaces - cybercriminal marketplaces selling data stolen in cyberattacks.
- Dark web forums - cybercriminal forums hosting discussions about cybercrime.
- Telegram groups - Private message groups between cybercriminals.
When choosing a data leak detection solution, there are two important considerations:
Not all data leak announcements are legitimate. Cybercriminals often falsify such announcements in ransomware blogs to mislead and divert security investigations. Due to the high likelihood of this happening, detected data leaks should always be manually reviewed for false positives - either by internal IT security teams or externally if leveraging the support of managed data leak detection services.
Third-Party Data Leaks
Almost 60% of data breaches are caused by a compromised third-party vendor (third-party breaches). Since third-party data leaks facilitate third-party breaches, overlooking these attack vectors means overlooking events most likely to result in your organization suffering a data breach.
The scope of data leak dumps is vast and ever-expanding. Tracking data leaks at a rate that matches their appearance across thousands of potential hosts can only be successfully managed with the support of an automated scanning solution.
UpGuard's data leak detection solution combines an AI-assisted search engine with manual reviews from cybersecurity analysts to reduce false positives and unnecessary response efforts.
For the most comprehensive coverage of potential data leaks linked to your business or any of your vendors, UpGuard continuously monitors common data leak hosts on the dark web, including ransomware blogs and data collection releases.
4. Vendor Risk Management
Vendor Risk Management (VRM) is the process of mitigating security risks from third-party vendors and service providers. VRM programs address the unique security risks and exposures faced at each stage of a vendor relationship.
- Onboarding - Using a combination of risk assessment and security ratings, a VRM program evaluates the security postures of prospective vendors to ensure alignment with risk appetites.
- Regulatory Compliance - By mapping security questionnaire responses to popular cybersecurity frameworks, a VRM program can identify compliance gaps to support ongoing compliance and prevent costly violations.
- Continuous Monitoring - With continuous third-party attack surface monitoring, a VRM program detects emerging vendor security risks that could lead to third-party breaches.
- Termination - With bespoke risk assessments scrutinizing access levels, a VRM program ensures offboarded vendors no longer have access to sensitive resources.
A critical component of Vendor Risk Management is third-party attack surface monitoring. This feature identifies potential security vulnerabilities that could facilitate third-party breaches and, by extension, the compromise of your internal sensitive data.
Detecting and addressing third-party security risks prevents hackers from penetrating your network through a compromised vendor.
Stage 2 - Preventing Access to Sensitive Data
Should a cybercriminal circumvent all stage 1 controls and penetrate your internal network, a data breach could still be prevented with the following stage 2 controls.
Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) introduces a series of additional user-identity confirmation steps between a login request and access approval.
The most secure form of multi-factor authentication includes a biometric authentication method. Biometric data, such as fingerprints or advanced facial recognition, is very difficult for cybercriminals to steal or replicate.
A powerful user authentication protocol often used in conjunction with MFA is Passwordless Authentication. Passwordless Authentication requires users to submit proof of their identity without entering a password. Common authentication methods include the submission of fingerprints or hardware token codes.
Privileged Account Management (PAM)
Privileged Access Management (also called Privileged Account Management) is the process of monitoring and securing users with the authority to access sensitive business resources. With PAM controls in place, a hacker can be prevented from progressing beyond phase 4 of the cyberattack pathway (privilege escalation).
A Privileged Account Management strategy protects sensitive resources from unauthorized access through a four-pillar framework.
- Monitor - Identify and monitor all privileged accounts.
- Secure - Secure all privileged accounts.
- Track - Track all privileged access activity.
- Scale - Automate privileged account management.
Zero-Trust Architecture (ZTA)
Zero Trust is a cybersecurity architecture developed by NIST (the National Institute of Standards and Technology). This framework assumes all network activity, whether internal or external, is a security threat. To prove otherwise, user accounts are continuously authenticated whenever sensitive resources are requested.
A Zero Trust Architecture includes other account compromise controls, such as Multi-Factor Authentication and privilege escalation management policies.
A zero-trust model is so effective at preventing data breaches it's specified as the ideal cybersecurity architecture for the Federal Government under President Biden's 2021 Cybersecurity Executive Order.
After a hacker has breached a network, they start moving laterally to identify where all the sensitive resources are located. Lateral movement can be disrupted by segmenting sensitive network regions from general user pathways.
To maximize isolation, all user accounts with access to these segmented regions should be guarded with Multi-Factor Authentication, with all connection requests approved from within jump boxes (hardened machines on an isolated network that host privileged credentials).
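The MFA, PAM, Zero Trust and jump-box controls above all come down to the same decision, taken anew at every access request. The Go program below is an added example, not code from the post or from UpGuard, showing a minimal policy decision point that applies them together: device posture is checked for every tier, sensitive resources require a recent MFA proof, and privileged resources additionally require that the request originate inside the jump-box network. The tiers, the 10.0.9.0/24 jump-box range, the 8-hour and 15-minute MFA windows and the sample request are all assumptions chosen for the demo.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// Tier is the sensitivity classification a resource carries in the CMDB (assumed taxonomy).
type Tier int

const (
	TierGeneral    Tier = iota // wiki, mail: posture check plus a completed MFA session
	TierSensitive              // customer PII, finance: MFA must be recent
	TierPrivileged             // admin consoles, databases: recent MFA and jump-box origin
)

// Request is everything the policy decision point knows about one access attempt.
type Request struct {
	User, Resource  string
	Tier            Tier
	Source          netip.Addr
	MFAVerifiedAt   time.Time // zero value means the session never completed MFA
	DeviceCompliant bool      // posture verdict from the endpoint agent
	Now             time.Time
}

// Policy encodes the segmentation rules: which network may reach privileged
// resources and how fresh the MFA proof must be per tier.
type Policy struct {
	JumpBoxNet    netip.Prefix
	SensitiveMFA  time.Duration
	PrivilegedMFA time.Duration
}

// Decision is the verdict plus every reason for a denial, so the SIEM can
// record exactly which control stopped the request.
type Decision struct {
	Allow   bool
	Reasons []string
}

// DefaultPolicy is a constructed example: jump boxes live in 10.0.9.0/24,
// sensitive data needs MFA within 8 hours, privileged access within 15 minutes.
func DefaultPolicy() Policy {
	return Policy{
		JumpBoxNet:    netip.MustParsePrefix("10.0.9.0/24"),
		SensitiveMFA:  8 * time.Hour,
		PrivilegedMFA: 15 * time.Minute,
	}
}

// Evaluate re-checks every request; nothing is trusted merely for being "inside".
func Evaluate(p Policy, r Request) Decision {
	var reasons []string
	if !r.DeviceCompliant {
		reasons = append(reasons, "device failed posture check")
	}
	mfaFresh := func(maxAge time.Duration) bool {
		return !r.MFAVerifiedAt.IsZero() && r.Now.Sub(r.MFAVerifiedAt) <= maxAge
	}
	switch r.Tier {
	case TierGeneral:
		if r.MFAVerifiedAt.IsZero() {
			reasons = append(reasons, "session never completed MFA")
		}
	case TierSensitive:
		if !mfaFresh(p.SensitiveMFA) {
			reasons = append(reasons, "sensitive tier requires MFA within "+p.SensitiveMFA.String())
		}
	case TierPrivileged:
		if !mfaFresh(p.PrivilegedMFA) {
			reasons = append(reasons, "privileged tier requires MFA within "+p.PrivilegedMFA.String())
		}
		if !p.JumpBoxNet.Contains(r.Source) {
			reasons = append(reasons, fmt.Sprintf("privileged tier reachable only from jump box network %s, not %s", p.JumpBoxNet, r.Source))
		}
	}
	return Decision{Allow: len(reasons) == 0, Reasons: reasons}
}

func main() {
	now := time.Date(2024, 3, 4, 10, 0, 0, 0, time.UTC)
	// Constructed request: a workstation on the user LAN, with fresh MFA, asks for the database console.
	r := Request{User: "jdoe", Resource: "db-admin-console", Tier: TierPrivileged,
		Source: netip.MustParseAddr("10.0.1.25"), MFAVerifiedAt: now.Add(-5 * time.Minute),
		DeviceCompliant: true, Now: now}
	fmt.Printf("%+v\n", Evaluate(DefaultPolicy(), r)) // denied: wrong network for the privileged tier
}
```

The request in `main` is denied even though the user has valid credentials, a compliant device and a five-minute-old MFA proof, because the privileged tier is only reachable from the jump-box network; the same request from 10.0.9.2 is allowed. Returning every failed check rather than the first one makes the denial log useful to a SOC.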
Should all the above stage 2 controls fail and hackers gain access to a sensitive customer database, the data contained therein will be of very little use to them if it's encrypted. Ideally, aim to encrypt data with the Advanced Encryption Standard (AES), the encryption standard trusted by government entities.
A data encryption policy should apply to all internal data at rest and in motion, not just data in the sensitive regions, including data stored on hard drives and laptops. Encrypting all internal data could prevent hackers from learning the user behaviors that arm their lateral movement and privilege compromise efforts, thereby disrupting the attack's progression between phases three and four of the attack pathway.
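As an added example (not the post's own code), the Go program below encrypts a customer record at rest with AES-256-GCM from Go's standard library, the authenticated AES mode practitioners generally reach for. The sample record, the record-id context string and the locally generated key are constructed for the demo. What it demonstrates is that a stolen ciphertext is unreadable without the key, and that any modification to the stored blob is detected on decryption rather than silently returned as corrupted plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Envelope is what lands on disk or in a database column: a fresh nonce plus the
// AES-GCM ciphertext, which carries its 16-byte authentication tag. The key is
// never stored beside it; in production it comes from a KMS or HSM.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewDataKey returns a random 256-bit key. Constructed for this demo; a real
// deployment fetches or unwraps the key from its key management service.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record. aad is authenticated but not encrypted; binding the
// record id here stops an attacker from swapping ciphertexts between rows.
func Seal(key, plaintext, aad []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // a nonce must never repeat under one key
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open decrypts and verifies; any change to nonce, ciphertext, tag, aad or key fails closed.
func Open(key []byte, env Envelope, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("envelope has wrong nonce length")
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the SSN is a placeholder, not real data.
	record := []byte(`{"customer_id":1042,"ssn":"000-00-0000","email":"jane@example.com"}`)
	env, err := Seal(key, record, []byte("customer:1042"))
	if err != nil {
		panic(err)
	}
	fmt.Println("at rest:", hex.EncodeToString(env.Ciphertext)) // unreadable without the key
	env.Ciphertext[0] ^= 0x01 // one flipped bit, whether from an attacker or disk corruption
	if _, err := Open(key, env, []byte("customer:1042")); err != nil {
		fmt.Println("tampered copy rejected:", err)
	}
}
```

The design choice worth noting is the additional authenticated data: with the record id bound into the tag, an attacker who can write to the database but not read the key cannot move an encrypted row to another customer, and a backup restored to the wrong row fails loudly.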
The following data security measures could also protect highly confidential information, such as financial information, from compromise:
- Security Information and Event Management (SIEM) - A cybersecurity discipline focused on real-time monitoring of network activity potentially leading to breaches.
- A password manager - This solution helps enforce strong password policies preventing privileged credential compromise.
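SIEM monitoring as described above turns phases 2 and 3 of the pathway into detections. The Go program below is an added example, not code from the post or from any SIEM product, that runs two correlation rules over a handful of constructed logon records: a successful logon from an address the user has never used before (an account-compromise indicator), and one account reaching three or more distinct hosts within ten minutes (a lateral-movement indicator). The log format, the baseline addresses and the thresholds are assumptions; a real deployment would load the baselines from the identity provider and tune the window per environment.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed logon record; Alert is what correlation hands to the SOC.
type Event struct {
	Time                    time.Time
	User, Src, Host, Result string
}
type Alert struct{ Rule, User, Detail string }

// Policy holds the baselines a detection engineer would load from the IdP and CMDB.
type Policy struct {
	KnownSrc     map[string]map[string]bool // user -> addresses they normally log on from
	LateralHosts int                        // distinct hosts per user inside Window that trips the rule
	Window       time.Duration
}

// parseLine reads the constructed "RFC3339 key=value ..." format used in SampleLines.
func parseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, err
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		if k, v, ok := strings.Cut(f, "="); ok {
			kv[k] = v
		}
	}
	return Event{ts, kv["user"], kv["src"], kv["host"], kv["result"]}, nil
}

// Correlate applies the two pathway rules to successful logons, in time order.
func Correlate(lines []string, p Policy) ([]Alert, error) {
	var events []Event
	for _, l := range lines {
		ev, err := parseLine(l)
		if err != nil {
			return nil, err
		}
		if ev.Result == "success" { // failed attempts belong to a separate brute-force rule
			events = append(events, ev)
		}
	}
	sort.Slice(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	var alerts []Alert
	seenSrc, fired := map[string]bool{}, map[string]bool{}
	history := map[string][]Event{}
	for _, ev := range events {
		// Phase 2 indicator: a successful logon from a source this user has never used before.
		if key := ev.User + "|" + ev.Src; !p.KnownSrc[ev.User][ev.Src] && !seenSrc[key] {
			seenSrc[key] = true
			alerts = append(alerts, Alert{"new-source-login", ev.User, ev.Src + " -> " + ev.Host})
		}
		// Phase 3 indicator: one account fanning out to many distinct hosts inside the window.
		history[ev.User] = append(history[ev.User], ev)
		hosts := map[string]bool{}
		for _, prev := range history[ev.User] {
			if ev.Time.Sub(prev.Time) <= p.Window {
				hosts[prev.Host] = true
			}
		}
		if len(hosts) >= p.LateralHosts && !fired[ev.User] {
			fired[ev.User] = true
			alerts = append(alerts, Alert{"lateral-movement", ev.User, fmt.Sprintf("%d hosts within %s", len(hosts), p.Window)})
		}
	}
	return alerts, nil
}

// SampleLines are constructed log lines replaying phases 2 and 3 of the pathway.
var SampleLines = []string{
	"2024-03-04T09:12:01Z user=jdoe src=10.0.1.25 host=mail-gw result=success",
	"2024-03-04T09:40:13Z user=jdoe src=203.0.113.7 host=vpn-gw result=success",
	"2024-03-04T09:41:02Z user=jdoe src=203.0.113.7 host=fs-01 result=success",
	"2024-03-04T09:41:30Z user=jdoe src=203.0.113.7 host=fs-02 result=success",
	"2024-03-04T10:05:00Z user=admin src=10.0.9.2 host=db-01 result=success",
}

// SamplePolicy is a constructed baseline: jdoe works from 10.0.1.25, admin from the jump box 10.0.9.2.
var SamplePolicy = Policy{
	KnownSrc:     map[string]map[string]bool{"jdoe": {"10.0.1.25": true}, "admin": {"10.0.9.2": true}},
	LateralHosts: 3,
	Window:       10 * time.Minute,
}

func main() {
	alerts, err := Correlate(SampleLines, SamplePolicy)
	fmt.Println(alerts, err) // two alerts for jdoe: new-source-login, then lateral-movement
}
```

On the sample data the morning logon from jdoe's usual address produces nothing, the logon from 203.0.113.7 raises the new-source alert once (later logons from the same address are deduplicated), and the third distinct host reached from that session within ten minutes raises the lateral-movement alert. The admin logon from the jump box stays silent.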
The Importance of an Incident Response Plan
An Incident Response Plan (IRP) is a cyberattack manual outlining how to respond to specific cyberattacks to minimize their impact. A well-designed IRP will help your security team quickly respond to data breach attacks, which could significantly reduce the damage costs of these events.
Protect Your Organization from Data Breaches with UpGuard
UpGuard's suite of features reduces data breach risks across multiple threat categories to create the most comprehensive data breach prevention solution.
- Internal and Third-Party Risk Discovery - Based on an analysis of 70+ attack vectors, UpGuard offers a continuously updated quantitative measurement of your internal security posture and the security postures of all your vendors.
Learn about UpGuard’s security rating solution >
- Data Leak Detection - With an AI-powered search engine also addressing third-party data leaks, and a team of cybersecurity experts assessing for false positives, UpGuard helps you efficiently detect and shut down the complete scope of data leaks before they're abused by cybercriminals.
Learn about UpGuard’s data leak detection solution >
- Vendor Risk Management - With features addressing risk exposure throughout the vendor lifecycle, including security ratings for prospective vendors, customizable questionnaires, and security assessments highlighting compliance gaps, UpGuard offers a complete framework for an effective Vendor Risk Management program.
Learn about UpGuard’s VRM solution >