When our team is initially called in for emergency incident response, we are never quite sure what we will find. Our goal is to identify the point of compromise, detect where the threat is and what data it has accessed, preserve evidence, and then respond to the threat by closing all vulnerabilities.
Here’s a pattern our digital forensics experts often encounter when responding to an incident and establishing what data was exfiltrated: whether the business was hit by ransomware or other malware, at some point a senior executive remarks that the cybercriminals breached an old server and accessed data that the company no longer uses or needs.
Unfortunately, old data or not, the consequences are no less severe. Perhaps a ransom needs to be paid. At the very least, all data subjects must be informed that their personally identifiable information (PII) has been compromised, which has reputational and financial consequences. And yet, if the data had simply been deleted, the breach could have been avoided.
Let’s take a look at some of the reasons why old data tends to fall victim to data breaches. First, zero trust and least privilege access, two terms you have no doubt heard multiple times or deal with on a daily basis, are not always enforced on older servers. Zero trust emphasises verifying every access request, while the principle of least privilege aims to restrict user access to the minimum level necessary for their job functions. In both cases, either multi-factor authentication (MFA) is required before a user can access data, or the user must hold privileged access to specific databases.
Let’s consider which databases have the most stringent controls in place. You’ve guessed it. Databases with sensitive information, proprietary information and PII will all require MFA and have least privilege principles in place.
This is one of the reasons why phishing attacks have become so successful in recent years. Hackers need a way into networks through vulnerable ‘low level’ entry points. From there they move laterally through networks, and if they go unnoticed, they can spend weeks or even months cracking passwords and profiles of people who do have the privileged access to highly sensitive data.
There’s another way in too: brute force attacks that use quantum computing to run millions of stolen credentials until a known password/email combination works, or to predict passwords. Nearly every combination of password exists, and quantum computing and artificial intelligence have changed the game when it comes to infiltrating systems.
How does this work? People tend to have a ‘password’ formula that uses various email and password combinations, and they will reuse older passwords once they think enough time has passed. Here’s an example of how that could become a problem and lead to a major breach. You may not have used the same password since you set up your LinkedIn account in 2010, but you also haven’t changed your password, and your details were in the set of 500 million LinkedIn profiles that were hacked and put up for sale on the dark web in 2021. Hackers buy password and email combinations and then use quantum computing to carry out brute force attacks on large networks.
Even worse, they don’t always even need stolen credentials. Simple password combinations can be cracked within minutes. Run a password through Password Monster or Password Strength Meter and you’ll see that ‘simple’ passwords can be cracked in as little as seven minutes, while strong passwords take up to 21 days to crack.
That’s of course where MFA, zero trust and least privilege access come in – which brings us full circle to that old data sitting on an unused server. In a highly regulated world that protects PII, where is your organisation’s cyber security focused? My guess would be where your most sensitive data resides. Which servers are not protected by zero trust, MFA, strong firewalls, least privilege access and regular patching?
It’s an easy win for hackers, and we’ve seen it time and time again.
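The two attacker behaviours described above, credential stuffing against a ‘low level’ entry point and lateral movement once a foothold exists, both leave a distinctive shape in authentication logs. The following detector is an added example and is not code from the original article or from Cybercom Africa; the log format, the thresholds and the sample log lines are constructed assumptions for illustration.

```python
"""Added example (not part of the original article): flag two patterns in
authentication logs, a single source failing against many different accounts
(credential stuffing) and a single account reaching many hosts in a short
window (lateral movement). Log format, thresholds and sample lines are
constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# "<ISO timestamp> <src_ip> <user> <dst_host> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.7 alice fileserver-old FAIL
2024-03-01T09:00:02 203.0.113.7 bob fileserver-old FAIL
2024-03-01T09:00:03 203.0.113.7 carol fileserver-old FAIL
2024-03-01T09:00:04 203.0.113.7 dave fileserver-old FAIL
2024-03-01T09:00:05 203.0.113.7 erin fileserver-old FAIL
2024-03-01T09:00:06 203.0.113.7 frank fileserver-old SUCCESS
2024-03-01T09:10:00 10.0.0.5 frank hr-db SUCCESS
2024-03-01T09:12:00 10.0.0.5 frank finance-db SUCCESS
2024-03-01T09:15:00 10.0.0.5 frank backup-srv SUCCESS
2024-03-01T09:18:00 10.0.0.5 frank dc01 SUCCESS
2024-03-01T10:00:00 10.0.0.9 alice mail SUCCESS
2024-03-01T10:05:00 10.0.0.9 alice mail SUCCESS
"""


def parse_log(text):
    """Turn the assumed log format into event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, host, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "user": user, "host": host, "ok": outcome == "SUCCESS"})
    return events


def _windowed_hits(groups, field, threshold, window):
    """For each group (already filtered), slide a time window over its events
    and report the first window in which `field` takes >= threshold values."""
    hits = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            values = {e[field] for e in evs[start:end + 1]}
            if len(values) >= threshold:
                hits[key] = sorted(values)
                break
    return hits


def detect_credential_stuffing(events, min_users=5, window=timedelta(minutes=10)):
    """Sources whose FAILED logins touched >= min_users distinct accounts
    inside `window`. Thresholds are illustrative assumptions."""
    by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_src[e["src"]].append(e)
    return _windowed_hits(by_src, "user", min_users, window)


def detect_lateral_movement(events, min_hosts=4, window=timedelta(minutes=30)):
    """Accounts that SUCCESSFULLY authenticated to >= min_hosts distinct hosts
    inside `window`, the fan-out pattern of an intruder moving laterally."""
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"]].append(e)
    return _windowed_hits(by_user, "host", min_hosts, window)


def analyse(text):
    events = parse_log(text)
    return {"credential_stuffing": detect_credential_stuffing(events),
            "lateral_movement": detect_lateral_movement(events)}


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for key, values in hits.items():
            print(f"{kind}: {key} -> {', '.join(values)}")
```

On the constructed sample the stuffing detector flags 203.0.113.7 (five accounts failed within seconds) and the lateral-movement detector flags frank, whose account, once compromised on the old file server, fans out to the HR, finance and backup hosts within half an hour. The thresholds and window sizes are starting points; tune them against your own baseline so that normal service accounts do not trip the lateral-movement rule.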
Five tips for preventing data breaches
1. Implement strong data hygiene and governance
   - Maintain a detailed inventory of all data, including where it is stored and who has access to it. Regularly review and update this inventory.
   - Identify and delete data that is no longer needed and can be legally removed. This reduces the amount of data that could be compromised in a breach.
2. Adopt zero trust and least privilege principles
   - Always verify the identity of users and the legitimacy of access requests, regardless of whether they are inside or outside your network.
   - Restrict user access to the minimum level required for their job functions. Implement multi-factor authentication (MFA) to secure access to sensitive data.
3. Enhance network monitoring and detection
   - Set up systems to continuously monitor network activity for unusual behaviour. This can help detect potential breaches early.
   - Use advanced detection tools to identify and respond to threats in real time, reducing the time hackers have to move laterally within your network.
4. Strengthen password policies and use MFA
   - Encourage the use of complex passwords and avoid password reuse. Utilise password management tools to help users create and store strong passwords.
   - Implement MFA for all user accounts, especially those with access to sensitive information, to add an extra layer of security.
5. Establish a 24/7 incident response plan
   - Develop a comprehensive incident response plan that includes 24/7 monitoring and reporting. Ensure your team is prepared to act quickly in the event of a breach.
   - Focus on preserving evidence during a breach investigation, closing vulnerabilities, and communicating transparently with affected parties to mitigate reputational and financial damage.
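The first two tips (a maintained data inventory, and deleting what is no longer needed) together with the least privilege and MFA tips can be turned into a routine review. The script below is an added example, not code from the article or from Cybercom Africa; the inventory fields, the access-count threshold and the sample records are constructed assumptions. It ranks highest the records that are both past retention and exposed (PII without MFA or with broad access), since deleting those removes the risk outright.

```python
"""Added example (not part of the original article): review a data inventory
for records past their retention period that can be deleted, and for PII
stores that lack MFA or have more accessors than least privilege would
justify. Fields, thresholds and sample records are constructed assumptions."""
from datetime import date

# Constructed inventory (not real data). Assumed fields per record:
# name, host, contains_pii, last_accessed, retention_days, legal_hold,
# mfa_enforced, accessors (number of accounts that can read the data).
INVENTORY = [
    {"name": "customer_orders_2015", "host": "legacy-sql-01", "contains_pii": True,
     "last_accessed": date(2019, 6, 30), "retention_days": 365, "legal_hold": False,
     "mfa_enforced": False, "accessors": 140},
    {"name": "payroll_current", "host": "hr-db", "contains_pii": True,
     "last_accessed": date(2024, 2, 28), "retention_days": 2555, "legal_hold": False,
     "mfa_enforced": True, "accessors": 6},
    {"name": "marketing_assets", "host": "web-files", "contains_pii": False,
     "last_accessed": date(2023, 11, 2), "retention_days": 730, "legal_hold": False,
     "mfa_enforced": False, "accessors": 55},
    {"name": "litigation_archive_2017", "host": "legacy-sql-01", "contains_pii": True,
     "last_accessed": date(2018, 1, 15), "retention_days": 365, "legal_hold": True,
     "mfa_enforced": False, "accessors": 3},
]

# Fixed review date so the example is reproducible (assumption).
REVIEW_DATE = date(2024, 3, 1)


def stale_records(inventory, today):
    """Names of records not touched within their retention period and not
    under legal hold: deletion candidates, subject to legal review."""
    out = []
    for rec in inventory:
        age_days = (today - rec["last_accessed"]).days
        if age_days > rec["retention_days"] and not rec["legal_hold"]:
            out.append(rec["name"])
    return out


def exposed_pii(inventory, max_accessors=10):
    """PII stores lacking MFA or with more accessors than the (assumed)
    least-privilege ceiling. Returns {name: [reasons]}."""
    out = {}
    for rec in inventory:
        if not rec["contains_pii"]:
            continue
        reasons = []
        if not rec["mfa_enforced"]:
            reasons.append("no MFA")
        if rec["accessors"] > max_accessors:
            reasons.append(f"{rec['accessors']} accounts have access")
        if reasons:
            out[rec["name"]] = reasons
    return out


def review(inventory, today):
    """Combine both checks; records that are stale AND exposed go first,
    because deleting them removes the exposure rather than mitigating it."""
    stale = set(stale_records(inventory, today))
    exposed = exposed_pii(inventory)
    return {"delete_first": sorted(stale & set(exposed)),
            "stale": sorted(stale),
            "exposed_pii": exposed}


if __name__ == "__main__":
    result = review(INVENTORY, REVIEW_DATE)
    print("delete first:", result["delete_first"])
    print("stale:", result["stale"])
    for name, reasons in result["exposed_pii"].items():
        print(f"exposed PII: {name}: {'; '.join(reasons)}")
```

In the constructed inventory, customer_orders_2015 is flagged for deletion first: it is years past retention, holds PII, sits on a server without MFA and is readable by 140 accounts. litigation_archive_2017 is just as old but is under legal hold, so it is reported only as an exposure to fix (enforce MFA), not as a deletion candidate.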
How Cyber+ can help
Cyber+ is a Digital Forensics Incident Response (DFIR) solution that combines the digital forensics expertise of Cyanre Digital Forensics Lab and the Incident Response skills, processes and technology of Cybercom Africa. This means a 24/7 immediate incident response team can identify the point of compromise, track the digital footprints of intruders, conduct a full audit for insurers and track down where the infiltrators breached and what data was affected.
Don’t wait for a breach to happen: be proactive! Contact Cybercom.africa today to learn more about Cyber+ and how it can safeguard your organisation. Together, let’s build a resilient digital future.