Security

  • Security Breaches

    A security breach refers to any incident that causes harm or unauthorized access to systems or their data. Aside from direct monetary damages, security breaches can also have a negative impact on a firm’s market value and reputation or can lead to government penalties. In some cases, security breaches can even compromise national security.

    A common information security myth is that only people with ‘highly valued’ information are at risk of becoming victim to costly security breaches. In reality, however, most people are at risk of becoming a security breach victim for several reasons. For example, anyone who:

    1. has an identity
    2. knows other people
    3. has access to computing resources (e.g., a laptop)

    may be a target for a security attack. Everyone has an identity, and therefore may be a victim of identity theft, the unauthorized use of a person’s private information for gain. Identity theft can take many forms; a few common forms include:

    Financial

    Stealing another person’s credit card or bank account number. This may also include using one’s identity (social security number, address, name, etc.) to apply for a credit card or loan that may impact credit ratings or cause unmerited financial obligations.

    Medical

    Stealing another person’s personal information to obtain medical care, buy drugs, or submit fake billings to an insurance company. This could be life-threatening if wrong information is inserted into one’s medical records and wrong medical actions are taken based on these records.

    Criminal

    Giving another person’s name, date of birth, driver’s license number, etc., to a law enforcement officer during an investigation or upon arrest. This may result in false criminal records, fines, or other legal actions.

    Children

    Stealing a minor’s social security number for personal gain. This type of fraud can go undetected for years; it is often discovered only when the child is older and applies for a driver’s license, a bank account, or credit.

    Anyone who knows other people may be a target for a security breach. Attackers may exploit a person’s social network to steal from or harm their friends, work colleagues, and acquaintances, for example by sending messages from a compromised account that the recipients are inclined to trust. Anyone who owns a computer may be vulnerable to a security breach. Attackers can use unsecured computer resources to perform a variety of illegal activities (e.g., distributing pirated software, illegal gambling, hosting illegal materials, or attacking other systems). Attackers might also install malware on a victim’s computer, which can then be used to attack other people or organizations, so even a computer that holds nothing of value is worth taking over.

  • Breach Causes

    In this section, we talk about three types of people who are threats:
    1. Hackers - people external to an organization who conduct attacks
    2. Malicious insiders - trusted people within an organization who conduct attacks
    3. Non-malicious insiders - people within an organization with no intentions to harm it, but who present a threat because of negligence or ignorance

    Hackers

    Hackers have a variety of motivations. Some hackers try to break into systems merely for the challenge or out of curiosity, while others may receive monetary compensation for breaking into a computer system and stealing or destroying information. Hackers may deface a website (changing the appearance or content of a website) if it opposes their own opinion, or they may make confidential information public to accomplish their political objective.

    Hacktivists (hackers who are activists) carry out political agendas by breaking into computers or networks.

    Cyberterrorists use the internet to accomplish terrorism. Cyberterrorist acts may include disrupting or destroying an organization’s or nation’s infrastructure.

    Cyberwarfare refers to nations or groups that conduct espionage or sabotage of another nation’s or organization’s information and infrastructure through hacking techniques.

    Not all hackers are malicious, however. For example, white-hat hackers are hired by an organization to break into the organization’s own systems (with written authorization and an agreed scope) to expose vulnerabilities so the organization can fix them.

    Malicious Insider

    An adversary who operates as a trusted member of an organization in order to intentionally harm it. For example, malicious insider threats may purposely install malware on a system, steal or expose sensitive information, sabotage systems, delete information, steal hardware, or perform financial fraud.

    Non-Malicious Insider

    A user who puts their organization at risk by not complying with its security policy out of ignorance or non-malicious negligence. This type of threat is very common and may even include you. For example, non-malicious insiders may make an organization vulnerable by creating weak passwords, not applying security updates or keeping antivirus software current, not locking computers or office doors, visiting websites that host malware, and disclosing sensitive information in emails or in conversation.


    Malware

    Hackers and malicious insider threats may also introduce malware onto a computer. Malware is a malicious program that may occupy the resources of your computer so that it is slow or nonresponsive, cause damage to your computer, take control of your computer, or even steal information from your computer. Malware is broadly used to describe at least three different types of malicious programs that are distinguished by how they spread: a) viruses, b) worms, and c) Trojan horses.

    1. Viruses - a malicious program that attaches itself to another program or file. It spreads from one computer to another as users share programs or files with each other.
    2. Worms - similar to a virus, except that it spreads from computer to computer by itself over the network (typically by exploiting a vulnerability in a service), without requiring users to open or share anything
    3. Trojan Horses - a malicious program that is disguised to be a legitimate, useful program. However, when you open the Trojan horse, it may perform any of the actions listed above. Trojan horses do not self-replicate or infect files like worms or viruses (respectively) do.
  • The CIA Triad

    Hackers and insider threats may threaten at least three different areas of security:

    • Confidentiality - restricting access to information and resources to those who are authorized to use it
    • Integrity - protecting data from unauthorized modification or deletion
    • Availability - ensuring that authorized users are able to access information and resources when they need it
  • Confidentiality

    Confidentiality refers to restricting access to information and resources to those who are authorized to use it and ensuring that people who have access to information do not disclose that information to other unauthorized people. Confidentiality is frequently enforced through a two-step process: Authentication and Authorization.

    Authentication refers to proving that you are who you claim to be. It is typically accomplished through one or more of:

    • something-you-know - a password, PIN, or other secret that you retrieve from memory and enter at a login screen (the username identifies you but is not secret, so it is not a factor)
    • something-you-have - an object that you carry with you (an ID card, a hardware token, or a phone) and that must be present to authenticate
    • something-you-are - your own physiological characteristics (like a fingerprint)

    Something-you-have is often used together with something-you-know to authenticate. This is called two-factor (or, more generally, multi-factor) authentication; the factors must be of different kinds, since a password plus a security question is still only something-you-know. For example, in some organizations with sensitive information, you must enter your username and password along with a code shown on a token. Tokens are small devices that you can carry with you which display a code that changes every 30-60 seconds. Each code is computed from a secret shared between the token and the authenticating system and from the current time, so the two stay synchronized without communicating. If your password and the code on the token are entered correctly, you will be given access to the system. An attacker who steals only your password cannot log in without the current code, and a captured code is useless once its time interval has passed.


    Once a person is authenticated, a secure system should allow that user to access only the information and resources they are authorized to access. Authorization is the process of specifying access rights to users, i.e., specifying what users can and cannot access. The guiding rule is least privilege: each user gets the access their job requires and nothing more, and anything not explicitly granted is denied. For example, a sales person should be able to access information about clients and products. However, a sales person should not be able to access information about other employees’ salaries.

  • Confidentiality Compromises

    Social Engineering or Phishing

    Social engineering is when someone without authorized access to a system deceives a user who does have access into disclosing information or performing an action on their behalf.

    For example, a trusted work colleague might say his account is locked and ask you to log in using your credentials; or a neighbor might ask for your WiFi password. With these ‘borrowed’ credentials, these people may access confidential information and may even perform illegal activities that are then traced back to you. A prime target for these kinds of social engineering attacks is a new employee, or a temp or replacement employee (for example, one covering for a regular employee who is taking a sick day). These employees are usually less familiar with security policies and with other employees, so they are easier to manipulate and trick. Keep in mind that a legitimate IT department or colleague never needs your password: accounts can be unlocked and permissions granted without it, so any such request is itself a warning sign.

    One of the most common forms of social engineering is phishing. Phishing is a fraudulent technique for obtaining private information through an email (or a text message or other message) that impersonates a trusted sender. Phishing emails typically ask you to provide personal information, or they may ask you to click on a link that leads to a website that asks for personal information or that delivers malware. For example, attackers pretending to be the IT department might ask for your email password to ‘verify’ your account.


    Some emails may look very personable, using your actual name in the salutation, referencing people who you know, or appearing to come from someone you know. These personalized phishing messages are known as spear phishing.

    REMEMBER:

    1. Never give out sensitive information in an email
    2. Be cautious clicking on links in emails. Although the underlined text of a link may say it is going to one website (e.g., www.chase.com), the link may actually go to a fraudulent address (e.g., 192.14.200.1/chase.com). Hovering over a link without clicking shows its real destination in most mail clients and browsers. If you are prompted to click on a link to a seemingly credible website, manually type the address you already know into the browser instead of clicking the link. This ensures you end up at the site you think you are going to.
    3. Be cautious clicking on attachments. Clicking on a bad attachment can install malware on your computer or record your personal information. Before clicking on an attachment ask yourself whether you are expecting this attachment and whether you trust the attachment.
    4. Enable a spam filter in your email. Spam filters flag messages that have the characteristics of phishing emails and messages from known phishing senders, but they are not perfect, so the precautions above still apply.
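    The link check in point 2 above can be automated. The following is an added example (not from the original page) that parses the anchors in an HTML email body and flags a link whenever the text the reader sees names one host but the link actually goes somewhere else, or when the destination is a bare IP address as in the 192.14.200.1 example. The sample message and its hosts are constructed for this example; the "verify-account.example" domain is a placeholder, not a real site. Only the Python standard library is used.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body for this example; the hosts are made up.
SAMPLE_EMAIL = """
<p>Dear customer, your account is locked. Please visit
<a href="http://192.14.200.1/chase.com">www.chase.com</a> to restore access,
or go to <a href="https://www.chase.com.verify-account.example/login">https://www.chase.com/login</a>.
Questions? See <a href="https://www.chase.com/help">www.chase.com</a> or
<a href="https://support.example.org/ticket">open a ticket</a>.</p>
"""

# Link text that itself looks like a URL or a bare domain name.
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(text):
    """Lowercase host name of a URL or bare domain ('' if there is none)."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return the links whose real destination does not match what the reader sees."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = []
        real_host = host_of(href)
        if is_ip_literal(real_host):
            reasons.append("destination is a bare IP address")
        if LOOKS_LIKE_URL.match(text):
            shown_host = host_of(text)
            # Accept an exact match or a subdomain of the shown host. A host such
            # as www.chase.com.verify-account.example starts with the shown name
            # but is a different registered domain, so it is reported.
            if real_host != shown_host and not real_host.endswith("." + shown_host):
                reasons.append("shown as %s but goes to %s" % (shown_host, real_host))
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

    Run on the sample, the first two links are reported and the genuine chase.com link is not. Text that is not itself a URL ("open a ticket") cannot be compared this way, which is why the advice to type a known address into the browser still applies.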

    Network Sniffing

    Network sniffing refers to covertly intercepting or reading packets on a network. When you send information over the internet (such as an email, website request, instant message, payment information, etc.), it is divided into segments (known as packets) and sent across the network. If the proper precautions are not in place, these packets can be read by third parties as they are transmitted: anyone on the same open wireless network, or anyone who controls a router or link along the path, can capture them.

    One way to protect your data from being readable to such parties is through encryption. Encryption is the process of encoding a message (or information) in such a way that third parties cannot understand it without the key. For example, encrypting the text ‘hello world’ using the Blowfish algorithm (a common encryption tool) produces ciphertext that, written out in text form, looks like: XTiH6vLfjYz2rZWPhBVrng====. Blowfish is a symmetric cipher: the same secret key both encrypts and decrypts, so sender and receiver must already share that key and keep it from everyone else. Public-key (asymmetric) encryption solves the problem of agreeing on a key. The sender encrypts with the receiver’s public key, a key that can be published openly, and only the receiver’s private key, which is never shared, can decrypt the result. In practice the two are combined: a public-key exchange establishes a fresh shared key, and a fast symmetric cipher then encrypts the actual data. If you use a secured wireless network that requires a password (WPA2 or WPA3), your computer automatically encrypts data on the wireless link between it and the access point; beyond the access point, the data is protected only if the application itself encrypts it (for example, with https).

    Some websites (such as banks, email providers, etc.) will encrypt your data before it leaves your computer. You can recognize which websites provide this by looking at the URL. If the URL begins with “https” (Hypertext Transfer Protocol Secure), your data is encrypted in transit between your browser and the site. If the URL begins only with “http,” the website is not encrypting your data before transmission, and anything you type can be sniffed. For example, logging into your email at “https://mail.google.com/mail/” encrypts your username and password before sending them to Google. However, “http://mail.google.com/mail/” would not. Note that https only proves that the connection is encrypted to the site named in the address bar; a phishing site can use https too, so you still have to check that the domain is the one you expect.

    You can also encrypt the data on your hard drive to protect confidentiality. Doing so protects your data if your computer is stolen, since without the key the drive’s contents are unreadable even when the disk is moved to another machine. Most operating systems have full-disk encryption built in (BitLocker on Windows, FileVault on macOS), and some enable it automatically. You can learn how to enable it by searching for “encrypt hard drive windows [or mac]” in a search engine. Keep the recovery key somewhere other than the encrypted drive, because losing it means losing the data.

    REMEMBER:

    1. Only share information with websites whose URL starts with https, and whose domain is the one you expect.
    2. Only use wireless networks that are secured (e.g., require a password or login). On an open network, rely on https or a VPN to protect what you send.
    3. Make sure that your personal wireless network is secured with a password.
    4. Be hesitant sharing your wireless network password with anyone. This could allow them to perform illegal activities or introduce malware on your network.

    Password Guessing

    Large dictionaries of usernames and passwords exist on the web and are freely available. For example, the RockYou dictionary contains over 32 million passwords leaked in a 2009 breach of that site. If your password is contained in this dictionary (or others like it) and proper security controls are not in place, an attacker can run a program that tries to break into your account with each of these passwords in turn (a dictionary attack). Cracking tools also apply “mangling rules” to each word, appending digits, capitalizing the first letter, and swapping letters for look-alike symbols, so simple variations of a dictionary word are guessed almost as quickly as the word itself.

    If you reuse passwords for multiple accounts, attackers who steal your credentials from one site (e.g., a low-security or fraudulent website) can try them on other sites. This is known as credential stuffing, and it succeeds wherever you used the same password.

    Finally, A common mistake in creating a password is using personal information, such as pet names, family names, favorite sports teams, etc. Someone who knows you (or has access to your social media profile) can learn this information and try to use it to guess your passwords. For example, if you have a pet dog named “Duke,” a hacker may try this name as your password, as well as other variations of this name (e.g., Duk3, duke1234, mydogduke, etc.).

    Making Strong Passwords

    One way to build strong passwords that are not as easily guessable is through passphrases. A passphrase is a sequence of words or other text that composes an easily remembered but secure password. To create a passphrase, think of a quote, song lyrics, or saying that you know. Avoid phrases that are famous or otherwise easily guessable. An example phrase is “I like to jump on bagpipes.” Edit this phrase by adding special characters and/or numbers and removing spaces. For example, one could substitute the number 1 for the letter i, add capital letters, substitute the number 0 for the letter o, and add special characters: *1likeTojump0nbagp1pes!. Such a password is long, more difficult to guess, and easy to remember. Keep in mind that substitutions such as 1 for i and 0 for o are among the first rules a cracking tool tries, so most of the strength comes from the phrase’s length and from its not being a well-known quotation, not from the substitutions. For accounts you do not have to type from memory, a password manager that generates and stores a different random password for each site is a better choice still.
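    The following is an added example (not from the original page) of the kind of check a login system can run before accepting a new password. It reflects the three weaknesses described above: it expands each leaked password and each piece of personal information with the same simple mangling rules a cracking tool applies (capitalization, look-alike digits, common suffixes), so “Duk3”, “duke1234”, and “Password123” are all caught, while the passphrase above passes. The leaked-password list and the personal details are small constructed stand-ins for a real dictionary such as RockYou and a real attacker’s research.

```python
import itertools

# Constructed stand-in for a leaked-password dictionary such as RockYou.
LEAKED = {"123456", "password", "iloveyou", "princess", "rockyou", "qwerty"}

# Constructed facts an attacker could scrape from a victim's social media.
PERSONAL = ["duke", "cougars", "smith"]

# The same look-alike substitutions a cracking tool's rules try first.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ["", "1", "123", "1234", "!", "2024"]


def candidates(word):
    """Variants of one word that rule-based guessing would try."""
    bases = {word.lower(), word.capitalize(),
             word.lower().translate(LEET), word.capitalize().translate(LEET)}
    for base, suffix in itertools.product(bases, SUFFIXES):
        yield base + suffix


def why_weak(password, leaked=LEAKED, personal=PERSONAL, min_len=12):
    """Return the reasons a proposed password is weak; an empty list means it passed."""
    reasons = []
    lowered = password.lower()
    # Exact match against every mangled form of every leaked password.
    if any(password in candidates(word) for word in leaked):
        reasons.append("a mangled form of a leaked password")
    # Personal information anywhere inside the password, mangled or not.
    if any(c.lower() in lowered for word in personal for c in candidates(word)):
        reasons.append("contains personal information an attacker could look up")
    if len(password) < min_len:
        reasons.append("shorter than %d characters" % min_len)
    return reasons


if __name__ == "__main__":
    for pw in ["Duk3", "duke1234", "Password123", "*1likeTojump0nbagp1pes!"]:
        print("%-26s %s" % (pw, why_weak(pw) or "ok"))
```

    In production the leaked set would be the full dictionary (or a lookup against a breached-password service), and the personal terms would come from the user’s own profile data. The check rejects; it does not by itself make a password strong, which is why length still carries most of the weight.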

    Lost or Stolen Hardware

    Carrying sensitive information on mobile devices can present a serious threat to confidentiality, as these portable devices can be easily misplaced, lost, or stolen. For example, if a company’s confidential customer information (i.e., account details, credit card numbers, etc.) is put on a thumb drive, and this thumb drive falls out of your pocket at a restaurant, this information may be accessed and used by anyone who picks up the thumb drive. As a second example, if you do not have a password on your smart phone and you misplace it, whoever finds it will have access to any apps or information on the phone including bank apps, emails, notes, and purchasing accounts.

  • Availability

    Availability refers to ensuring that authorized users are able to access information and resources when they need it. To create value, information must be available when users need it. Research has estimated that the cost of an hour of downtime (i.e., the time that information or resources are not available to users) for medium-sized businesses can exceed $100,000.

  • Availability Compromises

    User-Initiated Errors

    One of the most common sources of downtime experienced on a regular basis by users is mistyped or forgotten credentials. Security managers typically implement a control to lock a user’s account after a given number of incorrect passwords. This control protects the account against hackers who are trying to guess a password through trial and error. Until the account is unlocked, the user cannot access the resources. The control has a side effect: an attacker who knows a username can deliberately enter wrong passwords to lock the legitimate user out, so many systems use temporary lockouts or increasing delays between attempts rather than a permanent lock.

    To unlock an account, the user must contact the system administrator, answer security questions, or perform other tasks. One way to avoid this type of error is through creating passphrases (discussed in the Confidentiality section). Passphrases are often both secure and easy to remember.
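    The following is an added example (not from the original page) of a lockout control that balances the two concerns above: after three consecutive failures the account is locked for one minute, and each further failure doubles the lockout (up to a cap), so a guessing program is slowed to a crawl while a user who mistyped is back in minutes without calling an administrator. The clock is injectable so the behaviour can be exercised without waiting. Names and thresholds are this example’s own choices.

```python
import time


class LoginGuard:
    """Per-account throttle for failed logins.

    After `max_attempts` consecutive failures the account is locked for
    `base_lock` seconds; each further failure while unlocked doubles the
    lockout, capped at `max_lock`. A successful login clears the state.
    """

    def __init__(self, max_attempts=3, base_lock=60, max_lock=3600, clock=time.time):
        self.max_attempts = max_attempts
        self.base_lock = base_lock
        self.max_lock = max_lock
        self.clock = clock
        self._failures = {}       # account -> consecutive failure count
        self._locked_until = {}   # account -> unix time the lock expires

    def locked_for(self, account):
        """Seconds remaining on the lock, or 0 if the account may try now."""
        return max(0.0, self._locked_until.get(account, 0.0) - self.clock())

    def attempt(self, account, verify):
        """Record one login attempt and return 'ok', 'denied' or 'locked'.

        `verify` is a zero-argument callable that performs the real credential
        check. It is only invoked when the account is not locked, so a locked
        account costs the server no password hashing and, just as important,
        gives no hint whether the password would have been right."""
        if self.locked_for(account) > 0:
            return "locked"
        if verify():
            self._failures.pop(account, None)
            self._locked_until.pop(account, None)
            return "ok"
        failures = self._failures.get(account, 0) + 1
        self._failures[account] = failures
        if failures >= self.max_attempts:
            excess = failures - self.max_attempts
            lock = min(self.max_lock, self.base_lock * (2 ** excess))
            self._locked_until[account] = self.clock() + lock
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard()
    for _ in range(4):
        print(guard.attempt("alice", lambda: False), "locked for", guard.locked_for("alice"))
```

    A guessing program that could otherwise try thousands of passwords per minute now gets three tries, then one try per minute, then one per two minutes, and so on. Throttling by source address as well as by account blunts the remaining trick of spreading guesses across many accounts.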

    Hardware Failures

    Conventional wisdom suggests that an average hard drive has a life span of approximately 3-5 years. In other words, a hard drive that stores your personal files (e.g., documents, pictures, music, etc.) will likely fail at some point, and you may lose all your data. Like hard drives, most electronics (e.g., computers, servers, routers, switches, etc.) wear out over time and may eventually fail. Without precautions, such failures will render information and resources unavailable to users.

    The primary safeguard against hardware failures (along with most other threats to availability) is to have important information in more than one place and have backup systems in case the primary systems become nonfunctional. This is called redundancy.

    One way to create a backup is to purchase an external hard drive and copy your files to it periodically. Most operating systems have a built-in utility that will automatically create backups to an external drive. Another effective way to back up data is online. Several online services will automatically back up your files to a secure online server whenever you connect to the internet (type “online backup” into a search engine for examples of providers). When a hardware failure occurs, you can restore your files from these locations. Two caveats: a backup drive that stays permanently connected can be wiped by the same ransomware or mistake that hits the original, so keep at least one copy offline or offsite; and a backup has not really been made until you have tested restoring a file from it.

    Organizations frequently make large investments to promote availability through redundancy. Such measures include sophisticated data backup arrays, backup power supplies, and backup computer resources. In addition to these precautionary measures, many organizations have disaster recovery plans – processes, policies, and procedures for continuation and recovery of critical IT infrastructure after a natural or human-induced disaster.

    Factors to consider when planning a backup system:

    1. What - All of your Data or just selected files
    2. Where - Onsite or offsite
    3. Frequency - Timed Interval (every hour) or Continuous (after every change)
    4. Versions - How many versions of the same document should you make in your backup to protect against unintended changes
    5. Security - Encrypt the backup so that anyone who obtains the media cannot read it, and use physical security to protect the hardware from damage or theft

    Distributed Denial-of-Service Attacks (DDoS)

    A distributed denial-of-service attack (DDoS) refers to a coordinated effort to flood a system (e.g., a website) with traffic, such as having millions of compromised computers (a botnet) request a web page at once, to bring down the system and make it unavailable to legitimate users.

    One way to combat a denial-of-service attack is through a firewall. A firewall is a piece of software or a hardware device that monitors incoming and outgoing traffic on a network and decides what traffic is allowed based on a set of rules. A firewall can:

    1. block, or limit the rate of, traffic from computers conducting a DDoS attack
    2. limit the number of ways an attack can come in by restricting which ports are open. Each port acts as an entrance or exit for a specific type of traffic, thereby limiting which types of traffic are allowed to pass through.
    3. limit what leaves a network by using rules and ports.
    4. perform many other security functions. All of the functions in a firewall are designed to check and limit all data moving into and out of an internal network.

    Firewalls may be implemented at several different levels. For example, your computer likely has a firewall built in that limits what types of traffic can come in and go out of it. A group of computers in a network may also be protected by a firewall. Before data is allowed to enter an organization’s network, it can be screened by a firewall and thereby stopped before it even reaches the individual computers. The best line of defense is to have several firewalls implemented in an organization. At the lowest level, every computer should have a firewall. At the highest level, all traffic should be screened before entering or leaving an organization. A firewall cannot help, however, when the attack traffic saturates the network link in front of it; defending against large volumetric attacks requires filtering further upstream, at the internet provider or a content delivery network.

  • Integrity

    Data integrity refers to protecting data from unauthorized modification or deletion. An unauthorized change to data may occur from someone accidentally deleting or modifying data despite having good intentions. For example, a breach of data integrity would occur if a well-intended employee accidentally deletes a historical sales database. An unauthorized change can also be made by someone with malicious intent, e.g., a hacker intercepting a message and changing or deleting its contents. This section outlines several controls that can be implemented to protect data integrity.

  • Integrity Compromises

    Incorrect File Permissions

    One way that data integrity is compromised is through incorrect file permissions. File permissions refer to rules that specify what can and cannot be done to a file. For example, most operating systems allow you to specify whether a file or folder can be read (opened or its contents viewed), modified (changed), or executed (run, if it is a program), and to whom each permission applies. In Windows, you can right-click on a file, open Properties, and use the Security tab to see these settings; you can select a user and edit what that user is allowed to do. A file that any user on the machine may write to can be altered or deleted by a malware infection in anyone’s account, not just the owner’s. On a larger scale, organizations can specify who can access and modify resources using group policies (policies that specify what users and computers can do). Once a Group Policy is linked to a domain or organizational unit, every domain-joined computer and user within that scope enforces it.
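    On Linux and macOS the same idea is expressed in the POSIX mode bits, and it is easy to audit a directory tree for files that anyone besides the owner can change. The following is an added example (not from the original page) that walks a tree, reports world- or group-writable entries and setuid/setgid files, and tightens the write bits it found. The two database files and their modes are constructed inside a temporary directory for the demonstration. It uses Unix permission bits, so on Windows (where files carry ACLs instead) the audit would have to read ACLs, for example with icacls.

```python
import os
import stat
import tempfile

# Write bits that let someone other than the file's owner change it.
OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH


def permission_findings(root):
    """Walk `root` and list entries whose POSIX mode bits let users other than
    the owner modify them. Returns (path, octal mode, reason) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                  # a link's own mode is irrelevant; audit its target
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append((path, oct(mode), "world-writable"))
            elif mode & stat.S_IWGRP:
                findings.append((path, oct(mode), "group-writable"))
            if stat.S_ISREG(st.st_mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((path, oct(mode), "setuid/setgid file"))
    return findings


def tighten(path):
    """Remove group and other write permission, leaving all other bits as they are."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~OTHERS_WRITE)


def demo():
    """Constructed tree: audit it, fix what was found, and audit again."""
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "products.db")
        bad = os.path.join(root, "sales_history.db")
        for p in (good, bad):
            with open(p, "w") as f:
                f.write("records\n")
        os.chmod(good, 0o640)   # owner read/write, group read, nobody else
        os.chmod(bad, 0o666)    # any local user can modify or truncate it
        before = [(os.path.basename(p), m, why) for p, m, why in permission_findings(root)]
        for p, _, _ in permission_findings(root):
            tighten(p)
        after = permission_findings(root)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

    The first audit reports only sales_history.db (mode 0666, world-writable); after tightening it to 0644 the second audit is empty. In a real audit you would exclude paths such as /tmp, which are sticky-bit world-writable by design.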


    Lack of Version Control

    If an unauthorized modification or deletion does occur, it is important to have the ability to restore the previous version of the data. This can be accomplished through version control. Version control is the management of changes to files (e.g., documents, websites, computer code, etc.).

    When using version control, a file is saved as ‘revision 1’ in the version control system when it is created. If you make a change to that file, the date and time of the change are documented, and the revised file is saved as ‘revision 2’, and so on. If someone made an unauthorized change to a document, you can restore a previous version of the document by selecting a revision number and clicking restore.

    Many applications such as word processors (e.g., Microsoft Word, Google Docs) keep track of each time you save a document and allow you to revert your document to a previous version. File sharing and backup services (e.g., Dropbox) also keep track of each time you edit and save a file and allow you to restore the file to a previous version if desired.

    Checksums

    When transferring data across the internet, packets can become corrupted or, in some cases, even intercepted and changed before reaching their final destination. One way to check that data was not modified in transit is through checksums. A cryptographic checksum is computed with a hash function (not encryption: nothing is secret and nothing is decrypted), which condenses a file of any size into a short fixed-length value, the hash, such that any change to the file changes the hash. A person can compute the hash of a file, transmit the file, compute the hash again at the destination, and compare the two to confirm nothing has changed. This only works if the expected hash reaches the recipient over a channel the attacker cannot tamper with; an attacker who can replace the file can otherwise replace the published hash as well.

    A popular checksum algorithm is the MD5 message-digest algorithm. MD5 translates the contents of a file into a 128-bit value, written as a 32-digit hexadecimal number. For example, the MD5 hash for a certain 176-page document is: b4e5cbd6142aa849440784c8722c66b9. Deleting a few sentences from this document results in the following hash: d82487abf6f32e72420cb9da6f18f3a1. By comparing the two hashes, one can conclude that the file has been modified. MD5 is adequate for detecting accidental corruption, but it is no longer collision resistant: an attacker can construct two different files with the same MD5 hash. Where a deliberate attacker is a concern, use SHA-256 (or another SHA-2 or SHA-3 function) instead.
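    The following is an added example (not from the original page) that puts the two paragraphs above into code: it hashes a file in chunks (so large files need not fit in memory), appends a single character to show that MD5 and SHA-256 both change completely, and compares digests in constant time. It also computes an HMAC, a keyed hash, to show the difference that matters against an active attacker: a plain hash can be recomputed by whoever altered the file, an HMAC cannot be recomputed without the key. The file contents and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="sha256", chunk_size=1 << 16):
    """Hex digest of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(path, expected_hex, algorithm="sha256"):
    """True if the file's digest equals the one published alongside it.
    compare_digest runs in constant time, so the comparison does not leak
    how many leading characters of a guess matched."""
    return hmac.compare_digest(file_digest(path, algorithm), expected_hex.lower())


def file_hmac(path, key, chunk_size=1 << 16):
    """HMAC-SHA256 of a file. A plain hash only detects changes if the attacker
    cannot also replace the published hash; an HMAC cannot be recomputed
    without the key, so tampering with both file and tag is still detected."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            mac.update(chunk)
    return mac.hexdigest()


def tamper_demo():
    """Hash a constructed file, append one character, and hash it again."""
    key = b"key-shared-over-a-trusted-channel"   # constructed; generate randomly in practice
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.txt")
        with open(path, "wb") as f:
            f.write(b"hello world")
        original_sha256 = file_digest(path)
        result = {
            "md5": file_digest(path, "md5"),
            "sha256": original_sha256,
            "hmac": file_hmac(path, key),
        }
        with open(path, "ab") as f:
            f.write(b"!")                          # the "unauthorized change"
        result.update({
            "md5_after": file_digest(path, "md5"),
            "sha256_after": file_digest(path),
            "hmac_after": file_hmac(path, key),
            "still_verifies": verify_digest(path, original_sha256),
        })
        return result


if __name__ == "__main__":
    for name, value in tamper_demo().items():
        print("%-15s %s" % (name, value))
```

    For the eleven-byte input “hello world” the MD5 digest is 5eb63bbbe01eeed093cb22bb8f5acdc3 and the SHA-256 digest begins b94d27b9; adding one character changes every digest beyond recognition and verify_digest returns False. Download pages that publish a hash next to the file on the same web server give no protection against an attacker who controls that server, which is why software distributors sign their hashes with a private key rather than merely posting them.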

  • The Onion Model - Defense in Depth

    The more layers a hacker must penetrate to access sensitive data or resources, the less likely a hacker will succeed. For example, if a museum wants to keep a rare painting safe, they would:

    1. lock the museum doors at night
    2. put the painting in a glass vault
    3. activate a security system to detect intruders
    4. have a security guard patrol the area

    Likewise, if a company wants to keep data safe, they would:

    1. encrypt the data
    2. put it on a secure server behind locked doors
    3. require that a user enter a username and password to access the data
    4. only transmit information over secure channels
    5. deploy intrusion detection systems (full-time monitoring tools that search for patterns that may indicate an attack)

    Many other security precautions may be taken as well. Having multiple layers of security is known as defense-in-depth. One way to conceptualize defense-in-depth is through the Onion Model.


    The Onion Model compares security to an onion. In the middle of the onion is the sensitive data or other resources that you want to protect. However, this core is protected by several layers of the onion. Likewise, in security, sensitive data and resources should be protected by several layers of security controls.