Most Data Breaches Are Result Of Identity Theft

CyberCrimeSecurity
identity deception fraud social engineering security © Pretty much everyone knows that passwords aren't supposed to be shared. Passwords exist to protect your information and your employer's information from being seen by people who shouldn't see it and who could cause serious damage if they do access it. This is why you have a strong password on your banking information (you DO have a strong password on your bank account, don't you?) So how is it that Edward Snowden managed to get the passwords that gave him access to thousands of secret documents? According to a story from Reuters, Snowden did it in the easiest way possible. He asked for it. But of course there's more to it than that. What Snowden did was tell a couple dozen of his coworkers that he needed their passwords because he was a system administrator. Those coworkers, knowing that Snowden was fully cleared, figured it was safe, and gave him the passwords. Snowden used that trust to raid the NSA files of everything he could find. Remote Data Replication: Combat Disasters And Optimize Business Operations Watch It Now Leaving aside the propriety of what Snowden did, the fact that he was able to get the information he did with other people's login information speaks volumes. Perhaps more important, it speaks those volumes directly to you and your employer. Snowden exploited a weakness that exists at nearly every company or organization and which can be overcome only by having the right security policies and the right training. That weakness is trusting the wrong people at the wrong time. The obvious question is how this applies to you and your organization. After all, the chances are pretty good that you're not sitting on a pile of state secrets. But the chances are that your company has plenty of information that has value to your competitors, to criminals, or to people who want to use that information for other dubious purposes. Do you really want the outside world to see your customer list? Your financial statements? Your supply chain or manufacturing details? Probably not. Unfortunately, if you lose control of your organization's passwords, you're doing just that. But you can limit the problem by implementing some basic practices, making sure your staff is trained and then retrained frequently. Here are some things you can do: 1. Require passwords that are hard to guess, but don't go overboard. If you require passwords that are too complex, nobody will remember them. You know what happens next—yellow sticky notes on their monitors. That doesn't really help security. 2. Control what happens if a password is shared. It's easy to say that your staff should never under any circumstances share a password. But that's not how things work in the real world. Sometimes a system administrator really does have a reason to request a user's log-in credentials. 3. When that happens, what should the user do? That depends, but at the least they should know that they should then immediately change the password. You might also want to require that any password-sharing request be reported on a routine, easy-to-fill-out form that will disclose the action to whomever you designate to handle this, such as your IT manager. 4. Make password changes easy to accomplish, and automate the reporting process so that every such change is logged. 5. Don't depend on complex control software as a primary means of user verification. It might be useful, but nothing works as well as good practices properly followed. Remote Data Replication: Combat Disasters And Optimize Business Operations Watch It Now Require two-factor authentication for access to information that's really important. Many companies use a smartcard that doubles as an access card and organizational ID card. This reduces the problem of stolen log-in credentials. More complex methods of access control certainly exist and should be used under extraordinary situations, but are not always appropriate. It's important to remember that maintaining access security requires the willing cooperation of your staff. This means that you have to tell them what needs to be protected, the means they should follow to protect that information and what they should do if they suspect that protection has been compromised, even by someone who claims a plausible reason to do so. Here's one way such a procedure might work: One of your workers with access to something sensitive, such as human resource data, requests help with a problem logging in to the network. Somebody from the help desk asks for the log-in credentials to see what the problem is and to try to fix it. The person being helped provides the information and then immediately sends an email to a designated manager saying something like this: "I provided my log-in info to Sam Smith from the help desk to fix a log-in problem. My extension is 123." Once the log-in problem is solved, the employee should immediately change their password. That change will be recorded by your network management system where it can be verified by a manager or security staffer. Will that eliminate all data loss? Of course not, but it will eliminate some of it. It requires little in the way of resources and it allows management follow-up since problems—including an administrator who seems to be asking for a lot of passwords—will show up quickly. While you can throw automation at such a problem, at some point the most basic answer is training and management. It's hard to be more effective than that unless you already have training and management practices to enforce password discipline in place already. Shutterstock
1 58 No Comments

Identity theft takes top spot in breach study, accounting for 53 percent of data breaches

Data breaches increased by 10 percent during the first six months of this year compared to the first half of 2014.

This was the finding of digital security specialist Gemalto’s Breach Level Index for the first six months of 2015, which found that 888 data breaches occurred, compromising 246 million records worldwide.

Compromised data

The study also revealed that the number of compromised data records declined by 41 percent

This decline can most likely be attributed to that fact that fewer large scale mega breaches have occurred in the retail industry compared to the same period last year.

digital identityDespite the decrease in the number of compromised records, large data breaches continued to expose massive amounts of personal information and identities. The largest breach in the first half of 2015 – which scored a 10 in terms of severity on the Breach Level Index – was an identity theft attack on Anthem Insurance that exposed 78.8 million records, representing almost a third (32 percent) of the total data records stolen in the first six months of 2015. Other notable breaches during this analysis period included a 21-million-record breach at the US Office of Personnel Management; a 50-million-record breach at Turkey’s General Directorate of Population and Citizenship Affairs; and a 20-million-record breach at Russia’s Topface. In fact, the top 10 breaches accounted for 81.4 percent of all compromised records.

Jason Hart,vice president and CTO for data protection at Gemalto, said: “What we’re continuing to see is a large ROI for hackers with sophisticated attacks that expose massive amounts data records. Cyber criminals are still getting away with big and very valuable data sets. For instance, the average healthcare data breach in the first half of 2015 netted more than 450,000 data records, which is an increase of 200 percent compared to the same time last year.”

The number of state-sponsored attacks accounted for just two percent of data breach incidents, but the number of records compromised as a result of those attacks totalled 41 percent of all records exposed, due to the breaches at Anthem Insurance and the US Office of Personnel Management. While none of the top 10 breaches from first half of 2014 were caused by state-sponsored attacks, three of the top ten this year were state sponsored, including the top two.

At the same time, malicious outsiders were the leading source of data breaches in the first half of 2015, accounting for 546 or 62 percent of breaches, compared to 465 or 58 percent in the first half of last year. 46 percent or 116 million of the total compromised records were attributable to malicious outsiders, down from 71.8 percent or 298 million in 2014.

Identity theft remained the primary type of breach, accounting for 75 percent of all records compromised and slightly more than half (53 percent) of data breaches in the first half of 2015. Five of the top ten breaches, including the top three – which were all classified as Catastrophic on the BLI – were identity theft breaches, down from seven of the top 10 from the same period last year.

Across industries, the government and healthcare sectors accounted for about two-thirds of compromised data records (31 percent and 34 percent respectively), though healthcare only accounted for 21 percent of breaches this year, down from 29 percent compared to the same period last year. The retail sector saw a significant drop in the number of stolen data records, accounting for four percent compared to 38 percent for the same period last year. Across regions, the US represented the largest share with three-quarters (76 percent) of data breaches and nearly half of all compromised records (49 percent). Turkey accounted for 26 percent of compromised records, with its massive GDPCA breach in which 50 million records were breached by a malicious outsider.

The level of encryption used to protect exposed data – which can dramatically reduce the impact of data breaches – increased slightly to four percent of all breaches compared with one percent in H1 2014.

“While the number of data breaches fluctuates, it’s still clear that breaches are not a matter of ‘if’ but ‘when.’ The Breach Level Index data shows that most companies are not able to protect their data once their perimeter defenses are compromised. Although more companies are encrypting data, they are not doing it at the levels needed to reduce the magnitude of these attacks,” added Hart.

“What is needed is a data-centric view of digital threats starting with better identity and access control techniques including multi-factor authentication and strong encryption to render sensitive information useless to thieves.”

According to Forrester, as cybercriminals have become more skillful and sophisticated, they have eroded the effectiveness of traditional perimeter-based security controls. The constantly mutating threat landscape requires new defensive measures, one of which is the pervasive use of data encryption technologies. In the future, organisations will encrypt data – both in motion and at rest – by default. This data-centric approach to security is a much more effective way to keep up with determined cybercriminals. By encrypting, and thereby devaluing, sensitive data, organisations can make cybercriminals bypass their networks and look for less robustly protected targets. Encryption will become a strategic cornerstone for security and risk executives responsible for their organisation’s data security and privacy efforts.

Are you a data breach expert? Take our quiz to find out!


Click to read the authors bio  Click to hide the authors bio