Protecting against data breaches


Imperva, Inc. has warned of the fragmented ecosystem of cyber defense controls that risks exposing enterprises to increasingly troubling data breaches.

With lessons gleaned from analyzing 100 data breaches globally and drawing from direct experience partnering with enterprises in Asia-Pacific, it also issued advice to better safeguard against today’s threats.

In 2022, the Imperva Threat Research Team analysed over 100 of the largest and most well-known data breaches. The study revealed that a greater number and higher frequency of breaches have occurred in the last decade. An increasing amount of stolen data is being exposed and sold on the dark web.

Often, this is used in extortion attempts, to commit financial fraud, and as fuel to create phishing and other social engineering campaigns, which in turn leads to more data breaches.

Data breaches are caused by a variety of issues, notably poor security practices such as using unprotected publicly accessible services (Microsoft, Advanced Info Service) or weak authentication. Some victims also suffer a large fallout from a seemingly small error, such as forgetting about data left behind in temp files from ETL jobs or storing database passwords in clear text.

As enterprises turn to the cloud or work with partners already on the cloud, they are finding that the new IT environment requires a different and often more sophisticated set of controls to secure adequately. Modern applications are built from microservices, open-source code, and APIs.

Combined, these add to the cyber security challenge by organically widening an organisation’s risk footprint, often without the organisation’s awareness.

The common practice of using disparate cybersecurity tools also leaves gaps in an organisation’s ability to identify and mitigate threats.

Common security issues in Asia-Pacific enterprises

In interactions with customers in the region, Imperva has identified specific vulnerabilities that often go unattended or are inadvertently introduced:

  • Unauthenticated APIs that are exposed to the public Internet with direct access to a database, where customers’ Personally Identifiable Information (PII) like driver’s licence number and other sensitive data is stored. In 2022, this issue caused at least two major large-scale breaches of more than 10 million records in Asia-Pacific.
  • Poorly secured application login points that are susceptible to account takeovers. Once working credentials are verified by attackers, these vulnerabilities often lead to exfiltration of user data from the database used by the application. Valid login credentials are often used by attackers to perform more sophisticated reconnaissance of the application and attacks involving API exploitation.
  • Broken application/API data authorisation that leads to one user with legitimate credentials being able to access other users’ data. Malicious actors can make use of this vulnerability, also called Broken Object Level Authorisation (BOLA), to steal data. By authenticating as one user and then using basic programmatic iterating of a select API parameter, an attacker can gain access to other users’ data outside their intended authorisation scope.
  • Weakly designed and coded APIs behind API gateways on a cloud service provider have been exploited by attackers to gain access to vast amounts of PII data in a database. Although victims may have used API gateways, these did not provide security capabilities comprehensive enough to detect and/or mitigate the attacks.
  • Poor practices around database integration and migration activities where subsets of temporary data are left behind and often open to public access. This usually happens when migrating from one database flavour to another, or when moving one’s data to the cloud or between cloud service providers. Doing so incorrectly inadvertently exposes that data to cyber attackers.
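The first and third items above (an unauthenticated API in front of a PII store, and a BOLA flaw that lets one authenticated user iterate an id parameter to read other users’ records) come down to two missing checks in the same handler. The following is an added example, not Imperva’s code or any customer’s: a deliberately weak handler beside a hardened one that authenticates the caller and enforces object-level authorisation. The data store, session table, token values and request shape are all constructed for illustration, and `count_readable_records` is a hypothetical helper a defender can reuse as a regression test for their own endpoints.

```python
"""Added example (not Imperva's code): an unauthenticated, BOLA-prone API handler
beside a hardened one that enforces authentication and object-level authorisation.
All data, tokens and the request shape are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data store: customer PII keyed by record id.
CUSTOMERS = {
    1001: {"owner": "alice", "name": "Alice Tan", "licence": "S1234567A"},
    1002: {"owner": "bob",   "name": "Bob Lim",   "licence": "S7654321B"},
    1003: {"owner": "carol", "name": "Carol Ng",  "licence": "S1111111C"},
}

# Constructed session table: bearer token -> username.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Request:
    path_id: int                  # the /customers/{id} path parameter
    token: Optional[str] = None   # Authorization bearer token, if any


def get_customer_vulnerable(req: Request) -> Optional[dict]:
    """Weak handler: no authentication, and the record is looked up purely by
    the client-supplied id, so stepping through ids returns every row."""
    return CUSTOMERS.get(req.path_id)


def get_customer_hardened(req: Request) -> tuple:
    """Hardened handler. Returns (status_code, body).

    1. Authenticate: reject requests without a valid session token.
    2. Authorise at the object level: the caller may only read records it owns.
       Returning 404 for both 'missing' and 'not yours' avoids confirming
       which ids exist.
    """
    user = SESSIONS.get(req.token) if req.token else None
    if user is None:
        return 401, None
    record = CUSTOMERS.get(req.path_id)
    if record is None or record["owner"] != user:
        return 404, None
    return 200, record


def count_readable_records(handler, ids, token=None) -> int:
    """Regression check (hypothetical helper): how many records can a single
    caller read by iterating ids? A correctly authorised endpoint should return
    at most the caller's own records."""
    count = 0
    for i in ids:
        result = handler(Request(path_id=i, token=token))
        body = result[1] if isinstance(result, tuple) else result
        if body is not None:
            count += 1
    return count


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("weak handler, anonymous   :", count_readable_records(get_customer_vulnerable, ids))
    print("hardened, anonymous       :", count_readable_records(get_customer_hardened, ids))
    print("hardened, as alice        :", count_readable_records(get_customer_hardened, ids, "tok-alice"))
```

The authorisation check lives in the handler itself, keyed on the record’s owner, rather than in a gateway in front of it; as the fourth item notes, a gateway that only validates tokens cannot tell that a valid user is reading someone else’s row.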

“These issues are hard to mitigate because most SOC teams do not have access to data-centric logging telemetry that tells them what is happening on a granular level, from the application/API layer all the way down to the database access level,” said Reinhart Hansen, Director of Technology, Office of the CTO, Imperva. “Organisations are flying blind when it comes to identifying anomalous and abusive data access that could be a data breach in flight or a key indicator that a breach is about to happen.”

A data-centric approach to data security

To overcome today’s complex cybersecurity challenges, enterprises have to go beyond network and endpoint security to adopt a data-centric security strategy.

This means focusing on the lifecycle of the data they are responsible for. It is important to know where the data is, who is accessing it and why, and how frequently. The more that an enterprise can map out how users should be interacting with their data, the easier it is to detect threats, regardless of the source. Specifically, they should:

  • Gain complete, automatic visibility into all data stores. You cannot protect what you cannot see. Visibility from a single dashboard makes it easier to see something anomalous, no matter if it’s an insider or outsider threat.
  • Know their “normal” data state. Recognising normal enables you to configure your security solution to call out only things that are not normal so you can orchestrate a response and remediate efficiently.
  • Avoid overwhelming the SOC. Wasting effort investigating false positives creates alert fatigue and makes it hard to find the real threats.
  • Implement plain-language, actionable insights and alerts. Automated and prioritised data-centric security alerts drive a more effective incident response process. Where possible, Security Orchestration, Automation, and Response (SOAR) technology should be used to eliminate the human bottleneck from incident detection and response.
  • Go beyond the platform. Most security teams use too many tools to protect data. A data security platform may integrate some and not others, and the results are often lacking. A data security fabric integrates seamlessly with the most effective data security tools to provide unprecedented visibility and protection.
  • Train their people. Data-centric security requires people in the organisation to be committed stewards of preventing breaches. Ensure people don’t use unsecured public cloud services, follow password policies, and learn to recognise phishing and other social engineering scams.
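The second and third items above (know the “normal” data state, and alert only on what deviates from it so the SOC is not flooded) can be made concrete with the kind of data-access telemetry the quote earlier on the page says most SOC teams lack. The following is an added example, not Imperva’s code or product logic: it learns a per-user baseline from constructed database audit lines (which tables each principal reads, from which source address, at which hours, and how many rows per query) and then scores new lines against that baseline. The log format, principals, addresses, thresholds and the three-sigma rule are all assumptions made for the example.

```python
"""Added example (not Imperva's code): learn a per-user 'normal' data-access
baseline from database audit log lines and flag deviations from it.
Log format, principals, addresses and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed audit lines: "<timestamp> <user>@<source_ip> <table> <rows_returned>"
BASELINE_LOG = """\
2022-06-01T09:12:04 app_svc@10.0.1.20 customers 1
2022-06-01T09:12:09 app_svc@10.0.1.20 customers 1
2022-06-01T09:13:41 app_svc@10.0.1.20 orders 12
2022-06-01T09:15:02 app_svc@10.0.1.20 customers 2
2022-06-01T10:02:17 app_svc@10.0.1.20 orders 8
2022-06-01T10:40:55 app_svc@10.0.1.20 customers 1
2022-06-01T11:05:30 etl_svc@10.0.2.5 customers 50000
2022-06-01T11:06:12 etl_svc@10.0.2.5 orders 120000
2022-06-02T09:10:00 app_svc@10.0.1.20 customers 1
2022-06-02T09:11:30 app_svc@10.0.1.20 orders 15
2022-06-02T11:04:10 etl_svc@10.0.2.5 customers 51000
""".splitlines()

# Constructed lines to score. The application service account, which normally
# reads one customer row at a time during business hours, suddenly pulls the
# whole customers table at 02:31 and then a table it has never touched.
NEW_LOG = """\
2022-06-03T09:14:22 app_svc@10.0.1.20 customers 1
2022-06-03T02:31:07 app_svc@10.0.1.20 customers 48000
2022-06-03T02:32:40 app_svc@10.0.1.20 licences 47500
2022-06-03T11:03:55 etl_svc@10.0.2.5 customers 50500
""".splitlines()


def parse(line):
    """Split one audit line into its fields."""
    ts, principal, table, rows = line.split()
    user, source = principal.split("@")
    return {"ts": datetime.fromisoformat(ts), "user": user, "source": source,
            "table": table, "rows": int(rows)}


def build_baseline(lines):
    """Per user: source addresses and hours seen; per (user, table): row-count stats."""
    rows_by_key = defaultdict(list)
    sources = defaultdict(set)
    hours = defaultdict(set)
    for e in map(parse, lines):
        rows_by_key[(e["user"], e["table"])].append(e["rows"])
        sources[e["user"]].add(e["source"])
        hours[e["user"]].add(e["ts"].hour)
    stats = {k: (mean(v), pstdev(v), max(v)) for k, v in rows_by_key.items()}
    return {"stats": stats, "sources": sources, "hours": hours}


def score(lines, baseline, sigma=3.0):
    """Return a list of (line, reason) for each access that deviates from the baseline."""
    findings = []
    for line in lines:
        e = parse(line)
        user, key = e["user"], (e["user"], e["table"])
        if user not in baseline["sources"]:
            findings.append((line, "unknown principal"))
            continue
        if e["ts"].hour not in baseline["hours"][user]:
            findings.append((line, f"access at unusual hour {e['ts'].hour:02d}"))
        if e["source"] not in baseline["sources"][user]:
            findings.append((line, "new source address for user"))
        if key not in baseline["stats"]:
            findings.append((line, f"user never accessed table {e['table']}"))
            continue
        mu, sd, mx = baseline["stats"][key]
        # A constant baseline has zero stdev; fall back to 'more than ever seen'
        # so a service account that always reads 1 row is not alerted on reading 1.
        limit = max(mu + sigma * sd, mx)
        if e["rows"] > limit:
            findings.append((line, f"rows {e['rows']} exceed baseline limit {limit:.0f}"))
    return findings


if __name__ == "__main__":
    for line, reason in score(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(f"ALERT  {reason:40s}  {line}")
```

The point of keying the baseline on the principal and table, rather than on a global row-count threshold, is the “avoid overwhelming the SOC” item: the ETL account legitimately reads fifty thousand rows every morning and produces no alert, while the application account reading the same volume is exactly the anomaly worth escalating.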

“In most of the breaches analysed by Imperva, the lack of in-depth security stands out as the main reason,” said Hansen. “Actions organisations can take to tangibly improve their security posture include reducing the attack surface through better database security, separating their database and application servers, and diluting excessive privileges from key users.”