Data Breach Security From A To Z

Data Breach Security Basics

Companies face daily threats from cybercriminals, hacktivists and nation-state-sponsored hacking groups. Financially motivated cybercriminals typically use automated tools to run broad attack campaigns that net as many victims as possible. Hacktivists are politically motivated and often use distributed denial-of-service (DDoS) attacks to cripple or take down a website. Nation-state-sponsored groups pick a specific target and stealthily conduct cyberespionage on its network over extended periods of time; their aim is to steal intellectual property, email and other sensitive documents.

Security experts say focusing on basic security controls can greatly reduce risk. Cybercriminals typically target the lowest-hanging fruit, such as unpatched software and common configuration weaknesses, to gain a foothold in an organization, establish a communication channel with a remote server and quickly steal sensitive data. To keep up to speed with the changing security landscape, here's a look at data breach security from A to Z.

Account Credentials

Attackers often get in with stolen or guessed passwords, plant backdoor Trojans, and then keep coming back using those legitimate account credentials, according to the 2012 Verizon Data Breach Investigations Report. Verizon, which analyzed 855 breaches involving 174 million compromised records, urges organizations to change default passwords on point-of-sale systems and other Internet-facing devices: exploitation of default or guessable credentials took place in 44 percent of the breaches analyzed, and use of stolen login credentials in 32 percent. In 2012, cybercriminals posted nearly 6.5 million hashed LinkedIn passwords on the Internet, a further reminder of how poorly account credentials are often protected.

Encourage employees to use strong passwords by setting a strong password policy and enforcing it, Verizon said. The most common password used at businesses is "Password1", according to Trustwave's 2012 Global Security Report, because it satisfies the default Microsoft Active Directory complexity rules: it is long enough and mixes three character classes (an uppercase letter, lowercase letters and a digit), even though it is the first guess in any attacker's wordlist.
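To make the "Password1" point concrete, here is an added example (not code from the article or from either vendor report): a Python approximation of the default Active Directory complexity rules, followed by a hypothetical hardened policy that also requires 12 characters and rejects passwords whose base word, after stripping a trailing year or digit and undoing leet-speak, appears on a blocklist. The blocklist and the leet mapping are constructed for illustration.

```python
import re
import string

# Constructed blocklist of weak base words; a real deployment would use a large
# list derived from breached-password corpora.
BANNED_BASES = {"password", "welcome", "letmein", "qwerty", "summer", "winter"}

# Leet-speak substitutions undone before the blocklist lookup (assumed mapping).
LEET = str.maketrans("@$01!3", "asoile")


def meets_ad_default_complexity(password: str, account_name: str = "") -> bool:
    """Approximate the Windows default domain password policy: minimum length 7,
    the password must not contain the account name, and characters from at least
    three of the classes uppercase / lowercase / digit / symbol must be present.
    (The real policy also counts non-Latin Unicode letters as a fifth class;
    that class is omitted here for brevity.)"""
    if len(password) < 7:
        return False
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(classes) >= 3


def normalize(password: str) -> str:
    """Reduce a password to its base word: drop a trailing run of digits and
    symbols (Password1, Summer2012!) and undo common leet substitutions."""
    base = re.sub(r"[\d\W_]+$", "", password).lower()
    return base.translate(LEET)


def meets_hardened_policy(password: str, account_name: str = "") -> bool:
    """Hypothetical stronger policy layered on top of the default complexity
    rules: at least 12 characters and a base word that is not on the blocklist."""
    if not meets_ad_default_complexity(password, account_name):
        return False
    if len(password) < 12:
        return False
    return normalize(password) not in BANNED_BASES


if __name__ == "__main__":
    for candidate in ("Password1", "P@ssw0rd2012!", "correct-horse-Battery9"):
        print(f"{candidate!r}: default complexity={meets_ad_default_complexity(candidate)}, "
              f"hardened={meets_hardened_policy(candidate)}")
```

"Password1" passes the default rules and fails the hardened ones; so does "P@ssw0rd2012!", which is why the normalization step matters: complexity rules measure character classes, not guessability.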

Blackhole Exploit Kit

The Blackhole exploit kit (often written "Black Hole") is the most widely used by cybercriminals. The kit is licensed to its operators and can be customized and updated with exploits for the latest disclosed vulnerabilities; occasionally it carries an exploit for a vulnerability that has no patch yet. Attackers use it to set up a malicious Web page whose JavaScript fingerprints the victim's browser and plug-ins and serves whichever exploit the machine is vulnerable to. Patching greatly reduces the risk of falling victim to Blackhole, say security experts, who urge users to keep their browsers current and to ensure that browser plug-ins such as Java and Adobe Flash are patched as well, or removed where they are not needed.

Credit Card Data

Credit card and other customer information is the most frequently targeted data type, making up 89 percent of the breached data investigated by Trustwave SpiderLabs' forensics investigators in the 2012 Global Security Report. According to the report, industries built on franchises, such as food and beverage and hotels, had the highest percentage of breaches; those firms typically lacked IT teams, leaving satellite locations especially vulnerable, Trustwave said. Under the Payment Card Industry Data Security Standard (PCI DSS), cardholder data must be encrypted when sent over open networks and rendered unreadable wherever it is stored, and sensitive authentication data such as full magnetic-stripe contents, CVV2 codes and PINs must never be stored after authorization.

Data Loss Prevention

Data loss prevention (DLP) systems are designed to find credit card data, Social Security numbers and other personally identifiable information in email, file shares and endpoint traffic, and to enforce controls before that data leaves the network. A DLP system can be set to block sensitive data from leaving endpoint systems via email or thumb drive. DLP has commonly been deployed as part of compliance initiatives in the health care and retail industries. More advanced DLP systems can tag and track identified intellectual property to keep it from being mishandled.
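The heart of a DLP rule for the card data and Social Security numbers discussed in the two sections above is pattern matching plus validation, so that an invoice number or phone number does not trigger a block. As an added example (not code from the article or from any DLP product), this Python scanner finds candidate card numbers with a regular expression, confirms them with the Luhn check digit that every real card number carries, matches SSNs with the Social Security Administration's format rules (area not 000, 666 or 9xx; group not 00; serial not 0000), and masks what it finds. The sample message is constructed; 4111 1111 1111 1111 is a standard test card number.

```python
import re

# 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# SSN format rules: area 001-899 excluding 666, group 01-99, serial 0001-9999.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed sample of an outbound email body.
SAMPLE_MESSAGE = (
    "Hi, please charge the deposit to my card 4111 1111 1111 1111 (exp 09/14).\n"
    "The old card 4111 1111 1111 1112 was cancelled.\n"
    "For the W-2 my SSN is 123-45-6789; ticket ref 000-12-3456 is not an SSN.\n"
)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, subtract 9
    from doubled values above 9, and require the sum to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers (digits only) found in the text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = _digits_only(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list:
    return SSN_RE.findall(text)


def redact(text: str) -> str:
    """Mask every validated PAN to its last four digits and every SSN entirely;
    Luhn-invalid digit strings are left alone to avoid false positives."""
    def mask_pan(m):
        digits = _digits_only(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()
    return SSN_RE.sub("***-**-****", PAN_RE.sub(mask_pan, text))


def should_block(text: str) -> bool:
    """Policy decision a DLP gateway would make for an outbound message."""
    return bool(find_pans(text) or find_ssns(text))


if __name__ == "__main__":
    print("block:", should_block(SAMPLE_MESSAGE))
    print(redact(SAMPLE_MESSAGE))
```

The Luhn test alone roughly halves false positives on random 16-digit strings and rejects the mistyped "…1112"; production systems add issuer prefix tables and document context, but the validation step is what keeps a DLP rule from blocking every long number in an invoice.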

Encryption

Businesses deploy encryption to protect sensitive data; properly deployed, it keeps cybercriminals from reading the information even if they obtain it. Data can be encrypted in transit or at rest, so that a lost or stolen laptop or storage device does not expose its contents. Most data breach notification laws do not require an organization to notify the public of a breach if the data was properly encrypted and the encryption keys were not exposed, which is why key management matters: keys stored alongside the data, or a password-based key as weak as the passwords above, forfeit that protection.

Fuzz Testing

Software security experts urge software vendors to add fuzz testing to their software development life cycle to find security bugs before attackers do. A fuzzing tool feeds malformed or random data into a program and watches for crashes, hangs and memory errors that an attacker could turn into an exploit; fuzzers aimed at web applications do the same with injection payloads to surface flaws such as SQL injection and cross-site scripting. Microsoft, for example, said it uncovered about 1,800 coding errors in Office 2010 by running millions of fuzzing tests as part of its development life cycle.
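The following added example (not code from the article or from Microsoft) shows the technique in miniature: a mutation fuzzer that takes one valid input for a tiny type-length-value record parser, randomly flips, inserts and deletes bytes, and records every exception the parser was not designed to raise. The buggy parser trusts its input and throws IndexError on a truncated header and UnicodeDecodeError on non-ASCII payloads; the fixed parser checks both boundaries and reports a single documented error. The record format, seed input and random seed are all constructed for the example.

```python
import random


class ParseError(Exception):
    """Controlled rejection of malformed input; the fuzzer treats this as expected."""


def parse_records_buggy(data: bytes) -> list:
    """Parse [type][length][payload] records. Deliberately trusts the input:
    a record header cut short raises IndexError and a non-ASCII payload raises
    UnicodeDecodeError, neither of which a caller expects from a parser."""
    records, i = [], 0
    while i < len(data):
        rtype = data[i]
        length = data[i + 1]                 # IndexError when the length byte is missing
        payload = data[i + 2:i + 2 + length]
        records.append((rtype, payload.decode("ascii")))  # UnicodeDecodeError on bytes >= 0x80
        i += 2 + length
    return records


def parse_records_fixed(data: bytes) -> list:
    """Same format, with every trust boundary checked and one documented error type."""
    records, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ParseError("truncated header at offset %d" % i)
        rtype, length = data[i], data[i + 1]
        payload = data[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ParseError("truncated payload at offset %d" % (i + 2))
        try:
            text = payload.decode("ascii")
        except UnicodeDecodeError:
            raise ParseError("non-ASCII payload at offset %d" % (i + 2)) from None
        records.append((rtype, text))
        i += 2 + length
    return records


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random byte flips, insertions or deletions to a valid seed."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        roll = rng.random()
        if roll < 0.4 and data:
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif roll < 0.7:
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        elif data:
            del data[rng.randrange(len(data))]
    return bytes(data)


def fuzz(parser, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Run the parser on mutated inputs and keep the first input that triggers each
    unexpected exception type. ParseError is the parser's documented failure mode
    and is not counted as a crash."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            parser(sample)
        except ParseError:
            continue
        except Exception as exc:          # anything else is a bug the fuzzer found
            crashes.setdefault(type(exc).__name__, sample)
    return crashes


# Constructed, well-formed seed: record type 1 "hello", record type 2 "abc".
SEED = b"\x01\x05hello\x02\x03abc"

if __name__ == "__main__":
    found = fuzz(parse_records_buggy, SEED)
    print("buggy parser crashes:", {k: v.hex() for k, v in found.items()})
    print("fixed parser crashes:", fuzz(parse_records_fixed, SEED))
```

Because the random seed is fixed, each crashing input is reproducible, which is the other half of fuzzing in practice: a crash you cannot replay cannot be triaged. In a memory-unsafe language the same IndexError would be an out-of-bounds read, which is the class of bug that becomes exploitable.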

Google Aurora

Operation Aurora was uncovered in December 2009 and disclosed in January 2010, when Google and dozens of other companies fell victim to attacks originating from China that also targeted the Gmail accounts of Chinese human rights activists. The attackers used the Hydraq Trojan, delivered through a then-unpatched Internet Explorer vulnerability, to carry out the attacks. More than 30 firms were infiltrated via spearphishing email messages carrying malicious links or attachments. The attackers remained active afterwards: a report issued by Symantec attributes a string of later targeted attacks aimed at intellectual property theft to the same so-called Elderwood gang.

Hacktivists

Hacktivists had a serious impact on data breaches in 2011, according to the 2012 Verizon Data Breach Investigations Report. Hacktivists act for political or personal reasons and attack a target to shame or embarrass the organization. Denial-of-service attacks are their most common weapon for crippling or taking down a website, but they also hunt for coding errors in the target's site, such as SQL injection flaws, to steal data or deface it. Members of the Anonymous collective were responsible for a spate of attacks that resulted in stolen data. LulzSec, a loosely connected offshoot of Anonymous, broke into Sony Pictures in 2011 through a SQL injection flaw and stole user account data, the same year a separate breach forced Sony to take its PlayStation Network offline. Anonymous members also gained access to HBGary Federal, stealing research and tens of thousands of email messages and posting them to the Pirate Bay file-sharing service.

Incident Response Plan

A good incident response plan shortens the time it takes to detect a threat, contain it and restore systems. Verizon investigators say speed and execution are equally critical: acting quickly without first understanding the scope of the incident, for example rebuilding systems before the attacker's access has been cut off, leads to mistakes and raises the cost of a breach. Having a plan and rehearsing it through regular training helps organizations be prepared. The plan lets an organization anticipate a breach, names the people who make up the response team, and ensures a communications plan is in place when a problem happens. It also provides structure by defining roles and responsibilities throughout the incident process. A thorough incident response plan should be revisited often and carefully reassessed and adjusted whenever corporate systems and policies change.

Java

Security holes in Java appear to be the leading cause of Blackhole infections, according to the Sophos 2013 threat report. In 2012, more than 600,000 Mac users were infected by the Flashback botnet through a Java vulnerability that remained unpatched on OS X for weeks after Oracle fixed it, because Apple shipped its own Java builds at the time. Sun Microsystems, which developed Java and was acquired by Oracle in 2010, built sandboxing into the Java virtual machine, but Java's enormous install base makes it an attractive target, and its complexity and age make it hard to secure. It is widely used in enterprises, but security experts say IT teams can use zone settings in the Windows registry to restrict where Java is allowed to run, so that only the internal sites that need it can load Java in the browser.

Keyloggers

Keylogger Trojans let cybercriminals capture credit card numbers, account credentials and other sensitive banking data by recording the keystrokes typed on a victim's system. Most keyloggers run covertly so the user never learns that their actions are being monitored, according to the Verizon Data Breach Investigations Report. Verizon recommends that businesses restrict users' administrative rights, issue one-time passwords for IT administrator access to endpoint systems, employ Web content filtering and blacklisting, and conduct security awareness training to help end users avoid being infected by a keylogger in the first place.