It seems every day new security breaches are announced, some of which affect millions of individuals. These breaches are about more than just data loss; they can impact the overall availability of services, the reliability of products and the trust that the public has in a brand. Read on to learn about security breaches and where you can start to minimize the chance that a breach occurs in your organization.
In this article:
- What is a security breach?
- Types of security breaches
- Examples of breaches
- Incident prevention and response
What is a Security Breach?
In cybersecurity, a security breach means a successful attempt by an attacker to gain unauthorized access to an organization’s computer systems. Breaches may involve theft of sensitive data, corruption or sabotage of data or IT systems, or actions intended to deface websites or cause damage to reputation.
Security breaches and the law
Security breaches have legal significance. In many jurisdictions an organization that is breached and loses certain kinds of sensitive data has mandatory notification duties and can face fines or other penalties. The European Union’s General Data Protection Regulation (GDPR) defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”; note that GDPR’s “personal data” is broader than the US notion of personally identifiable information (PII). The US Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”
Security breach vs data breach
A security breach is a general term that refers to any unauthorized access to organizational systems. A data breach is the subset of security breaches in which protected data was actually accessed, exfiltrated, altered or destroyed. Under laws such as GDPR the cause need not be malicious: accidental loss or disclosure of personal data counts as well.
Security breach vs security incident
A security incident, like a security breach, represents an attempt by an attacker to access or do harm to organizational systems. The difference is that most security incidents do not result in an actual breach.
For example, a brute force attack against a protected system, in which the attacker tries many usernames and passwords, is a security incident, but it is not a breach unless the attacker guesses a valid password and actually logs in.
If a security incident grants the attacker access to protected systems, it may qualify as a security breach. If the attacker obtained access to sensitive data, it is a data breach.
Types of Security Breaches
Security breaches are often characterized by the attack vector used to gain access to protected systems or data. Below are common types of attacks used to perform security breaches. For more details about these attacks, see our in-depth post on cyber security threats.
- Distributed denial of service (DDoS)—attackers take control of a large number of devices to form a botnet, and use them to flood a target system with traffic, overwhelming its bandwidth and system resources. DDoS is not a direct means to breach organizational systems, but can be used as a distraction while attackers perform the actual breach.
- Man in the middle (MitM)—attackers intercept communication between users and the target system and impersonate one side to the other, typically to steal credentials or session data. This lets them read or alter data they are not authorized to see, or perform actions as the impersonated party.
- Social engineering—attackers manipulate users or employees of an organization, tricking them into exposing sensitive data. A common attack method is phishing, in which attackers send fake emails or messages, causing a user to reply with private information, click a link to a malicious site or download a malicious attachment.
- Malware and ransomware—attackers infect target systems, or endpoints connected to a protected target system, with malicious software, known as malware. Malware can be delivered by social engineering, by exploiting software vulnerabilities or by abusing weak or stolen credentials. Once running, it can give the attacker remote control of the host, or damage or delete its contents; ransomware encrypts data and demands payment for the decryption key.
- Password attacks—attackers use bots together with lists of common passwords or credentials stolen in earlier breaches (credential stuffing) to guess passwords and take over accounts on the target system. Typically they start with ordinary accounts that have limited privileges and then move laterally to compromise additional, more privileged accounts.
- Advanced persistent threats (APT)—while most cyberattacks are automated and do not discern between victims, APT is an organized, targeted attack against a specific organization. It is conducted by a team of skilled threat actors over weeks or months and can involve a combination of several advanced attack techniques.
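The distinction drawn earlier between a security incident and a security breach, and the password attacks listed above, are easiest to see in authentication logs. The script below is an added example written for this article; it is not code from the original post or from any product mentioned in it. It reads log lines in a constructed format (timestamp, outcome, user=, src=, an assumption made for the illustration), flags a source that accumulates five failed logins within five minutes as an incident, labels the incident brute force (one target account) or password spraying/credential stuffing (many target accounts), and upgrades it to a breach only when a later successful login from the same source hits one of the accounts it failed against. The sample log lines are constructed.

```python
"""Tell a password-guessing incident from an actual breach in auth logs.

Added example for this article; it is not code from the original post or
from any product mentioned in it. The log format (timestamp, outcome,
user=, src=) is an assumption made for the illustration.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.5 brute-forces one account and finally
# gets in (breach). 198.51.100.7 sprays many accounts and never succeeds
# (incident only). 192.0.2.20 is a legitimate user who mistyped once (noise).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z FAIL user=alice src=203.0.113.5
2024-03-01T09:00:02Z FAIL user=alice src=203.0.113.5
2024-03-01T09:00:03Z FAIL user=alice src=203.0.113.5
2024-03-01T09:00:04Z FAIL user=alice src=203.0.113.5
2024-03-01T09:00:05Z FAIL user=alice src=203.0.113.5
2024-03-01T09:00:09Z OK   user=alice src=203.0.113.5
2024-03-01T09:10:00Z FAIL user=bob   src=198.51.100.7
2024-03-01T09:10:01Z FAIL user=carol src=198.51.100.7
2024-03-01T09:10:02Z FAIL user=dave  src=198.51.100.7
2024-03-01T09:10:03Z FAIL user=erin  src=198.51.100.7
2024-03-01T09:10:04Z FAIL user=frank src=198.51.100.7
2024-03-01T09:10:05Z FAIL user=grace src=198.51.100.7
2024-03-01T09:30:00Z FAIL user=heidi src=192.0.2.20
2024-03-01T09:30:30Z OK   user=heidi src=192.0.2.20
"""

FAIL_THRESHOLD = 5            # failures inside WINDOW that mark an attack
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, outcome, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ok": outcome == "OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def classify(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: finding} for every source that attacked.

    A finding starts as an "incident" when `threshold` failed logins from one
    source fall inside `window`; its kind is "brute_force" when they target a
    single account and "password_spray" when they target several. It is
    upgraded to a "breach" only if the same source later logs in successfully
    to one of the accounts it failed against. Sources that never reach the
    threshold produce no finding at all.
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    per_src = {}       # src -> {"fails": deque of (ts, user), "users": set}
    findings = {}
    for e in events:
        st = per_src.setdefault(e["src"], {"fails": deque(), "users": set()})
        if not e["ok"]:
            st["fails"].append((e["ts"], e["user"]))
            st["users"].add(e["user"])
            # Slide the window: forget failures older than `window`.
            while e["ts"] - st["fails"][0][0] > window:
                st["fails"].popleft()
            if len(st["fails"]) >= threshold and e["src"] not in findings:
                targeted = {u for _, u in st["fails"]}
                findings[e["src"]] = {
                    "verdict": "incident",
                    "kind": "brute_force" if len(targeted) == 1 else "password_spray",
                    "targets": targeted,
                    "since": e["ts"],
                }
        elif e["src"] in findings and e["user"] in st["users"]:
            # Success from an attacking source on an account it failed
            # against: the incident has become a breach.
            f = findings[e["src"]]
            f["verdict"] = "breach"
            f["compromised"] = e["user"]
            f["at"] = e["ts"]
    return findings


def report(findings):
    """Render findings as one line each, breaches first."""
    lines = []
    for src, f in sorted(findings.items(), key=lambda kv: kv[1]["verdict"] != "breach"):
        line = (f"{src}: {f['verdict'].upper()} ({f['kind']}, "
                f"{len(f['targets'])} account(s), since {f['since']:%H:%M:%S})")
        if f["verdict"] == "breach":
            line += f" -> {f['compromised']} compromised at {f['at']:%H:%M:%S}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in report(classify(SAMPLE_LOG)):
        print(line)
```

Run as-is, the script reports the first source as a breach of alice and the second as a password-spraying incident, and says nothing about the third. The threshold and window are the tuning knobs in practice: set them too low and ordinary typos become incidents, too high and a slow, patient attacker slips under them.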
Examples of Security Breaches
Here are just a few examples of the large-scale security breaches that are uncovered every day.
Yahoo security breach
Yahoo suffered two separate breaches. The 2013 breach affected all of its roughly 3 billion user accounts; the 2014 breach, which began with a spear phishing email campaign, affected about 500 million. Data exposed included names, phone numbers, security questions and hashed passwords, many of them hashed with the weak MD5 algorithm rather than encrypted. Many of those passwords have since made their way to the dark web and form the basis for the stolen-credential lists attackers use today. Both breaches were disclosed only in 2016, and the full scale of the 2013 breach was not acknowledged until 2017.
Were you affected? The 2013 breach covered every account that existed at the time, so anyone who held a Yahoo account in 2013 or 2014 should assume their data was exposed.
Equifax security breach
Equifax is one of the three major credit reporting agencies in the USA. In 2017 attackers exploited a vulnerability in Apache Struts (CVE-2017-5638), an open source web framework used by the company’s consumer-facing website. The tragedy was that the vulnerability was public and a patch had been available for about two months before the intrusion; routine patching of internet-facing systems would have prevented the breach. The attack exposed the private information of roughly 145 million people, including names, Social Security numbers and driver’s license numbers, creating a serious risk of identity theft.
Were you affected? Equifax set up a settlement website where you can check whether your private information was compromised and file a claim for compensation.
Facebook security breach
In 2018, attackers exploited a bug in Facebook’s “View As” feature to obtain access tokens, the credentials that keep a user logged in and grant full access to the account. Starting from about 400,000 accounts they controlled, they harvested the tokens of roughly 30 million users. For 15 million of them, names and contact details were exposed; for a further 14 million, profile details such as relationship status and recent places they had checked in to were exposed as well.
Were you affected? Facebook’s Help Center shows whether your account was among those affected and which data was exposed.
Behavior Analytics: Detecting Attack Patterns to Avoid Security Breaches
Cyber attacks are getting more complicated. However, few people realize they are also becoming more automated, as attackers leverage tools to assail targets en masse. SOC teams are struggling to keep up—furiously switching between products to investigate, contain, and respond to security alerts—all while hoping nothing slips through the cracks.
SOCs not only need the appropriate tools in place, they also need a standard way to communicate and collaborate about the attacks they are detecting, investigating, and responding to. Many of the tactics and techniques modern adversaries employ would set off alerts in most SOCs. But each of those alerts has to be investigated, and the evidence assembled manually, before the complete attack chain becomes visible and the breach is recognized. By the time analysts make sense of all the alerts and assemble the evidence, the attacker can have gained deeper access into the organization’s network and systems.
SOC analysts need a controlled, enriched and complete timeline of events in order to pinpoint anomalous activity before it evolves into a breach. Exabeam Advanced Analytics provides just that: its Smart Timeline capability presents all the events related to an incident, both normal and abnormal, stitched together with risk reasons and associated risk scores.
Incident Response: Preventing and Responding to Security Breaches
Incident response requires careful planning and a dedicated team that can identify and react to security incidents, which can quickly turn into actual breaches.
The SANS Institute describes a six-phase process for responding to security incidents and keeping them from becoming breaches:
- Preparation—developing policies and plans to deal with security incidents.
- Identification—using tools and a clear process to quickly identify security incidents and gather data that can help security staff respond.
- Containment—isolating affected systems to stop the threat from spreading or causing further damage, while preserving evidence for investigation.
- Eradication—identifying the root cause of the incident, cleaning affected hosts and monitoring to ensure the threat does not return.
- Recovery—restoring production systems and ensuring they are no longer affected by the threat.
- Lessons learned—understanding what worked well and what was missed during the security incident and improving the process for the next time.
Read more in our complete guide to incident response.
As IT systems grow in size and complexity they become harder to consistently secure, which may make security breaches seem inevitable. However, by remaining informed about your risks and taking preparatory actions you can minimize the chance of a breach. Focusing on catching incidents before they turn into breaches and learning from the mistakes of other organizations is an excellent place to start.