Cybersecurity Reality Check

It's time to face some hard facts about cybersecurity.

Cybersecurity Breaches


Let's take a look at how hackers breach systems. Cybersecurity statistics vary wildly depending on which source you use, as there is no central authority. It is also difficult to get accurate data since most companies don't release data regarding compromises. It's a hodgepodge of misinformation with no standardized categories. We looked at a few reasonable sources¹ and used data based on successful cybersecurity attacks. Then we took a SWAG and here's what we found:

| Attack Type | Description | Percentage |
|---|---|---|
| Phishing Attacks | Email, SMS, social media, & social engineering | 40% |
| Identity Based Attacks | MITM, Credential Harvesting/Stuffing/Stolen, Brute Force | 33% |
| Misconfiguration Attacks | Application Vulnerabilities, SQL Injection, XSS | 19% |
| Insider Threats | Employees stealing credentials / data | 6% |
| Other | Third Party / Supply Chain | 1% |
| Zero Day Attacks | Unknown exploit | .3% |

Sources: ¹ Palo Alto Australia; UN International Computing Centre (UNICC); Dark Owl; Centia Institute


Your Defenses Look Like Swiss Cheese


If you are in a midsize or large company, then you most likely have a very large cybersecurity attack surface. You have hundreds or thousands of employees, which means hundreds or thousands of computers, cellphones & IoT devices. You have on-prem and remote employees, and many of those also use their own personal computers that lack anti-virus and endpoint protection. You also probably have a wide variety of systems & applications to secure, and your defenses invariably have plenty of holes. No company has the time, money or resources to keep every system up to date. Many software vendors don't even patch vulnerabilities in a timely manner. You probably also have old systems still running that are no longer supported and that you haven't had time to upgrade or rewrite. There is always a system that isn't patched to the latest & greatest software version. A vulnerability in an old, unimportant system can lead to access to a critical system if you aren't carefully managing the blast radius.


You're Pissing In the Wind


Even if a company manages to achieve the nearly impossible task of keeping its systems up to date, there are still plenty of exploits and vulnerabilities to contend with, like Zero Day Attacks, Phishing, Social Engineering, Viruses & Ransomware. The front door may be locked and secure, but the hackers are tunneling under the floor. Furthermore, even if a magic cybersecurity AI were developed tomorrow that could prevent all Zero Day Attacks, Phishing, Social Engineering, Viruses & Ransomware, you're still not out of the woods because you have employees. The hackers are insiders and they're in the building right now. They could be your users, your vendors or your sys admins. Disgruntled employees have nothing to lose and everything to gain. This is what you're up against. This is what keeps a Chief Information Security Officer (CISO) up at night. In cybersecurity, only the truly paranoid survive unscathed.


Some Of Your Data Is Already Compromised


No matter how stringent your cybersecurity controls are, how many audits or pentests you've passed or what cybersecurity framework you're using, some of your data is already compromised. How? Because some of the data that you store & protect isn't really yours alone, especially customer data like names, addresses, social security numbers, email addresses, phone numbers & passwords. All of that data you are so diligently protecting has already been leaked by some other inept company that had zero knowledge of cybersecurity. You aren't really protecting anything, because the data is already compromised and is stored on the dark web, where it is downloaded by hackers daily.


Hackers Are Getting Smarter


With the rise of AI & smart technology, hackers are using increasingly advanced techniques. In recent examples, hackers targeted an employee's social media account and then used AI to clone their voice. Using the cloned voice, they then convinced help desk personnel to change the user's password and MFA to gain access to critical systems. Hackers can use AI recording devices to record meetings and automatically transcribe them into text. Hackers can wear smart glasses to screen-record data directly to the glasses; no USB device is required to exfiltrate data.


Your Sensitive Data Isn't Where You Think It Is


We can pretty much assure you that you don't know where all of your sensitive data is stored. Everyone from the CEO, middle management, secretaries and help desk employees to sys admins has data in places that aren't secure & that you aren't aware of. They have sensitive data stored everywhere from cloud storage accounts, USB drives, email and phones to their own personal computers. The CEO has probably emailed copies of sensitive documents to board members' AOL accounts (yes, we said AOL), who have then saved or forwarded those same documents using insecure methods. You're most likely not using encrypted email at all. We've seen this time and time again through various Data Classification Engagements. Cybersecurity Operational Security (OPSEC) is atrocious or non-existent.


You're Still Vulnerable Because You Don't Go Far Enough


Ok, you have the best cybersecurity in the world, your data is uniquely yours, you absolutely know where all of your sensitive data is and you have top-notch OPSEC. Bad news: you're still cooked. Why? Because you don't go far enough. Snowden smuggled terabytes of data out of the NSA, which had sloppy OPSEC.

Some OPSEC Questions & Your Likely Answers

| Question | Answer | Exposure |
|---|---|---|
| Do you have users not using physical hardware MFA keys? | Yes | Access Controls |
| Do you still allow links in emails? | Yes | Phishing, Malware |
| Do you allow USB drives to be used on your computers? | Yes | Data Theft / Exfiltration |
| Do you allow screenshots? | Yes | Data Theft / Exfiltration |
| Do you have employees? | Yes | Access Breach, Malware, Viruses, Ransomware, Data Theft / Exfiltration |
| Do you allow employees to use mobile phones at work? | Yes | Data Theft / Exfiltration |
| Do you allow employees to wear glasses at work? | Yes | Data Theft / Exfiltration |
| Do you allow browser plugins? | Yes | Data Theft / Exfiltration |
| Do any of your employees use social media? | Yes | Data Theft / Exfiltration |
| Do you allow outbound email? | Yes | Data Theft / Exfiltration |

If you answered yes to any of those, you're vulnerable. Pucker up.


You're Always Swimming Upstream


In cybersecurity, you are always vulnerable because you have an impossible task. You have to stop 100% of attacks, but hackers only need to pull off one. You have outside & inside threats to worry about. Everyone from state-sponsored attackers to disgruntled employees is eyeballing your systems and data. The cold hard truth is that if someone really wants your data, it will be very difficult to stop them.


So What Are We Supposed To Do?


Since, as we've discussed, you can't really stop 100% of attacks & threats, what do you do?

  • You identify as much sensitive information as you can, label & track it.
  • You limit access to sensitive data & systems.
  • You only allow access using physical MFA keys.
  • You identify all critical systems.
  • You limit your blast radius for all systems.
  • You monitor all access to critical systems.
  • You keep critical systems patched & updated.
  • You encrypt all sensitive data.
  • You audit everything & everyone.
  • You implement & practice good OPSEC.
  • You background check every employee.

You do the best you can with the employees, knowledge & budget you have.
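To make the first few items on that list concrete, here is a small added example (written for this page, not code from any vendor or source named here) that labels records containing sensitive fields, enforces least-privilege access to them by role, requires a hardware-MFA session, and writes every decision to an audit trail. The records, roles, labels and the three detection patterns are constructed sample data and deliberately simplified.

```python
"""Classify sensitive records, gate access by role + hardware MFA, audit every decision.

Added illustration for this page. All records, roles and patterns below are
constructed sample data (assumptions), not a real classification ruleset.
"""
import re
from dataclasses import dataclass, field

# Step "identify & label": simplified detectors for common sensitive fields.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # 123-45-6789
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),  # jane@example.com
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),   # 555-123-4567
}


@dataclass
class Record:
    record_id: str
    text: str
    labels: set = field(default_factory=set)


def classify(record: Record) -> Record:
    """Attach a label for every sensitive field type found in the record."""
    for label, pattern in PATTERNS.items():
        if pattern.search(record.text):
            record.labels.add(label)
    return record


# Step "limit access": which roles may read which labels (least privilege).
# Constructed policy; a real one would come from your data classification scheme.
ROLE_ALLOWS = {
    "payroll": {"SSN", "EMAIL", "PHONE"},
    "support": {"EMAIL", "PHONE"},
    "marketing": set(),
}


@dataclass
class Session:
    user: str
    role: str
    hardware_mfa: bool  # True only if the session was opened with a physical key


# Step "monitor & audit": every access decision is recorded, allowed or not.
AUDIT_LOG: list = []


def request_access(session: Session, record: Record) -> bool:
    """Allow only hardware-MFA sessions whose role covers every label on the record."""
    needed = record.labels
    allowed = ROLE_ALLOWS.get(session.role, set())
    ok = bool(session.hardware_mfa and needed <= allowed)
    AUDIT_LOG.append(
        {"user": session.user, "record": record.record_id,
         "labels": sorted(needed), "allowed": ok}
    )
    return ok


def demo() -> list:
    """Run the sample records through the policy and return the decisions."""
    records = [
        classify(Record("hr-001", "Payroll update: SSN 123-45-6789, jane@example.com")),
        classify(Record("mkt-007", "Quarterly newsletter draft, no customer data")),
    ]
    sessions = [
        Session("alice", "payroll", hardware_mfa=True),
        Session("alice", "payroll", hardware_mfa=False),  # password-only login
        Session("bob", "support", hardware_mfa=True),     # role lacks SSN
        Session("carol", "marketing", hardware_mfa=True),
    ]
    return [(s.user, r.record_id, request_access(s, r)) for s in sessions for r in records]


if __name__ == "__main__":
    for user, record_id, allowed in demo():
        print(f"{user:6} -> {record_id:8} {'ALLOW' if allowed else 'DENY'}")
    print(f"{len(AUDIT_LOG)} decisions written to the audit log")
```

The point the list makes, and the code mirrors, is that the controls compound: labelling alone stops nothing, but once records carry labels, the access check, the MFA requirement and the audit trail all hang off the same metadata. Widening `PATTERNS` or `ROLE_ALLOWS` changes policy without touching the enforcement path.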


Cybersecurity Quotes


  • "Amateurs hack systems, professionals hack people." -Bruce Schneier

  • "It takes 20 years to build a reputation and five minutes to ruin it." -Warren Buffett

  • "Encryption is the defense against the dark arts in the digital realm." -Edward Snowden

  • "Cybersecurity is much more than a matter of IT." -Stephane Nappo

  • "There's no silver bullet with cybersecurity, a layered defense is the only viable option." -James Scott

  • "Phishing is a major problem because there really is no patch for human stupidity." -Mike Danseglio

  • "When it comes to cybersecurity, you aren't paranoid enough." -Jeffrey T. Hazelwood