Why Bother Hacking When Firms Keep Leaving the Doors Wide Open?

Introduction

If your company suffered a data breach, wouldn’t it be at least a bit comforting if you knew it was because an army of criminal geniuses had spent months trying to penetrate your fortress-like defenses?

Imagine the effort they must have gone through. They’ve tried every form of phishing, spearphishing, smishing, vishing, and whaling. They’ve sent fake printer and HVAC engineers to try to penetrate the data centers. They’ve tried to get their spies recruited to work in sensitive positions. They’ve bribed and blackmailed. And their dozens of hoodie-wearing hackers have been frenziedly typing ones and zeroes into their terminal windows (because that’s how hacking works, apparently!).

Then at least you’d know that you didn’t really stand a chance. At least you’d still be able to hold your head up high.

What would be somewhat less comforting would be to discover that you weren’t really hacked at all; that the army of criminals barely had to try. The data just appeared before them, and all because of the one word that crops up again and again when you read about data breaches:

Misconfiguration

According to Verizon’s recently released Data Breach Investigations Report, 17% of data breaches were caused by ‘errors,’ the largest part of which is misconfiguration. This might not sound like a lot, but it’s double what it was last year, and second only to hacking as a cause of breaches.

Even way back in 2018, the IBM X-Force Report found that in the preceding year there was a “424 percent jump in breaches related to misconfigured cloud infrastructure, largely due to human error.”

Here are a few recent examples:

  • Clearview AI is a company which already courted controversy with privacy concerns over its facial recognition software and social media photo scraping. As detailed by TechCrunch, for a time in February a ‘misconfigured’ server allowed direct and indirect access to Clearview’s source code, credentials, and internal files. A statement from Clearview’s lawyer, Tor Eklund, said “Security is Clearview’s top priority. Unfortunately, data breaches are a part of life in the 21st century.” So… that’s ok then?! (Answer: No.)
  • A database held by developer C-Planet IT Solutions, with details of over 330,000 voters in Malta, was exposed to the internet. Considering the population of Malta is fewer than 500,000 people, this is quite the breach. The data included names, addresses, gender, phone numbers, and dates of birth; a pretty good haul for potential fraudsters. According to Malta Today, “The company was notified of the leak via email in February, but there was no reaction – the hole in the server was only closed around March 9th.” C-Planet IT Solutions described this as a ‘mishap,’ or in other words, "Please move along, nothing to see here!"
  • Five ‘misconfigured’ Amazon S3 buckets exposed uploads by up to 14 million users of ‘One-Stop Shopping Solution’ Key Ring. The researchers at vpnMentor, who discovered the breach, detailed the staggering breadth of personal information people trusted this company to keep secure in their Key Ring digital wallets. This included everything from Medical Marijuana IDs to NRA membership cards; credit cards to Government ID cards. As Key Ring had no privacy or data protection policy on their app website, it’s kind of hard to know what measures they intended to have in place to protect data. A clue, perhaps, to how seriously they were taking data security.

How Can You Avoid the Misconfiguration Pitfalls?

There is a long list of things you can do to prevent human error from splashing your data all over the internet, but I’m going to condense it to just three main points:

Know your data

  • What data are you storing and why?
  • How and where is it stored, transported, and backed up?
  • Who and what has access, and how is this authenticated?
  • How is access logged, and how are those logs audited?

Make no assumptions

  • Don’t assume your data audit gives you the full picture.
  • Don’t assume that you or your developers know everything about cloud security.
  • Don’t assume that the default settings for protecting cloud data will prevent unauthorized access.
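To make the last two checklists concrete for the S3 case mentioned earlier, the following added example (not part of the original article) audits bucket settings for grants that are publicly effective. It assumes the settings were already exported in the shape of the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock responses; the bucket names and sample settings are constructed. It treats any unconditioned wildcard-principal Allow as public and does not consider the account-level public access block, both simplifications.

```python
import json

# ACL group URIs meaning "anyone on the internet" / "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

def is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return principal == "*" or (isinstance(principal, list) and "*" in principal)

def audit_bucket(cfg):
    """Return findings for one bucket; an empty list means no public grant found."""
    findings = []
    pab = cfg.get("PublicAccessBlock") or {}  # missing block = nothing enforced
    # Only IgnorePublicAcls neutralises public ACLs that already exist.
    if not pab.get("IgnorePublicAcls"):
        for grant in cfg.get("Acl", {}).get("Grants", []):
            group = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
            if group:
                findings.append(f"acl:{grant['Permission']}:{group}")
    # Only RestrictPublicBuckets cuts off a public policy that is already attached.
    if not pab.get("RestrictPublicBuckets"):
        stmts = json.loads(cfg.get("Policy") or "{}").get("Statement", [])
        for s in [stmts] if isinstance(stmts, dict) else stmts:
            if s.get("Effect") == "Allow" and is_wildcard(s.get("Principal")):
                tag = "policy-conditional" if s.get("Condition") else "policy-public"
                findings.append(f"{tag}:{s.get('Action')}")
    return findings

# Constructed sample settings (not real buckets), shaped like the S3 API responses.
PUBLIC_ACL = {"Grants": [{"Grantee": {"Type": "Group",
              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-uploads/*"}]})
BLOCK_NEW_ONLY = {"BlockPublicAcls": True, "BlockPublicPolicy": True,
                  "IgnorePublicAcls": False, "RestrictPublicBuckets": False}
BLOCK_ALL = dict.fromkeys(BLOCK_NEW_ONLY, True)
BUCKETS = {
    "no-block": {"Acl": PUBLIC_ACL, "Policy": PUBLIC_POLICY},
    "new-only": {"Acl": PUBLIC_ACL, "Policy": PUBLIC_POLICY, "PublicAccessBlock": BLOCK_NEW_ONLY},
    "locked": {"Acl": PUBLIC_ACL, "Policy": PUBLIC_POLICY, "PublicAccessBlock": BLOCK_ALL},
}

if __name__ == "__main__":
    for name, cfg in BUCKETS.items():
        print(name, audit_bucket(cfg) or "no public grant found")
```

The "new-only" bucket is the assumption trap: two of the four block settings are on, yet the grants that were already in place remain effective.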

Don’t Mark Your Own Homework

Almost every day, there’s a news story about a company that should know better carelessly exposing personal data on the internet. Clearly in most cases they either didn’t know the databases were there, or they made assumptions about availability and access.

Given the harm that can be done to people and businesses by criminals who would make use of the data, this is utterly inexcusable.

Don’t be one of those companies that gets caught because you don’t try to find out what you don’t know.

Acknowledgments

We would like to thank Kevin Gorsline for providing insight and expertise that greatly assisted this research.

Kevin Gorsline is a Managing Director in J.S. Held's Global Investigations Practice who joined following J.S. Held's acquisition of TBG Security. For several years, Kevin served as the Chief Operating Officer and head of the Risk and Compliance practice at TBG Security, where he was responsible for providing the leadership, management, and vision necessary to ensure that the company had the proper operational controls, administrative and reporting procedures, and people systems in place to effectively grow the organization and to ensure financial strength and operating efficiency. His experience and leadership throughout his career have been focused on developing and delivering information security services and solutions, providing outstanding client service, and driving profitable revenue growth. Kevin brings established proficiency as an IT leader with extensive experience in risk and compliance services, applications development, and implementation projects both in the United States and abroad.

Kevin can be reached at [email protected] or +1 843 890 8596.
