When we come across blaring news of data breaches and other cybercrime, it is always helpful to understand the different hacking methods a malicious attacker may use to cause harm. This is particularly beneficial for CIOs and CISOs who are trusted to secure enterprises. Here we bring you the key highlights of a study conducted by Safe Security, capturing the most common types of hacks and attacks against businesses today.
“This study is the result of what we have found after analyzing the most popular hacks from 2019 to 2022,” says Rahul Tyagi, Co-founder, Safe Security.
Misconfigurations and data breaches are the most common forms of hacks
“As we analyze the hacking landscape from 2019 to 2022, it’s evident that the most prevalent forms of cyber attacks were misconfigurations and data breaches. Additionally, Ransomware remains a persistent threat, leveraging weak credentials to gain access to valuable data which can then be held for ransom. Other types of hacks, such as Social Engineering, Cyber Espionage, Insider Threats, Supply Chain Attacks, and Spear Phishing, pose significant risks to organizations and must be taken into consideration as part of a comprehensive security strategy,” adds Tyagi.
It is worth noting that these types of hacks typically occur due to a lack of proper security protocols, creating a vulnerability for malicious actors to exploit.
Deep dive into some of the hacks involving misconfiguration
Giving examples from the past year, the report refers to the attacks against Crypto.com, RedCross, Facebook, etc. as hacks arising out of misconfiguration.
In January 2022, Crypto.com detected suspicious activity in which transactions were being approved without the user having entered the 2FA control. Crypto.com said 483 of its users were affected and that unauthorized withdrawals of over $15 million worth of ETH, $19 million worth of BTC, and $66,200 in “other currencies” had occurred. The total loss, worth over $34 million at current cryptocurrency values, was even higher than what analysts had predicted before Crypto.com released its statement.
In the case of RedCross, misconfiguration led to the compromise of personal data and confidential information of more than 515,000 highly vulnerable people, who are part of the Restoring Family Links program. “The intrusion was a highly-sophisticated targeted attack on ICRC’s systems and not an attack on third-party contractor systems, as the attackers created code designed solely for execution on the targeted servers within the ICRC’s infrastructure. Hackers gained access to the ICRC’s network by exploiting a known but unpatched critical-rated vulnerability in a single sign-on tool developed by Zoho, which makes web-based office services. The vulnerability was given a CVSS severity score of 9.8 out of 10,” says the report.
In the same way, the personal data of over 500 million Facebook users was posted online in a low-level hacking forum in April 2021. “A group of hackers scraped users’ profile data by exploiting a vulnerability using misconfiguration in Facebook’s contact importer. However, Facebook dismissed the incident as a data scraping issue, unavoidable for social media platforms. The exposed data includes personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million users in the UK, and 6 million users in India. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and – in some cases – email addresses,” reveals the study.
Examples of hacks involving data breach
Instances of data breach would include Canva (May 2019; 78 million users’ Gmail addresses were exposed through a single incident), Houzz (January 2019; it was claimed that some publicly visible information from a user’s Houzz profile was affected along with internal identifiers and fields that have no meaning to anyone outside of Houzz), and Zynga (September 2019; hacker claimed to have accessed the data of more than 200 million players of Zynga games).
In the case of Canva, a hacker named GnosticPlayers took credit for the breach and claimed that, along with Canva, he or she had made off with more than 1 billion user credentials. This hacker or hacker group is quite prominent and is responsible for posting 932 million users’ data on the dark web. As a consequence, 78 million users’ Gmail addresses were exposed through this single incident. “Canva defended its position by stating that its passwords use Bcrypt security and would be nearly impossible for hackers to crack each person’s password. The passwords were also salted (additional characters added to each one). However, only 61 million of the 139 million users had salted passwords encrypted using Bcrypt. The others logged in using Google tokens (Gmail). Canva suffered a significant data breach which cost them 139 million user records,” says the study.
Regarding the incident, Houzz said some publicly visible information from a user’s Houzz profile could be affected, such as name, city, state, country, and profile description, along with internal identifiers and fields that have no meaning to anyone outside of Houzz. Usernames and scrambled passwords were also taken, said the company.
In September 2019, Zynga was at the receiving end of a hack. Outside hackers accessed a database containing account information of players who installed the game Words With Friends before September 2, 2019. A hacker going by the name Gnosticplayers claimed responsibility for breaching the data of more than 200 million Words With Friends accounts, covering both Android and iOS players. The hacker then claimed to have accessed the data of more than 200 million players of Zynga games, including Words With Friends and Draw Something accounts. More recently, however, a website that allows users to check whether their data has been compromised in a breach reported that the breached data included 173 million unique email addresses, usernames, and hashed/salted passwords. Zynga contacted affected users at the time. According to the company, no financial information was accessed.
Learnings for CIOs and CISOs
McKinsey states: “When it comes to technology risk and cyber risk, organizations are increasingly shifting toward a risk-based approach to determine their priorities for controls. Those controls should be based on their current security capabilities, the likelihood of threats, and the impact of any potential cyber breach.”
Therefore, it is crucial for CIOs and CISOs to stay informed and proactive in the face of these evolving threats, and to regularly review and strengthen their security measures to protect their organizations against potential hacks.
“As CISOs evolve from cybersecurity experts to business leaders, they need platforms that are able to measure cybersecurity risk and articulate it in a business context – what is the financial impact in different cyber risk scenarios?” asks Tyagi.
With continuous, always-on risk visibility and dollar-value insights, CISOs will have the ability to accept, manage, or transfer cybersecurity risks before breaches happen – protecting business revenue and preventing regulatory scrutiny, and immediately positioning cybersecurity as a business value driver, adds the report.
Conclusion
On analyzing these breaches, a pattern emerges: cybersecurity risk management was threat-driven when it should instead have been risk-driven, says the study, which advocates a Cyber Risk Quantification (CRQ) strategy that empowers organizations to create a risk-based and objective framework for proactive cyber risk management.
“Advanced CRQ platforms collect signals from across an enterprise’s cybersecurity ecosystem and provide real-time cyber risk exposure visibility. Enterprise-wide exposures are mapped against the MITRE ATT&CK framework’s tactics, techniques, and procedures to provide dynamic visibility to the entire kill chain. CRQ empowers the modern CISO with knowledge of where the greatest risks lie, enabling them to manage or transfer the most significant risks. They have ROI-driven data to justify cybersecurity investments,” says Tyagi.