by Ian Heritage
So far, 2019 is looking very similar to last year. We’re only a month into the new year and already the headlines have been filled with news of data breaches, privacy leaks and credential stuffing attacks. And all this as GDPR regulators begin to flex their muscles by levying financial penalties. To stay clear of regulatory trouble and minimise cyber risk, IT teams should remember the best practice basics and layer up multiple connected threat defence tools.
Breaches are everywhere
So far this year we’ve seen a flood of breach notifications. These include firms as diverse as home improvement site Houzz, aerospace giant Airbus, US restaurant chain Huddle House, photography networking platform 500px, popular parenting forum Mumsnet, and software provider Image-I-Nation Technologies. As if this weren’t enough, researchers have discovered yet another group using the infamous Magecart digital skimming code to harvest cardholder data: this time from clients of a French ad agency.
Although details for some of the above incidents are still vague, what stands out immediately is not only the diversity of the victim organisations involved but also the variety in the attackers' modus operandi. The incidents range from compromises of customer databases to POS malware, skimming code inserted into websites and supply chain attacks. One (Mumsnet) was described by its founder as a breach but in all honesty was a data leak in which some users were able to see the PII of others after a cloud migration glitch.
Along with cyber-attacks targeting organisations themselves, 2019 has also seen a surge in credential stuffing campaigns designed to compromise customer accounts. Big-name brands including Dailymotion, Dunkin' Donuts and OkCupid have been affected.
It’s not hard to see how such attacks have become so popular with cyber-criminals. Using off-the-shelf automated tools they can concurrently test large volumes of breached or leaked credentials on numerous sites, in an attempt to take over accounts. The underground market is flooded with such credentials: over two billion unique usernames and passwords are being circulated on the dark web under the Collection #2-5 moniker. Just this week news emerged of a separate trove of 617 million account details from various breached sites.
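A defender-side illustration of the pattern just described, added here as an example and not part of the original post: the script below scans constructed login-log lines (assumed format: timestamp, source IP, username, result) and flags the two signatures credential stuffing leaves behind, namely one IP failing against many accounts and one account failed by many IPs, then reports any success from a flagged IP as a possible account takeover.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample web-login log: "<ISO timestamp> <source ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2019-02-05T10:00:01 203.0.113.7 alice LOGIN_FAIL
2019-02-05T10:00:02 203.0.113.7 bob LOGIN_FAIL
2019-02-05T10:00:02 203.0.113.7 carol LOGIN_FAIL
2019-02-05T10:00:03 203.0.113.7 dave LOGIN_FAIL
2019-02-05T10:00:04 203.0.113.7 erin LOGIN_OK
2019-02-05T10:00:05 198.51.100.1 frank LOGIN_FAIL
2019-02-05T10:00:06 198.51.100.2 frank LOGIN_FAIL
2019-02-05T10:00:07 198.51.100.3 frank LOGIN_FAIL
2019-02-05T10:00:08 198.51.100.4 frank LOGIN_FAIL
2019-02-05T10:30:00 192.0.2.9 grace LOGIN_FAIL
2019-02-05T10:30:05 192.0.2.9 grace LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")

def parse(log_text):
    """Yield (timestamp, ip, user, succeeded) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, status = m.groups()
            yield datetime.fromisoformat(ts), ip, user, status == "LOGIN_OK"

def detect_stuffing(log_text, window=timedelta(minutes=5), threshold=3):
    """Bucket failed logins into fixed windows; flag an IP that fails against
    >= threshold distinct usernames (one tool, many accounts) and a username
    failed by >= threshold distinct IPs (one account, many proxies)."""
    users_per_ip = defaultdict(set)   # (bucket, ip)   -> usernames that failed
    ips_per_user = defaultdict(set)   # (bucket, user) -> source IPs that failed
    successes = []                    # (bucket, ip, user) for LOGIN_OK events
    secs = window.total_seconds()
    for ts, ip, user, ok in parse(log_text):
        bucket = int(ts.timestamp() // secs)   # fixed window index
        if ok:
            successes.append((bucket, ip, user))
        else:
            users_per_ip[(bucket, ip)].add(user)
            ips_per_user[(bucket, user)].add(ip)
    spraying = {k for k, v in users_per_ip.items() if len(v) >= threshold}
    targeted = {k for k, v in ips_per_user.items() if len(v) >= threshold}
    # A success from an IP that was spraying in the same window is a likely takeover.
    takeovers = [(ip, user) for b, ip, user in successes if (b, ip) in spraying]
    return {"spraying_ips": sorted({ip for _, ip in spraying}),
            "targeted_users": sorted({u for _, u in targeted}),
            "possible_takeovers": sorted(takeovers)}
```

Run against the sample, it flags 203.0.113.7 as a spraying source, frank as a targeted account and erin as a possible takeover, while grace's single failed attempt followed by success is left alone.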
Joining the dots
All of this comes amidst heightened awareness over data security thanks to the GDPR. A new report from DLA Piper claims that over 59,000 separate breach reports have already been filed, with 91 fines levied so far. Greater transparency in breach reporting is to be welcomed, although each incident represents a potentially major financial and reputational hit for the victim organisation.
Trend Micro’s 2019 predictions report saw much of this coming, from the surge in breach disclosures to the increase in credential stuffing, a tactic we believe will increasingly be used to commit mass identity fraud. We even warned of the potential for breaches arising from cloud migration misconfigurations.
There’s no simple answer to the problems associated with these escalating cyber-threats. But a good starting point would be to improve enterprise security. After all, poor corporate cyber security leads to breaches, and the resulting stolen credentials are then used in automated attacks to crack open accounts and commit fraud en masse.
IT leaders should implement multiple layers of security — at network, endpoint, server and gateway — and at each stage ensure they plug in different threat protection tools to tackle the wide variety of attack techniques out there. Thus, signature-based tools sit alongside app whitelisting, behavioural analysis, machine learning and more — with built-in intelligence choosing the right tool to deal with a particular threat at the right time. By ensuring these tools share the same underlying intelligence, you further improve visibility and response times.
There are no silver bullets to tackle the cyber threats organisations will be faced with in 2019. But security experts who can offer this kind of joined-up threat defence should be the first port of call for CISOs.