Q3 2019 Security Update: How Much Can a Data Breach Cost?
The Cost of a Data Breach a la GDPR
Marriott International’s 2018 data breach affecting data of more than 383 million guests has led to a $123 million fine for noncompliance with the EU’s General Data Protection Regulation (GDPR). British Airways received a $230 million fine under GDPR for its 2018 data breach that put data of 500,000 customers at risk. These penalties are the largest, exceeding the fines against Google ($57 million), Facebook ($645,000) and Equifax ($645,000).
Action Items:
- Seek legal and technical counsel to create a plan for compliance.
- Help your clients comply with software features such as:
- Maximum privacy as a default setting
- Ability to locate all of a specific consumers’ data
- Data erasure upon request, including data passed to third parties
- Processing and storing data only as long as it is needed
- Data encryption and pseudonymization
- Accurate API user logs
Healthcare Data Breaches, 2019
HIPAA Journal reports that in March 2019, healthcare data breach reports occurred at a rate of one per day. The total for the month was nearly 14 percent higher than the past 60 months and exposed records of more than 900,000 patients.
Causes of the data breaches include:
- Theft
- Unauthorized access to health records
- Phishing attacks
- Other types of cyberattacks
The BlueKeep Vulnerability
The United States Computer Emergency Readiness Team (US-CERT) Cybersecurity and Infrastructure Security Agency (CISA) issued an alert in June regarding the Microsoft OS BlueKeep Vulnerability. Microsoft advises users that a hacker can send a packet to operating systems with the vulnerability and with the Remote Desktop Protocol (RDP) enabled:
- Windows 2000
- Windows Vista
- Windows XP
- Windows 7
- Windows Server 2003
- Windows Server 2003 R2
- Windows Server 2008
- Windows Server 2008 R2
Action Items:
CISA advises users to:
- Install patches.
- Upgrade operating systems that are no longer supported.
- Disable unnecessary services, such as RDP.
- Enable network-level authentication for Windows 7, Windows Server 2008, and Windows Server 2008 R2, which can stop BlueKeep since it would require an unauthenticated session.
- Block TCP port 3389, which is used to initiate RDP sessions.
Unsecure SAP System Vulnerability
CISA also issued an alert regarding exploits that target unsecure configurations of SAP components. Cybercriminals can attack SAP systems with improper configurations with 10BLAZE exploit tools. Review configurations for:
- SAP Gateway ACL, which could allow a hacker to run OS commands.
- SAP Route secinfo, which an attacker could use as an internal host and enable remote code execution.
- SAP Message Server, which could enable an attacker to execute man-in-the-middle requests to access credentials.
Action Items:
CISA advises:
- Making sure SAP configurations are secure
- Restricting access to the Message Server
- Scanning for SAP components that are exposed to the internet and removing or securing them.
Formjacking
Symantec reports that cybercriminals have moved on from ransomware and cryptojacking to new tactics including formjacking. The number of attacks has grown to an average of 4,800 per month. Experian compares this type to skimming a physical credit card, but a site infected with formjacking malware steals data as you enter it in a form. Symantec estimates that if a cybercriminal can steal data from 10 credit cards per website, they can earn up to $2.2 million per month.
Action Items:
- Ensure third-party applications are not infected.
- Scan for malicious code.
- Use subresource integrity (SRI) tags to verify that files haven’t been changed.
- Use a robust security solution that can stop formjacking attacks.
Ransomware Targeting Network Attached Storage (NAS)
The Hacker News reports that a new type of ransomware is attacking Linux-based NAS devices produced by Taiwan vendor QNAP Systems.
Action Items:
- Do not connect NAS devices directly to the internet.
- Keep firmware up to date.
- Use strong passwords to secure NAS devices.
- Back up data on NAS devices, so if an attack does occur, it won’t be necessary to pay ransom.
For more news and insights, visit DevPro Journal’s Security page.
Gloss