Security Breaches

Information security breaches take many forms. These include lost or misplaced data media, stolen laptops and cell phones, hacked systems, data lost or stolen in transit, information taken by rogue employees, and more. Damage done by a security breach can be measured in both tangible and intangible terms.

Tangible damage is calculated based on estimates of lost business, lost productivity, labor and material costs to repair the breach, labor and legal costs associated with the collection of forensic evidence, and the public relations costs to prepare statements. Increases in insurance premiums and legal costs related to defending the organization in liability suits can also be tangible damages.

The intangible damages refer to costs that are difficult to measure or calculate. Much of this cost is due to a loss of competitive advantage due to the breach. This can stem from a loss of customer confidence, bad press, or the possibility of proprietary information falling into the hands of competitors.

Kinds of Security Breaches

There are a number of different types of security breaches. This is also a moving target as technology evolves. Here are some of the types of security breaches an organization may have to face:

  • System exploits—These include Trojan horse programs, computer viruses, and other malicious code.
  • Eavesdropping—This is the act of passively gathering information. Eavesdropping can take the form of sniffing network and wireless traffic, intercepting Bluetooth traffic, and even using equipment to remotely pull information from monitors due to electromagnetic fields (EMFs).
  • Social engineering—This is an exploitation of human nature and human error as discussed previously.
  • Denial of service (DoS) attacks—These are purely damaging attacks, meant to render a system unusable.
  • Indirect attacks—These involve using a third party’s system to launch an attack. Distributed denial of service (DDoS) attacks are an example of this. Rather than directly attacking the target, hackers first compromise other systems and use those to launch their primary attack.
  • Physical attacks—These range from the technological aspects of unauthorized access to the utilization of devices like keystroke loggers, to outright theft of equipment.

This isn’t a comprehensive list, and new vectors of attack are always being developed, but it does give you an idea of what the IT security field is facing.

Why Security Breaches Occur

The why of a security breach is almost as diverse as the how, but can be generalized into two categories: monetary gain and vandalism of systems.

Hackers and Crackers

Hackers have historically been known as white-hat hackers or ethical hackers—the good guys. They hack into systems to learn how it can be done, but not for personal gain. Crackers have been known as black-hat hackers or malicious hackers—the bad guys. They hack into systems to damage, steal, or commit fraud. Many black-hat hackers present themselves as white-hat hackers, claiming that their actions are innocent. However, most mainstream media put all hackers in the same black-hat category. The general perception is that all hackers are bad guys.

Be aware though that Linux users and the open source communities think of themselves in a positive way as hackers—people who just want to create better software. The Linux world defines people who are threats to information security as crackers.

Financial gain takes numerous forms. Intruders in a system could look for valuable data to sell, personally identifiable information to steal and use, or physical equipment to resell. Insider information to gain an advantage in stock trading is also often targeted. Accounting and human resources are also tempting targets. There have been cases of direct deposit information being tampered with, causing paychecks to be deposited into the incorrect account. DoS and DDoS attacks have even been used in extortion.

NOTE

A spam remailer is a hidden mail server that is used to relay spam so its origins are obscured.

Monetary gain motives may not even involve the organization attacked, just its servers. Spam remailers commonly get installed during web server security breaches. Malicious code can also be injected into a company’s website to try to infect customer computers for identity theft purposes.

NOTE

Monetary gain and vandalism can overlap. During the early stages of the U.S. war in Iraq, a group of Middle Eastern hackers were defacing websites of U.S. companies with anti-American messages. While they were in the systems, they also installed spam remailers to help fund their group.

Vandalism is the other major category for security breaches. It can range from something as harmless as kids having “fun” or trying to make a name for themselves among their peers, to groups making a political statement, and even individuals and groups protesting an organization.

Implications of Security Breaches

Computer security is a critical issue for any organization. A breach in system security that damages an organization’s computer systems can result in financial costs, loss of customer trust, and legal penalties.

There is also the possibility of ongoing system security issues. Did the intruders build themselves some additional backdoors for later access?

What disclosure must happen after the breach? Depending on the industry and what was taken, an organization may be obligated to disclose the breach to the public. This must be done in a timely manner, especially if customer data were accessed. Not only is it a good business practice—allowing customers a chance to ward off identity theft—it may also be legally mandated.

An organization will also have to take a long look at its security procedures. Did the technology that was used fail? If so, what will it take to mitigate the issue, and does the organization need to upgrade or change systems?

Was it due to a human failure? If it was human error, more awareness training may be needed. If it was due to malicious users or rogue employees, access audits may be in order to make sure that no one has access to information that they do not need.

The breach may also be due to a failure in procedure. If this is the case, new procedures must be developed.

The Impact of a Security Breach Can Be Significant

A credit card processing company called Acme Credit Card Processing received notice from two of the larger card issuers that fraudulent credit card purchases were occurring. Prior to receiving the notification, Acme did not know that there was an issue.

After some investigation, the problem was discovered in Acme’s system. A spyware program that originated with a spear phishing attack had been loaded onto Acme’s system. A well-crafted email was sent to an employee who clicked a link that infected his system with malicious code. The malicious program was able to pull the credit card information off Acme’s system for every card that Acme processed. This information was sent to a remote system, where data thieves were able to use it to clone credit cards. Any consumer who used a credit card somewhere that utilized Acme’s processing could potentially be affected.

The impact on Acme was significant. There was the cost of removing every trace of the spyware, in both money and time. Acme had to pay fines to various industry and legal regulatory groups. Acme also had to communicate the breach to all consumers affected. There was also the impact on Acme’s reputation. Secure transactions are vital for a processing company. A number of merchants who used Acme’s services moved to other processing companies. Acme enhanced its email security and launched a user awareness program in an attempt to prove to customers that security breaches of this nature would not happen again.

Financial Impact of Security Breaches

As discussed above, the costs of a security breach to an organization can come in both direct and indirect forms. The direct costs of a breach can be easily identified. They come in the form of equipment replacement costs, security upgrades, enhancements and additions, and other monetary costs paid to repair the damage done.

Monster.com security breach. In 2007, Monster.com discovered that intruders had obtained personal information from 1.3 million résumés stored there. The breach affected both Monster.com and USAJobs.gov, a government jobs site that Monster.com runs for the United States government. Monster.com officials estimate that it cost $80 million to upgrade security on the sites. These upgrades included better monitoring of site access and stricter access controls and intrusion prevention systems.

NOTE

The indirect costs of a security breach can be difficult to identify. The costs of contacting all of the individuals affected by the security breach, defending the organization from legal action, and loss of reputation are some examples of these costs.

TJX security breach. The TJX Companies, Inc., which operates stores such as T.J.Maxx and Marshalls, disclosed a massive security breach in 2007. The customers affected by the security breach were offered free credit monitoring at the expense of the organization. TJX also had to settle a civil suit with MasterCard for an additional $24 million. In addition, TJX is still the defendant in other litigation and claims on behalf of customers and other credit card companies who were damaged as a result of the computer intrusions. Besides the millions in legal liabilities, there are also untold costs in lost reputation and customer trust. Unknown numbers of former customers will no longer shop at T.J.Maxx due to the loss in consumer confidence.

New York Times security breach. In 2013, The New York Times and other major media outlets announced that Chinese hackers had infiltrated their internal systems, seeking information on confidential sources within the Chinese government. While the direct financial impact of this type of attack is hard to quantify, it is likely that it had a chilling effect on potential future sources who may question the newspaper’s ability to maintain confidentiality.

Equifax security breach. In September 2017, the credit-reporting agency Equifax announced that it had been the victim of a data breach that exposed the sensitive personal information of over 147 million individuals. Attackers were able to exploit an exposed vulnerability in the Apache Struts web framework running on Equifax servers and used it to exfiltrate massive amounts of personal information. In July of 2019, the Federal Trade Commission announced a settlement with Equifax that included $425 million in compensation to the victims of the breach.

The impact on an organization’s market share due to a security breach is an additional cost. There are recovery costs to regain market share, rebuild reputation, and restore customer and shareholder confidence. The continuing potential damage to an organization could be significant if its customers and stakeholders feel that they can no longer trust the access control safeguards in place to protect sensitive information.

Information assurance is critical for any organization. An organization’s data are key assets and must be treated as such. Access control safeguards are essential to ensure that measures are in place to prevent unauthorized access. If data are accessed, there must be mechanisms in place to identify what was accessed. TJX executives, in their initial communications, advised that they did not have enough information to estimate the extent of the data loss. Without robust auditing to determine the extent of a breach, affected customers cannot be alerted in a timely manner, which causes more legal liabilities. An organization needs both strong access controls and auditing mechanisms; a failure in these systems can lead to staggering direct and indirect financial losses.
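The auditing argument above, as an added example that is not part of the original text: a breach-scoping check run over a constructed audit trail for a hypothetical card-processing host (the principal names, record ids, log format and database size are all assumptions). It shows why a gap in the audit trail, here a bulk export whose records were never enumerated, leaves the organization unable to estimate the extent of the loss and forces it to notify every customer.

```python
from datetime import datetime

# Constructed audit trail for a hypothetical card-processing host; names,
# record ids and the "timestamp principal action record" format are made up.
# "card:*" marks a bulk export whose individual records were not logged.
AUDIT_LOG = """\
2023-05-01T08:00:00 svc_batch READ card:1001
2023-05-01T08:05:00 jdoe READ card:1002
2023-05-01T09:10:00 jdoe READ card:1003
2023-05-01T09:12:00 jdoe EXPORT card:*
2023-05-01T10:00:00 jdoe READ card:1004
2023-05-02T08:00:00 svc_batch READ card:1005
2023-05-03T08:00:00 jdoe READ card:1006
""".splitlines()

TOTAL_RECORDS = 5000  # constructed size of the card database


def parse_event(line):
    """Split one audit line into (timestamp, principal, action, record)."""
    ts, principal, action, record = line.split()
    return datetime.fromisoformat(ts), principal, action, record


def scope_breach(log_lines, compromised, start_iso, end_iso, total_records):
    """Estimate how many customers must be notified after a breach.

    Every record the compromised principal touched inside the incident
    window is in scope. If any event in the window is a wildcard export,
    the trail cannot say which records left, so the only defensible
    estimate is the whole database and the result is flagged as not exact.
    Returns (notify_count, exact, sorted affected record ids).
    """
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    affected, exact = set(), True
    for line in log_lines:
        ts, principal, action, record = parse_event(line)
        if principal != compromised or not (start <= ts <= end):
            continue
        if record.endswith("*"):
            exact = False  # audit gap: individual records unknown
        else:
            affected.add(record)
    if not exact:
        return total_records, False, sorted(affected)
    return len(affected), True, sorted(affected)
```

With the export in the window the count jumps from three identifiable cards to all 5000, which is the position TJX found itself in when it could not estimate the extent of its data loss.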
