Invicti Insights: Lessons from high-profile breaches and security blunders

In 2013, the average cost of a data breach was $3.5 million. Today, that number tops $4 million, with some estimates closer to the hefty $5 million mark. Even though a decade has passed, those costs show no signs of shrinking, and bad actors are always on the hunt for new ways to infiltrate organizations and make an expensive getaway with the goods. 

A lot has changed since 2013, but one truth remains: security is a dynamic landscape where the threat of incidents looms over every business, large and small. Safeguarding critical digital assets and data is no longer merely a nice-to-have. Successful modern security programs are built on a foundation of proactive risk management, with the right policies and tools in place for continuous coverage. 

They’re also built on trust. Your employees need confidence that their tools and systems are working reliably alongside them, and your customers and partners must trust that you’re prioritizing data privacy while protecting their sensitive information. But trust and confidence don’t always come easy – especially with headline-making breaches reminding everyone that faltering or misstepping even a little bit in your security program can cause a domino effect of disaster, both financially and for a brand’s reputation.  

With those ever-increasing price tags likely causing more than a few sleepless nights for leadership, it’s crucial that we’re all paying attention and learning from past security blunders so we can avoid repeating the same missteps. We sat down with Invicti’s CISO and VP of Information Security, Matthew Sciberras, to learn more about what he considers to be some of the most noteworthy security incidents in recent years and what leadership can do to safeguard data privacy, protect their brand, and increase confidence.

Thinking back over the past 5-10 years, which data breaches and security incidents really stand out to you? Why do you think they’ve had such an impact on the industry?

Matthew Sciberras: We’ve seen many significant data breaches and incidents over the past decade, affecting both individuals and the industry as a whole. Probably one of the most impactful and far-reaching incidents was the Equifax breach of 2017 that affected approximately 147 million Americans. Hackers exploited an Apache Struts vulnerability in the Equifax website, gaining access to sensitive personal information, including names, social security numbers, birth dates, addresses, and also some driver’s license numbers. The breach highlighted the importance of robust cybersecurity practices and the need for organizations to prioritize the protection of consumer data.

 

Also making an appearance in 2017, the WannaCry ransomware attack infected hundreds of thousands of computers worldwide, targeting systems running outdated versions of Microsoft Windows. The malware encrypted files on the compromised systems and demanded ransom payments in Bitcoin. The incident also affected critical infrastructure, including hospitals and government agencies, highlighting the vulnerability of outdated software and the need for regular security updates and patches.

 

More recently, the SolarWinds attack (2020) was a highly sophisticated supply chain compromise that impacted numerous organizations, including government agencies and major technology companies. Hackers inserted malicious code into SolarWinds software updates, allowing them to gain unauthorized access to the networks of SolarWinds customers. The incident revealed the potential for vulnerabilities in software supply chains and the challenges of detecting and mitigating supply chain attacks.

 

These milestone incidents had a significant impact due to their scale, the sensitive nature of the data compromised, and the repercussions they had on individuals, organizations, and society at large. They all served as wake-up calls for the industry, highlighting the need for enhanced cybersecurity measures, improved data protection practices, and increased awareness of the evolving threat landscape.

Is there an incident in particular that you think is a great example of how foundational security practices (or a lack thereof) can make or break a business?

Matthew Sciberras: The Equifax data breach is a prime example of how foundational security best practices are important to be implemented at any organization, regardless of size. The breach occurred due to a vulnerability within Apache Struts which Equifax had failed to update in their credit dispute portal. Reportedly, the data exfiltration occurred around two months after the security hotfix was issued. 

 

Personally, I feel that this could have been avoided if proper controls were in place with the likes of vulnerability management and a thorough patch management procedure. DAST tools play an important role here as well, and given the right DAST tool, many such security incidents could have been identified and properly mitigated.

What do you think are some of the most critical steps organizations should take today to prevent security blunders that lead to avoidable breaches?

Matthew Sciberras: Organizations should consider implementing several critical steps and best practices to minimize security risk. These start with establishing a robust cybersecurity framework that includes policies, procedures, and controls to ensure the security of networks, systems, and data. The framework should encompass areas such as access control, encryption, vulnerability management, incident response, and employee awareness training. Conducting regular risk assessments is also a must to identify vulnerabilities, assess potential threats, and prioritize security measures accordingly. This process should include evaluating the organization’s infrastructure, systems, and applications, as well as analyzing the potential impact of different security incidents.

 

To ensure a secure network infrastructure, organizations should Implement strong network security measures, including firewalls, intrusion detection and prevention systems, and secure configurations. The next step in securing access is to enable multi-factor authentication (MFA) for all systems and applications that contain sensitive information. MFA adds an extra layer of security by requiring users to provide additional verification, such as a temporary code sent to their mobile device, in addition to their passwords. 

 

Employee training and awareness is crucial to educate employees about the importance of cybersecurity and establish a culture of security within the organization. Provide regular training sessions on topics such as phishing attacks, social engineering, password hygiene, and safe browsing habits. Encourage employees to report any suspicious activities or potential security incidents. Regular software updates and patching are fundamental InfoSec hygiene to ensure that all software, applications, and systems are up to date with the latest security patches and updates. Vulnerabilities in software are often exploited by attackers, so timely patching is crucial to mitigate the risk of known vulnerabilities being exploited. 

 

With data being the prime target, data encryption and protection should include the encryption of sensitive data, both at rest and in transit. Utilize strong encryption algorithms to protect data from unauthorized access or interception. Additionally, establish data classification and access control policies to ensure that sensitive information is only accessible to authorized personnel.

 

To make sure you’re prepared, develop a well-defined incident response plan that outlines the steps to be taken in the event of a security incident. This plan should include procedures for identifying, containing, mitigating, and recovering from security breaches. Regularly test and update the plan to ensure its effectiveness. Third-party risk management should be another routine procedure to evaluate the security practices of third-party vendors and partners that have access to the organization’s systems or data. 

 

Establish clear security requirements in contracts and agreements with third parties and regularly assess their compliance with these requirements. And finally, you should ensure you have continuous monitoring and threat intelligence. Implement continuous monitoring of network traffic, systems, and applications to detect and respond to potential security incidents in real time. Stay updated with the latest threat intelligence and industry trends to proactively address emerging threats.

How important is it for leadership at any organization to take an active role in security and help prevent avoidable issues?

Matthew Sciberras: Leadership’s active role in security is of paramount importance for any organization. For starters, leaders set the tone for the entire organization. When leadership prioritizes and emphasizes the importance of security, it sends a clear message to employees that security is a fundamental aspect of the organization’s operations. Leaders also play a critical role in resource allocation for cybersecurity initiatives. By providing adequate budget, personnel, and technology, leadership empowers the security team to implement robust security measures, conduct regular risk assessments, invest in necessary tools, and stay ahead of emerging threats. Without leadership support, it becomes challenging to implement effective security measures.

 

For policy and strategy development, leadership is responsible for developing comprehensive security policies, strategies, and frameworks. This includes establishing guidelines for data protection, access control, incident response, and employee training. Effective security also requires collaboration and communication across different departments and levels of the organization. Leaders need to encourage cross-functional collaboration between IT, security teams, legal, HR, and other relevant stakeholders. By fostering open lines of communication, leaders can ensure that security concerns and incidents are promptly reported, addressed, and resolved.

 

Leaders have a crucial role in understanding and managing risk. They should actively participate in risk assessments, prioritize security initiatives based on the identified risks, and make informed decisions regarding risk mitigation strategies. Leadership involvement in risk management helps align security efforts with business objectives and ensures that security measures are proportionate to the organization’s risk appetite.

 

Keeping up with compliance and regulations is also vital. Leaders need to be knowledgeable about relevant compliance requirements and regulations in their industry. They should work closely with legal and compliance teams to ensure that the organization adheres to applicable laws and regulations related to data protection, privacy, and security. Leadership commitment to compliance helps protect the organization from legal and reputational risks. Overall, the leadership’s active role in security is vital for establishing a strong security posture, fostering a culture of security, and ensuring that security measures align with organizational goals. When leadership actively engages with security initiatives, it significantly enhances the organization’s ability to prevent security issues, mitigate risks, and protect sensitive data.

What are the first critical steps a security leader should take in the event of a major breach or issue?

Matthew Sciberras: When things go wrong, the first step to take is to activate your incident response plan. The plan should outline further steps to be taken in response to a security incident, including roles and responsibilities, communication protocols, and escalation procedures. Next, you should assess the scope and impact by conducting a rapid assessment to understand the scope and impact of the breach or security issue. Gather as much information as possible about the nature of the incident, the systems or data affected, and the potential risks to the organization, customers, or stakeholders. This assessment will help guide subsequent actions and response efforts.

 

Then comes the time to contain and mitigate by taking immediate action to contain the breach and mitigate further damage. This may involve isolating affected systems or networks, shutting down compromised accounts, changing passwords, or temporarily suspending affected services. As you do this, you should take care to preserve and collect evidence related to the breach or security incident. This includes logs, network traffic data, system snapshots, and any other information that can help in forensic analysis and investigation.

Timely and transparent communication is vital to maintaining trust and managing reputational damage, so the next step is to notify relevant parties. You need to determine the appropriate parties that need to be notified about the incident. This may include law enforcement agencies, regulatory bodies, affected customers or users, business partners, and any other stakeholders who may be impacted or have a legal or contractual obligation to be informed. You should also communicate with and provide support to all other stakeholders, maintaining open and transparent communication throughout the incident response process. 

 

As you investigate the incident, be prepared to engage external experts. Consider engaging external cybersecurity experts or incident response teams to provide specialized expertise and support. They can assist in forensic analysis, identifying the root cause, closing security gaps, and guiding the organization through the incident response process. 

 

Once the dust settles, take the opportunity to learn and improve. Conduct a post-incident review and analysis to identify lessons learned and areas for improvement. Assess the organization’s response to the incident, evaluate the effectiveness of existing security controls and processes, and identify gaps or weaknesses that need to be addressed. Use these insights to update incident response plans, enhance security measures, and improve overall resilience. Finally, review and update security measures based on the findings and lessons learned from the incident. This may involve enhancing security controls, implementing additional monitoring tools, conducting employee awareness training, or reassessing risk management strategies.

By following these critical steps, a security leader can effectively respond to a major breach or security issue, minimize damage, protect the organization’s assets, and facilitate the recovery process.

You’ve been in tech for 20+ years and InfoSec for 12 years, amassing a wealth of knowledge about the security space – what is one piece of advice or knowledge that you think is critical for other leaders to succeed?

Matthew Sciberras: Your security posture is as strong as your weakest link. I strongly believe that there is no secret sauce for a bulletproof solution; if threat actors want to infiltrate your organization and try hard enough, they will eventually succeed. 

 

What is important is to fail fast and have a proper incident response plan with the right rulebooks in place to cater for the different areas of threats. Throwing money at a problem is not the best solution – ideally, you should have a collective approach on how to minimize your attack surface and understand what your threat vectors are.

Staying one step ahead of impending threats

Application security doesn’t lend itself to a cookie-cutter, one-size-fits-all approach to reducing risk. Organizations must assess their own situations, determine which tools and processes will help alleviate security pain points, and continuously improve their strategies for the most effective results. This all starts with leadership. It’s essential that leaders keep an eye on the trends, potential risks, and best practices if they want to stay one step ahead of the next big threat.

Stay tuned for more insights from Invicti’s experts in this series!