Graphs for Cybersecurity: Cyberthreats, Vulnerabilities, and Risk


Note: This blog post is an extract from the Graphs for Cybersecurity white paper by Dave Voutila, Gal Bello, Tara Jana, and Deb Cameron.


Cyberattacks have been on the rise for years, with nation-state threat actors and foreign hacking collectives joining in and devoting more time and resources to attacks. To mitigate cybersecurity risk effectively, we need data solutions that let us correlate and analyze the connections between users, systems, and vendors at real-world scale.

In the introductory blog to this series, we discussed how attackers and defenders think, as well as why graph databases are a strong fit for cybersecurity.

In this part 1 of the series, we provide an overview of common threats, the tradeoffs between cloud and on-premises deployment, and a look at the sources and impacts of security breaches.

Cybersecurity Threats


Social engineering refers to manipulating people into performing actions against their own interests or those of their organization. For example, an attacker may trick people into giving out sensitive information over the phone, or leave a memory stick containing malware in a company parking lot in the hope that a curious employee will plug it into a computer. A seemingly small initial foothold of this kind can lead to significant follow-on attacks. Phishing is just one type of social engineering, yet, according to a PwC report, it accounts for over half of all reported security incidents.

Ransomware removes a person's or company's access to their data or systems, typically by encrypting them. The attacker offers to restore access if a ransom is paid and, increasingly, also exfiltrates data beforehand and threatens to publish it if payment is not made. This is a financial risk and potentially a reputational one if customer-facing systems are unavailable or sensitive data is published. Ransomware is reportedly the top cybersecurity risk for small and medium-sized businesses, but large organizations are not immune: disruption from the 2017 WannaCry ransomware outbreak is estimated to have cost the UK's National Health Service £92,000,000.

Distributed denial-of-service (DDoS) attacks are carried out from many compromised machines (a botnet) that send so many requests to a service that it can no longer handle legitimate traffic. "Denial of service" does not mean the systems are destroyed; it means they are unavailable to the users who depend on them, which can still lead to severe loss. Cisco estimated that by 2023 the number of DDoS attacks would grow to as many as 15.4 million per year.

Risks from third-party vendors. Most companies use third-party vendors for commodity services so they can focus on their core business, which provides a competitive advantage. The flip side is increased security risk: when a vendor's software or service is compromised, your systems or data can be exposed through it, even though your own perimeter was never breached directly. From 2017 to 2019, the number of data breaches caused by third-party vendors increased by 35%. In 2021, unauthorized access to Fujitsu's ProjectWeb information-sharing tool leaked some 76,000 email addresses belonging to Japan's Ministry of Land, Infrastructure, Transport, and Tourism.

Security Tradeoffs: On-Premises Versus Cloud


Hosting systems yourself offers maximum control, but there's a tradeoff – full responsibility. The hardware, the network, and everything running on them must be designed, built, staffed, and maintained by you.

Keeping software and systems you manage secure requires constant vigilance and discipline. You must track new vulnerabilities in all the software, operating systems, utilities, and hardware your organization uses, and you must know which of your assets are affected by each one. Prompt patching is essential.

While cloud services can bring huge advantages, their users undeniably hand a third-party organization some control over their systems. With that comes less visibility into how those systems work and what they depend on, and therefore less ability to assess and mitigate risk. Note that the provider's responsibility ends at the infrastructure it operates; the configuration, identities, and data you put on top of it remain yours to secure.

Your team will usually need to provision cloud systems, and each cloud provider offers its own configuration tools. A lack of in-depth experience with them can lead to misconfigurations such as overly permissive storage or identity policies, and thus to security holes. You can mitigate this by getting help from cloud vendors or partners, but then you take on the overhead of granting third parties access to your cloud systems.

If a cloud system is hosted in a different country, the data in it may fall under that jurisdiction's laws while you remain bound by the data protection laws of your own. You, not the cloud provider, will be responsible for any fines for noncompliance.

Organizations need to do a cost-benefit analysis of the options along the spectrum of control and flexibility and find the right point for each use case. One option is a hybrid model: manage the systems that handle your crown jewels, where a breach would be most costly, in-house, and run less critical resources in the cloud after putting careful policies in place.

Sources of Security Breaches


External breaches that exploit vulnerabilities are the classic attack vector, but an organization remains vulnerable to breaches by insiders even with perfect perimeter security in place. According to the 2019 Verizon Data Breach Investigations Report, internal actors were involved in over a third of breaches. Insiders can pass information to external parties to enable their access, or can directly leak data that requires privileged access to reach. Insider involvement may be intentional or unintentional, as when an employee is phished or otherwise socially engineered.

Impacts From Cybersecurity Breaches


The impact of a cybersecurity breach is manifold, from lost productivity to reputational damage to fines, all of which directly or indirectly hit the bottom line.

Downtime means the loss of critical organizational capabilities and an inability for customers to reach your systems, which often translates into an immediate loss of sales.

A Forbes report found that 46% of organizations suffer reputational damage following a data breach. Data protection regulations oblige companies that suffer a breach to notify regulators and affected individuals, and the media may report on it, further damaging your brand.

Remediating any type of breach comes with financial costs. According to IBM's Cost of a Data Breach report, the average cost of a data breach in 2021 was $4.24 million. On top of these costs, many countries and industries have regulations requiring organizations to secure the personal data they hold, and violations come with stiff fines and penalties.

Companies operating in the European Union can face fines of up to 4% of annual global turnover, or €20 million, whichever is higher, for violating the General Data Protection Regulation (GDPR). Google was fined €50,000,000 by the French regulator CNIL in 2019 for such violations. GDPR has become a model for similar regulations worldwide, such as the California Consumer Privacy Act and Brazil's LGPD.

In the U.S., HIPAA protects protected health information (PHI). Covered entities must not disclose such information to anyone other than the patient or the patient's authorized representative without consent. Since the HITECH Act of 2009, civil penalties can reach $1.5 million per violation category per calendar year (adjusted for inflation), and individual breaches have cost far more than that. In 2020, Premera Blue Cross paid $6,850,000 to settle with HHS over unauthorized access to the PHI of more than 10 million individuals.

PCI DSS is an industry standard rather than a regulation, but it fills a similar role for any merchant or service provider that stores, processes, or transmits cardholder data. It protects payment card information internationally; the card brands can levy fines on noncompliant companies, through their acquiring banks, commonly cited at up to $100,000 per month. Breach costs can dwarf such fines: the Equifax data breach in 2017 exposed 147 million Americans' names, Social Security numbers, birth dates, and addresses, along with some driver's license and credit card numbers, and the resulting settlement included a consumer fund of up to $425 million.

Conclusion


Cyber threats come in many forms and from many sources. Understanding the tradeoffs between hosting systems on-premises and in the cloud, as well as the impact of a breach, helps you identify the solution that best suits your needs.

In the next part of the series, we'll walk you through cybersecurity policies and strategies to consider, with some simple graph queries to show how you might implement them. (Or read the full-length Graphs for Cybersecurity white paper.)