Vulnerability Assessment vs. Penetration Testing
Jan 11 2023
Cyber Awareness
Two of the most important steps for maintaining a robust cybersecurity posture are vulnerability assessment and penetration testing.
Data breaches can affect billions of individuals in today's data-driven world. As attackers exploit the data-dependencies of everyday life, digital transformation has expanded the supply of data moving, and data breaches have scaled up with it. Some of the companies that have been victims of such events in recent years are:
Taobao, Alibaba's Chinese online retail site, suffered a data breach that exposed 1.1 billion client records, including user IDs and mobile phone numbers. The data was gathered in November 2019 using a web crawler placed on Taobao's website. According to reports, no encrypted data such as passwords was accessed.
Alibaba had estimated that almost 925 million people utilize its Chinese retail platform at least once a month. Because so many mobile phone numbers were exposed, there could be a significant increase in identity theft-related crimes.
A person must register for a mobile phone number in China using their national identity number. Furthermore, Chinese consumers frequently use their mobile phones to sign up for internet services. Knowing a person's mobile number could make it easier for fraudsters to access their social media accounts or obtain other personal data.
A Facebook data breach exposed the personal information of over 533 million people to cyber criminals. The user's name, date of birth, current city, and wall posts were all included. A white hat security group discovered the vulnerability in 2021, and it has been active since 2019. The 2021 Facebook data breach is still fresh in many people's minds.
This incident occurred when data thieves grabbed data from Facebook's servers through a contact importer misconfiguration. As a result, they could acquire access to millions of people's personal information.
While it is unknown what the crooks intend to do with all this information, it could be utilized for large-scale social engineering attacks in the future. Although Facebook recognized this as an external attack, the core cause of this and similar breaches is a typical occurrence: misconfiguration problems.
An archive of data allegedly from a 500 million LinkedIn account had been put up for sale on a well-known hacker forum, with post authors leaking an additional 2 million records as an example of proof of concept. The four shared files contained the name, email address, phone number, work information, and other details of the LinkedIn users whose data was allegedly deleted by the attacker. Users of hacking sites could access the leaked sample for about $ 2 with forum credits, but attackers are auctioning a database of 500 million users, for at least four digits, with Bitcoin.
Unknown intruders broke into Kaseya's network over the Fourth of July 2021 and spread ransomware to at least three managed service providers (MSPs), with the possibility of affecting many more. The malware encrypts files on infected computers, making them inaccessible to users.
An attacker who compromises an MSP can obtain access to any of the company's clients. The Kaseya hack is likely to have affected both cloud-based and on-premises clients in this situation. While Kaseya claims that less than 0.1 percent of its customers were affected, the impact on those 1,500 customers could have been significant.
According to a report by ZDNet and reports from multiple international media, the personal information of more than 538 million members of the Chinese social network Weibo was on sale online.
An attacker claims to have accessed Weibo in mid-2019 and obtained a dump of the company's user info in adverts on the dark web and elsewhere.
The database is said to have contained information on 538 million Weibo users. Personal information included genuine names, site usernames, gender, location, and phone numbers for 172 million members.
Passwords were not included, which is why the adversary only demanded ¥1,799 ($250) for the Weibo data.
The hack occurred in 2014, but was not discovered until 2018, when internal security tools discovered a suspicious attempt to access Marriott's Starwood-branded internal guest booking information. Marriott International acquired Starwood Hotels in 2016, adding 11 brands to its first 19 hotels.
An investigation of internal security alerts revealed that the Starwood network had been compromised in 2014 before the acquisition. In 2018, Starwood did not migrate to Marriott's booking system, and the Starwood brand continued to use legacy IT infrastructure, increasing the scope and scale of data breaches.
MyFitnessPal is a fitness monitoring software that was founded in 2005 and purchased by Under Armor for $475 million in 2015. Under Armor notified customers on March 25, 2018, that a MyFitnessPal data breach had occurred, affecting 150 million accounts. Under Armor notified the authorities and customers right away. Experts in cyber security have safeguarded the app and are constantly watching it for any strange or suspicious activities. Every user was also prompted to change their password. Although there are no certain answers as to why the MyFitnessPal breach occurred, experts believe it was caused by a security flaw in the MyFitnessPal server and the activities of an employee.
In March 2021, Hafnium, a Chinese cyber espionage group, launched an attack on Microsoft. Over 30,000 organizations across the United States, including local governments, federal agencies, and businesses, were affected by the attack. The attack was not specifically targeted at Microsoft, but according to a letter to Microsoft's customers, the group "targeted primarily US companies with the goal of extracting information from various industry sectors. Microsoft later stated that a vulnerability was detected, and Microsoft released a patch in 2020, but many users did not update their systems.
Twitch, an Amazon-owned streaming service, had crucial data hacked by an unknown threat actor. Twitch's source code, streamers' earnings data, and other information were leaked, although it does not appear that users' login passwords or credit card information were hacked.
The most recent data breach affecting Amazon occurred in October 2020, when a dissatisfied Amazon employee for the second time that year disclosed customer data to a third party. Over the years, Amazon Cloud services such as AWS also have experienced multiple data breaches.
Adobe suffered a cyber-attack in October 2013, in which cyber criminals obtained credit card information from approximately 3 million users. Up to 150 million users' login credentials, including usernames and hashed passwords, were also stolen in the hack. Further investigation revealed that the cyber criminals had also taken customer names, identity information, passwords, and other debit and credit card information.
It also paid customers a cash settlement of $1 million for unfair business practices and violations of the Customer Records Act. In addition, one year following the final settlement date, Adobe must deploy security measures and disclose the results of an independent security audit.
Unfortunately, the increasing volume of data will likely also continue driving high profile hacks and breaches. In fact, as long as cyber criminals can monetize data stolen from compromised companies or individuals, security breaches will never stop happening.
Every industry and government owns large amounts of valuable personal data, which is a strong incentive for increasingly sophisticated attacks against the enterprises tasked with securing this data.