
Data Breach

Last Update: November 2020


Data breaches are confirmed incidents that may lead to unauthorized access or disclosure of sensitive, confidential or other protected data.

Data breaches typically affect protected health information (PHI), personally identifiable information (PII), intellectual property, financial data like credit card or bank account numbers, personal data like social security numbers or user credentials, or commercially sensitive data like customer lists or manufacturing processes.

If any of these types of data, or similarly sensitive data, is exposed to unauthorized parties, this represents a data breach. Data breaches can damage an organization’s reputation, may result in non-compliance with regulations or industry standards, and the organization can face fines or lawsuits in connection with the data it lost.


10 Biggest Data Breaches

There are many ways of measuring the magnitude of a data breach, including the number of records lost and the financial damages caused. Below are ten data breaches that were indisputably among the biggest in history.

Adobe Data Breach

As security blogger Brian Krebs reported in 2013, Adobe disclosed that hackers compromised encrypted customer credit card records and credentials for approx. 3 million user accounts. Later Adobe corrected this estimate and said that 38 million active users were compromised. However, Krebs discovered that in reality 150 million usernames and passwords were breached, along with customer ID numbers and credit card numbers.

Aadhaar Data Breach

In 2018, a biometric database called Aadhaar, containing personal data belonging to more than 1 billion Indians, was made available for sale on the dark web. The data breach happened due to a data leak in a utility company owned by the Indian government. Attackers obtained personal information about almost all Indian citizens, including ID numbers, photographs, bank details, retina scans and fingerprints.

Canva Data Breach

In 2019, an Australian graphic design service named Canva was attacked, leaking salted and hashed passwords, email addresses, usernames and locations of 137 million users of the service, of which 61 million had created a password on Canva and did not use social sign-in. The company claimed hackers were not able to steal credit card data, but did view some files with partial payment data.

eBay Data Breach

In 2014, an attack on eBay revealed a complete list of accounts, including names, dates of birth, addresses, and encrypted passwords of 145 million users. According to the company’s statement, the breach was achieved by attackers who obtained the credentials of three office workers, gained access to the network and were only discovered after 229 days.

Equifax Data Breach

In 2017, Equifax, a large credit institution in the United States, stated that a vulnerable open source component on its website caused a data breach, putting approximately 148 million consumers at risk. The breach occurred in May, 2017, but was discovered only in late July. Attackers stole social security numbers, personal addresses, and some driver’s license numbers of 148 million US citizens, and credit card information of 200,000 citizens.

Yahoo Data Breach

In 2013, a successful attack on Yahoo became the largest data breach in history. 3 billion user accounts were affected, but it took Yahoo as long as three years to discover the attack. It publicized the breach in late 2016, and asked all affected users to reset passwords and security challenges. The breach resulted in an immediate drop of 3% in Yahoo’s stock price, representing a loss of $350 million for investors.

Facebook Data Breach

In 2018, Facebook announced that it had stored millions of Instagram passwords in plain text format, exposed to the Internet. In 2019, another data breach discovered by TechCrunch exposed 400 million phone numbers linked to Facebook accounts. In addition to the phone numbers, attackers obtained the name, location and gender of the users.

Marriott Data Breach

In 2018, Marriott International announced that hackers stole the data of approximately 500 million customers of its Starwood hotel brand. The breach happened in 2014, when Marriott acquired Starwood, but was only discovered in 2018.

Attackers stole data including names, contact details, travel information and passport numbers. The company said that credit card numbers or other financial information were exposed for 100 million customers, but that attackers may have been unable to make use of the data, which was strongly encrypted.

Twitter Data Breach

In 2018, Twitter employees mistakenly stored a list of passwords in an internal log, making all 330 million passwords of Twitter users available on Twitter’s local network. The company claimed that no breach occurred and the issue was fixed; however, the file was exposed internally for several months. Twitter requested all 330 million users to change their passwords as a precautionary measure.

MySpace Data Breach

In 2013, a Russian hacker gained access to data for 360 million MySpace accounts. The breach was only discovered in 2016. The leaked information included names, usernames, passwords and dates of birth. Between 2013 and 2016, attackers in control of this data were able to access hundreds of millions of MySpace accounts and view private data. After the breach was discovered, MySpace revoked passwords for any accounts created before 2013.

Data Breach Statistics

Here are a few important statistics about the global state of data breaches. All the statistics refer to organizations in the USA in the year 2019.

  • Average Number of Records Breached: 25,575
  • Average Time to Detect a Breach (Days): 279
  • Average Time to Eradicate a Breach (Days): 73
  • Average Number of Records Lost Per Day: 780,000
  • Total Breaches Per Annum: 1,473
  • Share of Breaches with Accidental Causes: 49%


7 Causes of Data Breaches

According to a model developed by the Identity Theft Resource Center (ITRC), there are seven main sources of data breaches.

  1. Accidental Internet exposure – confidential data is inadvertently stored in a location publicly accessible via the Internet. For example, improper use of unsecured Amazon S3 buckets to store sensitive data.
  2. Unsecure data transfer – it is challenging to protect data in transit. Companies do not have control over all the ways employees retrieve and share data, and in some cases, this may be done using unsecure protocols.
  3. Error, negligence or accidental deletion – improper implementation of data security policies may lead to accidental data loss or unintentional exposure.
  4. Hacking/intrusion – data breaches caused by hackers or other malicious third parties. This includes common cyber threats like phishing, malware, data exfiltration, and ransomware.
  5. Internal threats – employees or other authorized parties who abuse their permissions to steal or destroy data, or insider user accounts compromised without their knowledge and used by malicious actors.
  6. Physical theft – mobile devices, laptops, and removable storage devices may store sensitive or valuable data. When these devices are brought to public places, they can be easily lost or stolen.
  7. Unauthorized access – poorly designed or improperly implemented access control may allow malicious actors access to corporate data.
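The first cause above, accidental Internet exposure through an S3 bucket, is usually the result of a bucket policy that grants access to an anonymous principal. The following is an added example, not code from the original article or from Cynet, showing how to audit a bucket policy document offline for such statements. It assumes the standard AWS bucket policy JSON format and uses a constructed policy with a made-up account ID; it does not call AWS.

```python
import json

def _as_list(value):
    """Bucket policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_public_principal(principal):
    """True when the statement applies to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False

def public_statements(policy_json):
    """Return (Sid, severity, actions) for every Allow statement addressed to an
    anonymous principal. Statements without a Condition are outright public;
    those with a Condition (e.g. aws:Referer) are flagged for human review,
    since such conditions are trivially satisfiable and do not make data private."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement-{i}")
        severity = "public" if not stmt.get("Condition") else "public-with-condition"
        findings.append((sid, severity, sorted(_as_list(stmt.get("Action")))))
    return findings

# Constructed sample policy (assumption: 123456789012 is a placeholder account ID).
# One statement is intentionally public, one is scoped to a role, one is
# "public" behind a Referer condition.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "TeamAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/DataTeam"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "RefererOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringLike": {"aws:Referer": "https://example.com/*"}}},
    ],
})

if __name__ == "__main__":
    for sid, severity, actions in public_statements(SAMPLE_POLICY):
        print(f"{sid}: {severity} {actions}")
```

In practice the same check is run over the policies returned by the account's bucket inventory, alongside the bucket's ACL and the account-level Block Public Access settings, which this example does not inspect.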

The 2020 DBIR Report from Verizon sheds light on how frequent each type of breach is and how commonly different threat actors are involved.

Anatomy of a Data Breach: The Cyber Kill Chain

The Cyber Kill Chain (CKC) is a cyber security model developed by Lockheed Martin’s Computer Security Incident Response Team (CSIRT). The purpose of this model is to better understand the steps taken by an attacker during a data breach, allowing the security team to stop the attack at each stage.

Each stage below is listed with a description and example attacks.

  1. Reconnaissance – Attackers gather information about the infrastructure of the target organization. Example attacks: port scanning, social media monitoring, shadowing.
  2. Intrusion – Attackers make attempts to penetrate the security perimeter. Example attacks: VPN attack, spear phishing, supply chain compromise.
  3. Exploitation – Attackers seek vulnerabilities or security gaps they can exploit while inside the network. Example attacks: PowerShell attack, scripting attack, Dynamic Data Exchange.
  4. Privilege Escalation – Attackers attempt to gain additional privileges to extend their reach to more systems or user accounts. Example attacks: access token manipulation, path interception, sudo attack.
  5. Lateral Movement – Attackers “move laterally” by taking over more accounts and connecting to more systems, on their way to the most valuable assets. Example attacks: SSH hijacking, internal spear phishing, Windows remote management.
  6. Obfuscation – Attackers cover their tracks by tampering with security systems, deleting or modifying logs, changing timestamps, etc. Example attacks: binary padding, code signing, file deletion, hidden users.
  7. Denial of Service – Attackers disrupt an organization’s critical systems, with the goal of getting the attention of security and operations and creating a distraction. Example attacks: endpoint DoS, network DoS, service stop, system shutdown.
  8. Exfiltration – An attacker finally obtains the organization’s most sensitive data. Attackers will find a discreet way, such as DNS tunnelling, to copy the data outside the organization without being detected. Example attacks: data compressed, data encrypted, exfiltration over alternative protocol, scheduled transfer.

Learn more in the detailed guide to the cyber kill chain


Types of Cyber Security Threats

To better understand how data breaches occur, it is important to be familiar with the common cybersecurity threats facing organizations today.

Common cyber threats that result in data breaches are described in the sections that follow.

Learn about these threats in more detail in the detailed guide to cyber security threats

Social Engineering Attacks

The working principle of social engineering attacks is to psychologically manipulate users, causing them to disclose confidential information or to take action beneficial to the attackers, such as clicking on unsafe links or installing malware.

Common types of social engineering attacks include:

  • Phishing – attackers send malicious emails or messages that appear to come from legitimate sources. In these messages, the attackers ask the user to provide sensitive information, download an attachment infected with malware, or click a link to a malicious website.
  • Spear phishing – a type of phishing where the attacker targets people with special privileges or influential roles, such as finance staff or senior executives.
  • Homograph attacks – attackers create a fake website URL that looks very similar to the legitimate website address. Users are tricked into visiting the fake website, and provide their credentials or other sensitive information.
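Homograph lookalikes are easiest to catch on the defender's side by reducing a hostname to the ASCII form a human would read it as and comparing that "skeleton" against the organisation's own domains. The following is an added example, not code from the original article or from Cynet: it classifies hostnames from, say, a proxy or mail log against a constructed list of protected domains. The confusable map is a small constructed subset (Unicode's confusables.txt is far larger), and `examplebank.com` is a made-up brand.

```python
import unicodedata

# Constructed subset of lookalike characters -> the ASCII letter they imitate.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic а е о р с
    "\u0445": "x", "\u0443": "y", "\u0456": "i",                                 # Cyrillic х у і
    "\u03bf": "o",                                                               # Greek omicron
    "0": "o", "1": "l",                                                          # digit zero / one
}
MULTI_CHAR = {"rn": "m", "vv": "w", "cl": "d"}   # two-letter sequences read as one letter

def skeleton(label):
    """Reduce one host label to the ASCII string it visually resembles."""
    s = unicodedata.normalize("NFKC", label).lower()
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for seq, rep in MULTI_CHAR.items():
        s = s.replace(seq, rep)
    return s

def to_ascii(host):
    """Punycode (xn--) form of a hostname, so entries from different log sources compare alike."""
    return host.encode("idna").decode("ascii")

def scripts_used(label):
    """Set of Unicode scripts (first word of the character name) among the letters of a label."""
    return {unicodedata.name(ch, "?").split()[0] for ch in label if ch.isalpha()}

def classify_host(host, protected):
    """Classify a hostname relative to a set of protected registrable domains:
    'legitimate' (the domain or a real subdomain), 'lookalike' (skeleton matches),
    'mixed-script' (letters from more than one script in a label) or 'unclassified'."""
    # Accept either Unicode or punycode input and normalise to lowercase Unicode.
    host = host.lower().rstrip(".").encode("idna").decode("idna")
    if host in protected or any(host.endswith("." + b) for b in protected):
        return "legitimate"
    labels = host.split(".")
    skel = ".".join(skeleton(l) for l in labels)
    if skel in protected or any(skel.endswith("." + b) for b in protected):
        return "lookalike"
    if any(len(scripts_used(l)) > 1 for l in labels):
        return "mixed-script"
    return "unclassified"

# Constructed protected-domain list and sample hostnames.
BRANDS = {"example.com", "examplebank.com"}
SAMPLES = ["docs.example.com", "ex\u0430mple.com", "examp1e.com",
           "login.exarnple.com", "ex\u0430mplebank-login.com", "unrelated.org"]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{to_ascii(h):32} {classify_host(h, BRANDS)}")
```

The mixed-script rule is deliberately checked after the skeleton rule: a label that mixes Cyrillic and Latin letters is suspicious on its own, but when its skeleton equals a protected domain the more specific "lookalike" verdict is the one an analyst wants to see.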


Advanced Persistent Threats (APT)

An APT is a long-term attack campaign carried out by an individual or group, aimed at gaining unauthorized access to the network of a specific organization. Attackers may remain in the network for a long time; during this period, they use advanced techniques to evade detection, and in the meantime, exfiltrate sensitive data.

APTs require a high level of expertise, coordination, organization and effort from attackers. Therefore, APTs are typically launched against valuable targets such as governments, institutions, or large organizations.

Learn more in our detailed guide to APT attacks

Network Attacks

A network attack is aimed at gaining unauthorized access to a company’s network, to steal data or perform other malicious activities. There are two main types of network attacks:

  • Passive attacks – attackers monitor or steal confidential information by accessing the network, without destroying or changing data.
  • Active attacks – attackers not only gain unauthorized access, but also cause damage by deleting, encrypting or destroying data.

Network attacks are an umbrella term for many types of cyber attacks:

  • Unauthorized access – an attacker gains unauthorized access to the network.
  • Distributed Denial of Service (DDoS) attacks – attackers create botnets by compromising a large number of vulnerable devices, and use them to send massive fake traffic to networks or servers.
  • Man in the middle (MiTM) attacks – attackers steal data or credentials by intercepting traffic on a corporate network, or inbound/outbound Internet traffic.
  • Code and SQL injection attacks – attackers fill out forms or make API calls and, instead of valid input, send malicious code which is then executed on the server.
  • Privilege escalation – an attacker who has already penetrated the network elevates privileges, either to access other adjacent systems or to gain higher privileges on the same systems.
  • Insider threats – malicious insiders who already have privileged access to organizational systems abuse it to attack the organization (see the following section).

Learn more about all these threats in our detailed guide to network attacks

Ransomware

Ransomware has become a major threat for organizations of all types, from small businesses to large enterprises, institutions and governments. Ransomware is malware that infects a machine, encrypts its data, and displays a notice asking the victim to pay a ransom to unlock their data. In many cases, payment is ineffective, and the ransomware destroys the data in any case.

Once a ransomware attack has occurred, it is very difficult to recover, and so the primary way to protect an organization is prevention. A ransomware prevention program includes four steps:

  1. Protecting the network using access control, application whitelisting and behavioral analytics
  2. Protecting endpoints using endpoint protection, EDR and XDR solutions
  3. Backing up data and ensuring backups are stored safely so they don’t themselves become infected (see Ransomware Data Recovery below)
  4. Educating employees to make sure they follow best practices about social engineering and ransomware


Insider Threats

An insider threat is a malicious act directed at an organization, executed by the staff of the organization or other people the organization has willfully granted access to its systems. The threat actor (usually an employee or contractor) is a person who has existing access to the company’s network, databases, applications, or other IT systems.

Types of insider threats:

  • Careless insider—a person who accidentally, unintentionally, or negligently causes security breaches, exposing systems or networks to external threats. This is the most common insider threat.
  • Malicious insider—a person who abuses access rights and credentials to perform malicious actions. This abuse usually takes the form of information theft in order to gain personal and economic benefits.
  • Compromised insider—a threat actor who compromises an existing user account and pretends to be a user with access rights to IT systems.

Learn more in the detailed guide to insider threats

Cloud Native Security Threats

Cloud native is a new paradigm that simplifies the development, testing, deployment and operations of cloud-based applications. A cloud native application is built from scratch for the cloud, rather than being migrated from a traditional data center to the cloud. “Cloud” in this context can mean a public cloud such as Amazon Web Services, a private cloud, or a hybrid or multi-cloud environment.

Cloud native applications are more difficult to secure than traditional applications, because of their dynamic nature and the large number of entities that comprise them.

Cloud native security threats include:

  • Lack of visibility – traditional security tools cannot visualize a containerized or serverless environment, allowing attackers to operate undetected.
  • Large number of entities – instead of one monolithic server, an application may now be composed of dozens of microservices and thousands of containers or serverless functions, each of which is vulnerable to compromise.
  • Vulnerabilities in base images – many cloud native apps are based on Docker containers, which are generated from images. If these images suffer from a vulnerability, all containers created from the image will be vulnerable.
  • Serverless permissions – attackers can take advantage of glitches or configuration errors in a serverless platform’s permissions settings, to compromise serverless functions.
  • Open source components – cloud native applications are mainly based on open source components with complex dependencies. Any open source package or its dependencies might contain critical security vulnerabilities, or licensing issues that can create legal exposure.

Building Your Data Breach Response Plan

A data breach response plan (DBRP) outlines the steps a company should take to discover and address a data breach. It helps everyone in the organization understand their role in the event of a breach, and provides practical steps employees can take to mitigate the threat and minimize the damage caused to the organization.

These include security measures, as well as instructions and procedures employees must follow. The main steps in a data breach response plan are:

  • Identify a data breach incident—put in place security monitoring and alerting systems, and actively perform threat hunting, to detect data breaches as early as possible. Early detection can dramatically reduce damages.
  • Identify what was compromised—discover compromised IT systems, networks, or data. Identify exactly which assets were affected by the breach.
  • Recover affected systems—quarantine the infected systems, eradicate the threat and restore full functionality. Prioritize business critical systems. It is common to rebuild or re-image affected systems, isolating them from breached assets to prevent re-infection.
  • Evaluate the damage—assess the damage caused to systems and sensitive information exposed to attackers, and decide whether to notify affected users, customers, shareholders, compliance authorities, or others.
  • Find the root cause—after recovering from the attack, investigate what attackers did to penetrate your systems and how damages were caused.
  • Find the attacker and their motive—many breaches are caused by accidents or random attacks. But if an attack was carried out by an advanced persistent threat (APT) or a malicious insider, you must identify the threat actor to prevent additional attacks. In some cases, it may be necessary to collect forensic information and involve the authorities.
  • Determine business impact of the data breach—understand how the data breach will impact the business, both in terms of direct losses to productivity, fines or lawsuits, and in terms of indirect losses like damage to reputation.

What Is Data Protection?

Data protection, also known as data security, is the process of protecting the confidentiality, integrity, and availability of sensitive information owned by your organization.

Almost all organizations work with sensitive data, either belonging to the organization itself or to its customers. This raises the need for a data protection strategy that can prevent theft, damage, and loss to that data, and reduce damage in case of a data breach or disaster.

After critical business data is breached or accidentally lost, recovering it is urgent, and any delay can impact business continuity. A data protection strategy must take into account the ability to recover the data in a timely manner.

In addition, many industries have legal requirements or voluntary compliance standards governing how organizations store personal information, medical information, financial information, or other sensitive data. A data protection strategy must address the specific compliance requirements your organization is subject to. Learn more in The Compliance Aspect of Data Breaches below.

Learn more in the detailed guide to data protection

Data Protection Technologies and Practices

Many management and storage solutions are available to protect your data, along with data security measures that limit access to data, monitor network activity, and respond to suspected or confirmed breaches.

The following are commonly used data protection technologies and practices:

  • Data backup—maintaining copies of organizational data on a regular basis. In most cases, all data is backed up and stored in a location that enables fast access and recovery.
  • Data Loss Prevention (DLP)—a technical solution that uses a variety of tools to identify and prevent data corruption, loss, or exfiltration, whether malicious or accidental.
  • Firewalls—monitor network traffic to detect and block malicious traffic.
  • Endpoint protection—software that monitors endpoint activity and helps security teams respond to breaches occurring on endpoints like servers, laptops or mobile devices.
  • Ransomware data recovery—solutions that enable secure backups that cannot be infected by ransomware, and can be used to recover from successful attacks.
  • Authentication and authorization—can be part of a larger Identity and Access Management (IAM) solution, and will typically include role-based access control (RBAC).
  • Encryption—uses cryptographic keys to make the data unusable to an attacker, unless they possess the decryption key. Data security solutions often use encryption as part of their data protection strategy.
  • Data disposal or obfuscation—strategies to remove sensitive data entirely, or obfuscate it by replacing it with other values or tokens, to reduce the risk of a data breach. This is a requirement of data privacy regulations like the GDPR.

What Is Data Backup?

A backup copies data from primary storage to secondary storage, to provide protection in the event of a disaster or malicious activity. Data is crucial for modern businesses, and data loss can cause major damage. Therefore, backup is an essential process for businesses of all sizes.

Learn more in the detailed guide to data backup

What are RPO and RTO?

RPO and RTO are key concepts in backup management, disaster recovery and business continuity.

Recovery Point Objective (RPO) is the amount of data a company can lose in the event of a disaster, and is determined by the frequency of backups. If the system is backed up once a day, the RPO is 24 hours. The lower the RPO, the more network, computer, and storage resources are needed for frequent backups.

Recovery Time Objective (RTO) is the time needed to restore data or systems from a backup and resume normal operation. If you store or back up large amounts of data in remote locations, copying the data and restoring the system can take a long time. There are technical solutions, such as high performance connectivity to backup locations and fast synchronization, which can shorten RTO.

What is Cloud Backup?

Cloud backup (also known as online backup) lets you send a copy of your data to a cloud server, over a public or secure private network. Cloud backup services are typically offered by third-party providers. Cloud backups are an excellent way to enable offsite backups that can minimize data loss. You can access your data from multiple access points and share your data among multiple cloud users.

Organizations are typically charged for cloud backup on a pay-per-use basis, according to the number of users, the amount of data stored, the duration of storage, the amount of data transferred to and from cloud storage, and the frequency at which data can be accessed (hot, warm or cold data tiers).

In the following sections we describe enterprise cloud backup solutions provided by the big three cloud providers: AWS, Azure, and Google Cloud.

Learn more in the detailed guide to backup cloud storage

AWS Backup

Amazon Web Services (AWS) offers AWS Backup, a managed service you can use to back up both on-premises data and data stored in AWS services, including:

  • Amazon Elastic File System (EFS)
  • Amazon DynamoDB
  • Amazon Relational Database Service (RDS)
  • Amazon Elastic Block Store (EBS)

AWS Backup is a central management interface that integrates these technologies, making it easy to organize and schedule backups in one place. Amazon also provides the AWS Storage Gateway, which lets you integrate local storage and backup solutions with Amazon services.

Learn more in the detailed guide to AWS backup

Azure Backup

Azure Backup is a cloud-based backup solution that is part of the Azure Recovery Services Vault. Azure Backup can be used to back up local data or cloud-based systems. Azure Backup provides consistent backup with security controls and management through the Azure portal.

Azure Backup can take point-in-time backups of files, folders, system state, and SQL databases from the following data sources:

  • Azure VMs
  • Azure SQL Database
  • SAP HANA in Azure
  • VMware VMs
  • Hyper-V VMs

Learn more in the detailed guide to Azure backup

Google Cloud Backup

Google Cloud does not provide an integrated backup solution like AWS and Azure. It supports backup as part of the Google Cloud Storage service. Google Cloud Storage has three storage classes you can use to back up local or cloud-based systems:

  • Standard – intended for frequently accessed data
  • Nearline – intended for data accessed no more than once per month
  • Coldline – intended for data accessed no more than once per year

Each tier offers progressively lower pricing per GB. Typically, regular backups are stored on the nearline tier, and long-term archives on coldline storage.

Learn more in the detailed guide to Google Cloud backup

What Is DLP?

Data Loss Prevention (DLP) refers to the strategies and tools used to prevent data loss across an organization. DLP solutions have an endpoint management component, which defines who can access data on an endpoint, what can be accessed, and specifies how data should be secured in transit. They can also protect data at rest and data in transit.

A DLP solution lets you adapt data protection to the level of importance and sensitivity of different classes of data. DLP solutions cover four main areas:

  • Network based—analyzes and protects data being transmitted through the network.
  • Storage based—protects stored data by assessing the security of sensitive data storage locations (such as file servers and databases).
  • Endpoint based—monitors data transfers originating from an endpoint, such as saving files to remote storage, sharing files through email or social media, printing, etc.
  • Content-aware—monitors, blocks, or applies security policies based on content type, metadata, or certain information found in the content.
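The content-aware component above is the part most readers have never seen in code: pattern-match the payload, validate the matches so ordinary digit runs are not flagged, and let a policy decide whether the transfer proceeds. The following is an added example, not code from the original article or from Cynet, that scans a constructed email body for US social security numbers and payment card numbers (with a Luhn check) and returns masked findings. The patterns, weights and the sample message are all assumptions made for the example; the card number is the well-known 4111... test number, not a real account.

```python
import re

# Constructed rules for two data types. Real DLP rule sets are larger and tuned
# per organisation; these are enough to show the matching + validation pattern.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan_text(text):
    """Return (type, masked_value) findings; masked so the alert itself does not leak."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group(0)[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings

def policy_decision(findings, max_allowed=0):
    """Content-aware policy: block when the payload carries more sensitive
    values than the channel is allowed to carry (default: none)."""
    return "block" if len(findings) > max_allowed else "allow"

# Constructed sample message: one card number, one SSN, one 13-digit ticket
# reference that looks like a card number but fails the Luhn check.
SAMPLE_EMAIL = (
    "Hi, please process the refund for card 4111 1111 1111 1111 today.\n"
    "Employee SSN on file: 123-45-6789. Ticket reference 1234567890123 is unrelated."
)

if __name__ == "__main__":
    found = scan_text(SAMPLE_EMAIL)
    print(found, policy_decision(found))
```

The Luhn step is what keeps a rule like this usable: without it, every long order or ticket number would trip the card pattern and analysts would learn to ignore the alerts.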

Learn more in the detailed guide to DLP

What Is Endpoint Security?

Endpoint security solutions combine two layers of security:

  • A central platform that provides visibility and control over endpoints across the organization
  • An agent deployed on endpoints, which sends data for analysis and can perform actions on the endpoint, such as security scans

Here are the main features provided by endpoint protection platforms (EPP):

  • Endpoint monitoring—detects abnormal behavior, and prioritizes alerts to help analysts identify real security incidents.
  • Advanced threat detection—can identify complex or unknown threats like fileless attacks and zero day malware.
  • Malware sandbox—sends suspected malware to a safe sandbox environment and “detonates” them to analyze their severity.
  • Integration with SIEM and threat intelligence—can combine endpoint alert data with threat feeds or other security event data.
  • Vulnerability shielding—applies virtual patches to endpoints to prevent known vulnerabilities, without requiring an update on the device.
  • Deception technology—setting up “honeypots” that appear as valuable targets for attackers, and can record attacker actions and techniques.
  • Response and remediation—most EPP solutions come with endpoint detection and response (EDR) technology, described in the following section.


Endpoint Detection and Response (EDR)

Endpoint Detection and Response (EDR) was identified by Gartner as a new category of security tools in 2013. EDR solutions detect attacks on endpoint devices, and allow security teams to quickly access information from the endpoint to investigate the attack. Without EDR technology, security personnel have very little visibility into threats or malicious activity on remote endpoints.

In addition to providing access to information, an important feature of EDR is that security personnel can respond to attacks, by isolating endpoints, blocking malicious processes, or initiating automatic responses based on security playbooks.

EDR solutions consist of three main components:

  • Data collection – an agent deployed on the endpoint collects data about process execution, network communication, and user activity.
  • Detection engine – analyzes endpoint activity, detects and reports anomalies.
  • Data analysis engine – integrates endpoint data with threat intelligence and provides real-time analysis of security events.


eXtended Detection and Response (XDR)

XDR is the next generation of endpoint protection solutions. It is a technology that automatically collects information from multiple layers of security, and correlates it to quickly identify threats.

XDR tracks threats from many different sources in your organization, providing a comprehensive detection and response strategy across endpoints, servers, email systems, cloud environments, and application workloads.

XDR solves the problem of attacks that hide between security silos in your organization, and can be missed due to lack of integration between separate security tools. An XDR solution aims to connect separate security datasets, providing a unified attack story across the entire IT environment. This provides an additional benefit – improving productivity of security teams, because attacks can be investigated and remediated using one central platform.


Securing Endpoints and Networks with UBA

User behavior analytics (UBA), which later evolved into User and Entity Behavior Analytics (UEBA), is a security solution that profiles the day-to-day behavior of user accounts or entities like servers, applications or networks.

UBA/UEBA uses anomaly detection, based on machine learning techniques, to compare current behavior with the normal behavior of the specific entity and its peers (for example, other users in the same department). When it detects abnormal activity, it alerts security teams to the suspicious behavior.

An important part of modern UEBA systems is the use of thresholds to determine when to treat anomalies as a security threat. For example, if a user always logs in at 8am, and then one day logs in at 7am, this is rare, but not unusual enough for investigation. UEBA tools measure the degree of anomaly by calculating a risk score. For example, a login event at 4 or 5 am, combined with other anomalous characteristics (location, equipment used, other activities, etc.) may increase the risk to a level sufficient to raise an alert.
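The threshold logic described above can be made concrete with a small scorer. The following is an added example, not code from the original article or from Cynet: it builds a per-user baseline from a constructed login history (typical hour, known countries and devices), scores a new login additively, and alerts only above a threshold. The weights, the cap on the time-of-day term and the threshold value are assumptions chosen so that a 7am login scores nothing, a 4:30am login alone stays below the threshold, and 4:30am combined with a new country crosses it, matching the scenario in the text.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Login:
    user: str
    hour: float       # local hour of the login, e.g. 7.5 for 07:30
    country: str
    device_id: str

def build_profile(history):
    """Baseline for one user: typical login hour and the set of countries and devices seen."""
    hours = [e.hour for e in history]
    return {
        "mean_hour": mean(hours),
        # floor the spread so a very regular schedule does not turn small shifts into huge z-scores
        "sd_hour": max(pstdev(hours), 0.5),
        "countries": {e.country for e in history},
        "devices": {e.device_id for e in history},
    }

ALERT_THRESHOLD = 40.0   # assumption: scores at or above this raise an alert

def risk_score(event, profile):
    """Additive risk score with the reasons that contributed (weights are assumptions)."""
    score, reasons = 0.0, []
    z = abs(event.hour - profile["mean_hour"]) / profile["sd_hour"]
    if z > 2:                              # beyond two standard deviations from the usual hour
        score += min(z, 6) * 5             # capped so time alone cannot exceed 30 points
        reasons.append(f"unusual hour (z={z:.1f})")
    if event.country not in profile["countries"]:
        score += 30
        reasons.append("new country")
    if event.device_id not in profile["devices"]:
        score += 20
        reasons.append("new device")
    return score, reasons

def evaluate(event, history):
    score, reasons = risk_score(event, build_profile(history))
    return {"score": score, "alert": score >= ALERT_THRESHOLD, "reasons": reasons}

# Constructed history: alice logs in around 08:00 from the UK on one laptop.
HISTORY = [Login("alice", h, "GB", "laptop-17")
           for h in (7.5, 8.0, 8.5, 8.0, 7.5, 8.5, 8.0, 8.0)]

if __name__ == "__main__":
    for ev in (Login("alice", 7.0, "GB", "laptop-17"),
               Login("alice", 4.5, "GB", "laptop-17"),
               Login("alice", 4.5, "RO", "laptop-17"),
               Login("alice", 4.5, "RO", "phone-03")):
        print(ev.hour, ev.country, ev.device_id, evaluate(ev, HISTORY))
```

A production UEBA engine also compares the user against peers (the text's "other users in the same department") and decays scores over time; both are straightforward extensions of the same additive structure.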

To learn more see the detailed guide about user behavior analytics (UBA/UEBA)

Ransomware Data Recovery

Backup is a critical defense against ransomware attacks. However, several steps need to be taken to prevent backups themselves from being attacked and encrypted by ransomware software.

To protect your backups from ransomware, follow these guidelines:

  • Keep backups offline – in a ransomware attack, malware can reach anything that an infected system can access. As long as backups are connected to the network, they can be encrypted via an indirect path from infected endpoints to the backup server.
  • Use immutable storage – immutable object storage, also known as write once read many (WORM) storage, stores and locks data in blocks so it cannot be changed. Many disk backup systems monitor changes to blocks on the disk to prevent files from being modified.
  • Use endpoint protection, especially on backup servers – endpoint protection platforms like EDR and XDR can detect ransomware-related processes on a device as soon as they start operating, even if the ransomware type is new and unknown to security researchers. These solutions can stop the ransomware process and isolate the infected device.
  • Increase backup frequency – backup frequency determines your recovery point objective (RPO), the maximum amount of data a ransomware attack can destroy. Important data should be backed up at least once an hour to reduce the damage of a potential attack.
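
A check that ties the immutability and backup-frequency points above together, as an added example that is not part of the original article: a SHA-256 manifest is recorded when the backup is taken, and a later verification pass reports any file that was rewritten afterwards (the effect ransomware has when it reaches a backup share) and whether the backup is recent enough for a one-hour RPO. The manifest is assumed to live on offline or WORM media so it cannot be rewritten together with the data; the sample files are constructed in a temporary directory.

```python
"""Added example (not from the article): verifying a backup set against a
manifest taken at backup time, and checking its age against the RPO.

Assumptions: the manifest (SHA-256 per file plus creation time) is kept on
offline or WORM storage so it cannot be rewritten along with the data; the
sample files here are constructed in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path

RPO_SECONDS = 3600  # one-hour RPO, the frequency the article suggests for important data
MANIFEST_NAME = "manifest.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path, created: float) -> dict:
    """Hash every file under backup_dir; `created` is the backup timestamp (epoch)."""
    files = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            files[p.relative_to(backup_dir).as_posix()] = sha256_file(p)
    return {"created": created, "files": files}


def rpo_met(created: float, now: float, rpo: float = RPO_SECONDS) -> bool:
    """True if the newest backup is recent enough that a loss now stays within the RPO."""
    return now - created <= rpo


def verify_backup(backup_dir: Path, manifest: dict, now: float, rpo: float = RPO_SECONDS) -> dict:
    """Compare the on-disk backup to the trusted manifest.

    Any file whose hash changed after the backup was written (e.g. encrypted by
    ransomware that reached the backup share) is reported as modified.
    """
    modified, missing = [], []
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != expected:
            modified.append(rel)
    extra = sorted(
        q.relative_to(backup_dir).as_posix()
        for q in backup_dir.rglob("*")
        if q.is_file() and q.name != MANIFEST_NAME
        and q.relative_to(backup_dir).as_posix() not in manifest["files"]
    )
    age_ok = rpo_met(manifest["created"], now, rpo)
    return {
        "ok": not modified and not missing and age_ok,
        "modified": modified,
        "missing": missing,
        "extra": extra,
        "age_ok": age_ok,
    }


def demo() -> dict:
    """Build a tiny backup, tamper with one file, and verify. Returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "data").mkdir()
        (root / "data" / "a.txt").write_text("customer list v1\n")   # constructed
        (root / "data" / "b.txt").write_text("ledger 2020-11\n")     # constructed
        taken_at = 1_600_000_000.0
        manifest = build_manifest(root, created=taken_at)
        # simulate ransomware overwriting one backed-up file after the manifest was taken
        (root / "data" / "b.txt").write_bytes(b"\x00encrypted\x00")
        return verify_backup(root, manifest, now=taken_at + 1800)


if __name__ == "__main__":
    print(demo())
```

Run on a schedule, the verification step turns a silently encrypted backup into an alert before a restore is attempted, and the `age_ok` flag shows whether the backup cadence actually delivers the RPO the policy promises.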

Learn more in the in-depth guide to ransomware data recovery

The Compliance Aspect of Data Breaches: Data Privacy Regulations

Data breaches are not only damaging for an organization, but may place it in violation of regulations or industry standards. This may result in fines and other negative consequences. Below is a brief review of regulations that affect an organization’s data breach strategy.

Learn more about regulations around the world in the in-depth guide to data privacy regulations

U.S. Federal Privacy Regulations

The United States does not have a comprehensive federal data protection regulation. For example, the Federal Trade Commission Act (FTCA) does not specify what to include in a website’s privacy policy, but warns against “deceptive practices” and, in general, requires sufficient security for private data.

Other federal laws that apply to the collection of information online include:

  • Children’s Online Privacy Protection Act – applies to information about minors
  • Gramm Leach Bliley Act (GLBA) – regulates personal data collected by banks and financial institutions
  • Health Insurance Portability And Accountability Act (HIPAA) – applies to the collection of protected health information (PHI)

To learn more about protecting health data to comply with HIPAA, see the in-depth guide to health data management

HIPAA Breach Notifications

The HIPAA Breach Notification Rule requires companies to disclose security breaches. It applies both to Covered Entities (healthcare organizations, medical providers and practitioners), and Business Associates (who provide services to Covered Entities).

The HIPAA Breach Notification Rule may require organizations to notify individuals whose data was affected by the breach, the U.S. Department of Health and Human Services Office for Civil Rights (HHS/OCR), and/or the media. Violation of the rule can result in fines of up to $1.5 million per year, calculated per violation, or per PHI record exposed in the breach.

Learn more in our in-depth guide to HIPAA breach notifications

California Consumer Privacy Act (CCPA)

A significant regulation at the state level is the CCPA, the most comprehensive data protection law in the United States, which came into force in January 2020. CCPA places certain obligations on companies that collect or store information about California citizens. These include notifying the data subject when and how their data was collected, and giving them the ability to access and delete that information.

CCPA Data Breach Provisions

The CCPA gives California citizens the right to request statutory damage if their information was exposed in a data breach. This applies only to data breaches that meet three criteria:

  1. The data affected by the breach is “personal information” as defined by the California Data Breach Notification Law
  2. The data exposed was not encrypted or redacted
  3. The breach was a result of the failure of the organization to maintain reasonable security controls

Learn more in the in-depth guide to the California Consumer Privacy Act

European Regulations: GDPR

The EU General Data Protection Regulation (GDPR) regulates the collection, use, transmission, and security of data collected from residents of 27 European Union countries. It applies to any business that works with European citizens, regardless of where the company is based. Organizations that violate the GDPR can be fined up to 20 million Euro or 4% of global revenue.

GDPR Data Breach Notifications

What is the official GDPR definition for data breaches?

The GDPR requires organizations to notify relevant parties if they are breached. According to the Quick Guide to Breach Notifications, a breach that requires notification is an incident that:

  • Leads to accidental or malicious destruction, loss, modification, unauthorized disclosure, or encryption of personal data. “Personal data” means any information about an individual who is identified or may be identified based on the data.
  • Affects the confidentiality, integrity, or availability of the personal data.

72-hour deadline and possible fines

According to Article 33 of the GDPR, organizations need to report security breaches as defined above within 72 hours of detection of the breach. Breaches are reported to a Data Protection Authority (DPA), and in some cases, also need to be reported to individuals who were affected or to the press.

Failure to notify about a breach can result in a fine of up to 10 million Euro or 2% of global revenue. However, European authorities emphasize that fines are a last resort and will only be imposed on those who repeatedly and seriously violate the regulation.

Learn more in our in-depth guide to GDPR data breaches

Autonomous Data Breach Protection with Cynet

Cynet 360 is an autonomous breach protection platform that works in three levels, providing XDR, Response Automation, and 24/7 MDR in one unified solution. Cynet natively integrates these three services into an end to end, fully-automated breach protection platform.

Breach protection with Cynet incident response services:

CyOps, Cynet’s Cyber SWAT team, is on call 24/7/365, allowing enterprises of all sizes to get access to the same expert security staff that protect the largest enterprises. Here’s what you can expect from the CyOps incident response team:

  • Alert monitoring—continuous management of incoming alerts: classify, prioritize and contact the customer upon validation of an active threat.
  • 24/7 availability—ongoing operations at all times, both proactively and on-demand per the customer’s specific needs.
  • On-demand file analysis—customers can send suspicious files to analysis directly from the Cynet 360 console and get an immediate verdict.
  • One click away—CISOs can engage CyOps with a single click on the Cynet Dashboard App upon suspicion of an active breach.
  • Remediation instructions—conclusion of investigated attacks entails concrete guidance to the customers on which endpoints, files, users and network traffic should be remediated.
  • Exclusions, whitelisting, and tuning—adjusting Cynet 360 alerting mechanisms to the customers’ IT environment to reduce false positives and increase accuracy.
  • Threat hunting—proactive search for hidden threats leveraging Cynet 360 investigation tools and over 30 threat intelligence feeds.
  • Attack investigation—deep-dive into validated attack bits and bytes to gain the full understanding of scope and impact, providing the customer with updated IoCs.

Learn how the Cynet Autonomous Breach Protection platform and the CyOps 24/7 incident response team can help you.

Cynet 360 provides cutting edge EDR capabilities:

  • Advanced endpoint threat detection—full visibility into endpoint activity and prediction of how an attacker might operate, based on continuous monitoring of endpoints and behavioral analysis.
  • Investigation and validation—search and review historic or current incident data on endpoints, investigate threats, and validate alerts. This allows you to confirm the threat before responding to it, reducing dwell-time and performing faster remediation.
  • Rapid deployment and response—deploy across thousands of endpoints within two hours. You can then use it to perform automatic or manual remediation of threats on the endpoints, disrupt malicious activity and minimize damage caused by attacks.

Learn more about our EDR security capabilities.

Cynet 360 provides the following XDR capabilities:

  • Endpoint protection—multilayered protection against malware, ransomware, exploits and fileless attacks.
  • Network protection—protecting against scanning attacks, MITM, lateral movement and data exfiltration.
  • User protection—preset behavior rules coupled with dynamic behavior profiling to detect malicious anomalies.
  • Deception—wide array of network, user, file decoys to lure advanced attackers into revealing their hidden presence.

Cynet 360 can be deployed across thousands of endpoints in less than two hours. It can be immediately used to uncover advanced threats and then perform automatic or manual remediation, disrupt malicious activity and minimize damage caused by attacks.

Get a free trial of Cynet 360 and experience the world’s only integrated XDR, SOAR and MDR solution.

See Additional Guides on Key Data Security Topics

Cynet, together with several partner websites, has authored a large repository of content that can help you learn about many aspects of data breaches and data security. Check out the articles below for objective, concise reviews of key data security topics.

Canva Data Breach

In 2019, an Australian graphic design service named Canva was attacked, leaking the salted and hashed passwords, email addresses, usernames and locations of 137 million users of the service, of which 61 million had created a password on Canva rather than using social sign-in. The company claimed hackers were not able to steal credit card data, but did view some files with partial payment data.

eBay Data Breach

In 2014, an attack on eBay revealed a complete list of accounts, including names, dates of birth, addresses, and encrypted passwords of 145 million users. According to the company’s statement, the breach was achieved by attackers who obtained the credentials of three office workers, gained access to the network and were only discovered after 229 days.

Equifax Data Breach

In 2017, Equifax, a large U.S. credit reporting agency, stated that a vulnerable open source component on its website caused a data breach, putting approximately 148 million consumers at risk. The breach occurred in May 2017, but was discovered only in late July. Attackers stole social security numbers, personal addresses, and some driver’s license numbers of 148 million US citizens, and credit card information of 200,000 citizens.

Yahoo Data Breach

In 2013, a successful attack on Yahoo became the largest data breach in history. 3 billion user accounts were affected, but it took Yahoo as long as three years to discover the attack. It publicized the breach in late 2016, and asked all affected users to reset their passwords and security questions. The breach resulted in an immediate drop of 3% in Yahoo’s stock price, representing a loss of $350 million for investors.

Facebook Data Breach

In 2018, Facebook announced that it had stored millions of Instagram passwords in plain text format, exposed to the Internet. In 2019, another data breach discovered by TechCrunch exposed 400 million phone numbers linked to Facebook accounts. In addition to the phone numbers, attackers obtained the name, location and gender of the users.

Marriott Data Breach

In 2018, Marriott International announced that hackers stole the data of approximately 500 million customers of its Starwood hotel brand. The breach happened in 2014, when Marriott acquired Starwood, but was only discovered in 2018.

Attackers stole data including names, contact details, travel information and passport numbers. The company said that credit card numbers or other financial information was exposed for 100 million customers, but that attackers may have been unable to make use of the data, which was strongly encrypted.

Twitter Data Breach

In 2018, Twitter employees mistakenly stored a list of passwords in an internal log, making all 330 million passwords of Twitter users available on Twitter’s local network. The company claimed that no breach occurred and the issue was fixed, however the file was exposed internally for several months. Twitter requested all 330 million users to change their passwords, as a precautionary measure.

MySpace Data Breach

In 2013, a Russian hacker gained access to data for 360 million MySpace accounts. The breach was only discovered in 2016. The leaked information included names, usernames, passwords and dates of birth. Between 2013 and 2016, attackers in control of this data were able to access hundreds of millions of MySpace accounts and view private data. After the breach was discovered, MySpace revoked passwords for any accounts created before 2013.

Data Breach Statistics

Here are a few important statistics about the global state of data breaches. All the statistics refer to organizations in the USA in the year 2019.

  • Average number of records breached: 25,575
  • Average time to detect a breach: 279 days
  • Average time to eradicate a breach: 73 days
  • Average number of records lost per day: 780,000
  • Total breaches per annum: 1,473
  • Share of breaches with accidental causes: 49%

7 Causes of Data Breaches

According to a model developed by the Identity Theft Resource Center (ITRC), there are seven main sources of data breaches.

  1. Accidental Internet exposure – confidential data is inadvertently stored in a location publicly accessible via the Internet. For example, improper use of unsecured Amazon S3 buckets to store sensitive data.
  2. Unsecure data transfer – it is challenging to protect data in transit. Companies do not have control over all the ways employees retrieve and share data, and in some cases, this may be done using unsecure protocols.
  3. Error, negligence or accidental deletion – missing or improper implementation of data security policies may lead to accidental data loss or unintentional exposure.
  4. Hacking/intrusion – data breaches caused by hackers or other malicious third parties. This includes common cyber threats like phishing, malware, data exfiltration, and ransomware.
  5. Internal threats – employees or other authorized parties who abuse their permissions to steal or destroy data, or insider user accounts compromised without their knowledge and used by malicious actors.
  6. Physical theft – mobile devices, laptops, and removable storage devices may store sensitive or valuable data. When these devices are brought to public places, they can be easily lost or stolen.
  7. Unauthorized access – poorly designed or improperly implemented access control may allow malicious actors access to corporate data.

The 2020 Data Breach Investigations Report (DBIR) from Verizon sheds light on how frequent each type of breach is and how commonly different threat actors are involved.

Anatomy of a Data Breach: The Cyber Kill Chain

The Cyber Kill Chain (CKC) is a cyber security model developed by Lockheed Martin’s Computer Security Incident Response Team (CSIRT). The purpose of this model is to better understand the steps taken by an attacker during a data breach, allowing the security team to stop the attack at each stage.

  1. Reconnaissance – attackers gather information about the infrastructure of the target organization. Example attacks: port scanning, social media monitoring, shadowing.
  2. Intrusion – attackers make attempts to penetrate the security perimeter. Example attacks: VPN attack, spear phishing, supply chain compromise.
  3. Exploitation – attackers seek vulnerabilities or security gaps they can exploit while inside the network. Example attacks: PowerShell attack, scripting attack, Dynamic Data Exchange.
  4. Privilege Escalation – attackers attempt to gain additional privileges to extend their reach to more systems or user accounts. Example attacks: access token manipulation, path interception, sudo attack.
  5. Lateral Movement – attackers “move laterally” by taking over more accounts and connecting to more systems, on their way to the most valuable assets. Example attacks: SSH hijacking, internal spear phishing, Windows remote management.
  6. Obfuscation – attackers cover their tracks by tampering with security systems, deleting or modifying logs, changing timestamps, etc. Example attacks: binary padding, code signing, file deletion, hidden users.
  7. Denial of Service – attackers disrupt an organization’s critical systems, with the goal of getting the attention of security and operations teams and creating a distraction. Example attacks: endpoint DoS, network DoS, service stop, system shutdown.
  8. Exfiltration – the attacker finally obtains the organization’s most sensitive data. Attackers find a discreet way, such as DNS tunnelling, to copy the data outside the organization without being detected. Example attacks: data compressed, data encrypted, exfiltration over alternative protocol, scheduled transfer.
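
Two detections that correspond to the first and last stages above (port scanning in reconnaissance, DNS tunnelling in exfiltration), run over constructed log lines, as an added example that is not part of the original article. The log formats, the IP addresses, the `attacker-example.test` domain and the thresholds are all assumptions made for the example.

```python
"""Added example (not from the article): two detections that map to kill chain
stages, run over constructed log lines.

Stage 1, reconnaissance: one source touching many distinct ports on one host
within a short window is treated as a port scan.
Stage 8, exfiltration: many unique, long, high-entropy subdomains of one
domain from one client is treated as likely DNS tunnelling.
Thresholds and log formats are assumptions, not from the article.
"""
import hashlib
import math
from collections import Counter, defaultdict

# Constructed firewall log: "<epoch> <src> <dst> <dport> <action>"
FIREWALL_LOG = [f"{1605000000 + i} 10.0.0.5 10.0.1.20 {20 + i} DENY" for i in range(25)] + [
    "1605000100 10.0.0.9 10.0.1.20 443 ALLOW",
    "1605000130 10.0.0.9 10.0.1.20 443 ALLOW",
    "1605000200 10.0.0.9 10.0.1.21 53 ALLOW",
]

# Constructed DNS query log: "<epoch> <client> <qname>"; the first 30 lines carry
# a hex payload in the leftmost label, the way tunnelling tools encode data
DNS_LOG = [
    f"{1605000000 + i} 10.0.0.7 {hashlib.sha256(str(i).encode()).hexdigest()[:32]}.t.attacker-example.test"
    for i in range(30)
] + [
    "1605000010 10.0.0.9 www.example.com",
    "1605000011 10.0.0.9 mail.example.com",
    "1605000012 10.0.0.9 www.example.com",
]


def detect_port_scans(lines, window=60, min_ports=20):
    """Return (src, dst, distinct_ports) for pairs exceeding min_ports inside `window` seconds."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, _action = line.split()
        by_pair[(src, dst)].append((int(ts), int(dport)))
    hits = []
    for (src, dst), events in by_pair.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            best = max(best, len(ports))
        if best >= min_ports:
            hits.append((src, dst, best))
    return hits


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def detect_dns_tunnelling(lines, min_unique=20, min_label_len=20, min_entropy=2.5):
    """Return (client, base_domain, unique_labels) where many distinct long,
    high-entropy leftmost labels were queried under one base domain."""
    seen = defaultdict(set)
    for line in lines:
        _ts, client, qname = line.split()
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue
        base = ".".join(labels[-2:])  # naive registrable-domain guess (assumption)
        first = labels[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            seen[(client, base)].add(first)
    return [(c, b, len(s)) for (c, b), s in seen.items() if len(s) >= min_unique]


if __name__ == "__main__":
    print("port scans:", detect_port_scans(FIREWALL_LOG))
    print("dns tunnelling:", detect_dns_tunnelling(DNS_LOG))
```

Both heuristics are deliberately simple: a real deployment would use a public-suffix list instead of the two-label base domain guess, and would tune the window and entropy thresholds against its own baseline traffic to keep false positives down.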

Learn more in the detailed guide to the cyber kill chain

Types of Cyber Security Threats

To better understand how data breaches occur, it is important to be familiar with the common cybersecurity threats facing organizations today.

The following sections describe common cyber threats that result in data breaches.

Learn about these threats in more detail in the detailed guide to cyber security threats

Social Engineering Attacks

The working principle of social engineering attacks is to psychologically manipulate users, causing them to disclose confidential information or to take actions beneficial to the attackers, such as clicking on unsafe links or installing malware.

Common types of social engineering attacks include:

  • Phishing – attackers send malicious emails or messages that appear to come from legitimate sources. In these messages, the attackers ask the user to provide sensitive information, download an attachment infected with malware, or click a link to a malicious website.
  • Spear phishing – a type of phishing where the attacker targets people with special privileges or influential roles, such as finance staff or senior executives.
  • Homograph attacks – attackers create a fake website URL that looks very similar to the legitimate website address. Users are tricked into visiting the fake website, and provide their credentials or other sensitive information.
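
The defender's side of the homograph attack above, as an added example that is not part of the original article: a domain name seen in a link or certificate is reduced to the ASCII "skeleton" a human would perceive, and a match against a protected brand domain that is not an exact match is flagged as a lookalike. `PROTECTED` holds placeholder domains, and `CONFUSABLES` is a small hand-picked subset of the Unicode confusables data, both assumptions of the example; punycode (`xn--`) labels are decoded first so internationalized lookalikes are compared on their real characters.

```python
"""Added example (not from the article): flagging domains that impersonate a
protected brand domain by using look-alike characters.

Assumptions: PROTECTED holds placeholder brand domains; CONFUSABLES is a small
hand-picked subset of the Unicode confusables data. Punycode labels (xn--) are
decoded first so IDN homographs are compared on their real characters.
"""
import unicodedata

PROTECTED = {"example.com", "examplebank.com"}  # placeholder brand domains

# Look-alike -> ASCII character it imitates (subset; real deployments use the full table)
CONFUSABLES = {
    "0": "o", "1": "l", "|": "l",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
    "\u0443": "y",  # Cyrillic u
    "\u0445": "x",  # Cyrillic ha
    "\u0455": "s",  # Cyrillic dze
    "\u0456": "i",  # Cyrillic byelorussian-ukrainian i
    "\u0458": "j",  # Cyrillic je
    "\u04cf": "l",  # Cyrillic palochka
    "\u03bf": "o",  # Greek omicron
    "\u0131": "i",  # dotless i
}


def decode_label(label: str) -> str:
    """Turn an A-label (xn--...) back into its Unicode form; leave others alone."""
    if label.lower().startswith("xn--"):
        return label[4:].lower().encode("ascii").decode("punycode")
    return label


def skeleton(domain: str) -> str:
    """Reduce a domain to the ASCII string a human would perceive it as."""
    out = []
    for label in domain.strip().rstrip(".").split("."):
        text = unicodedata.normalize("NFKC", decode_label(label)).casefold()
        # drop combining marks (accents) so "é" becomes "e", then map confusables
        text = "".join(ch for ch in unicodedata.normalize("NFD", text)
                       if not unicodedata.combining(ch))
        out.append("".join(CONFUSABLES.get(ch, ch) for ch in text))
    return ".".join(out)


def classify(domain: str) -> str:
    """'legitimate' if exactly a protected domain, 'lookalike' if it only
    resembles one after skeletonisation, otherwise 'unrelated'."""
    d = domain.strip().rstrip(".").casefold()
    if d in PROTECTED:
        return "legitimate"
    if skeleton(d) in PROTECTED:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for name in ("example.com", "\u0435xample.com", "examp1e.com", "other.org"):
        print(repr(name), "->", classify(name))
```

The same skeleton comparison works for sender domains in mail headers or for certificate subject names; the point is that the check runs on the perceived string, not on the raw code points an attacker chose.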

Advanced Persistent Threats (APT)

An APT is a long-term attack campaign carried out by an individual or group, aimed at gaining unauthorized access to the network of a specific organization. Attackers may remain in the network for a long time; during this period, they use advanced techniques to evade detection, and in the meantime, exfiltrate sensitive data.

APTs require a high level of expertise, coordination, organization and effort from attackers. Therefore, APTs are typically launched against valuable targets such as governments, institutions, or large organizations.

Learn more in our detailed guide to APT attacks

Network Attacks

A network attack is aimed at gaining unauthorized access to a company’s network, to steal data or perform other malicious activities. There are two main types of network attacks:

  • Passive attacks – attackers monitor or steal confidential information by accessing the network, without destroying or changing data.
  • Active attacks – attackers not only gain unauthorized access, but also cause damage by deleting, encrypting or destroying data.

Network attacks are an umbrella term for many types of cyber attacks:

  • Unauthorized access – an attacker gains unauthorized access to the network.
  • Distributed Denial of Service (DDoS) attacks – attackers create botnets by compromising a large number of vulnerable devices, and use them to send massive fake traffic to networks or servers.
  • Man in the middle (MiTM) attacks – attackers steal data or credentials by intercepting traffic on a corporate network, or inbound/outbound Internet traffic.
  • Code and SQL injection attacks – attackers fill out forms or make API calls, but instead of valid input, submit malicious code which is then executed on the server.
  • Privilege escalation – an attacker who has already penetrated the network elevates privileges, either to access adjacent systems or to gain higher privileges on the same systems.
  • Insider threats – malicious insiders who already have privileged access to organizational systems abuse it to attack the organization (see the following section).
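
The SQL injection item above, shown from the defensive side as an added example that is not part of the original article: the same user lookup written once with string concatenation, where input becomes part of the SQL text, and once with a bound parameter, where the input is compared as data. The in-memory SQLite database and its two rows are constructed for the example.

```python
"""Added example (not from the article): the same lookup written with string
concatenation (injectable) and with a parameterised query (safe), using an
in-memory SQLite database with constructed rows.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],  # constructed rows
    )
    return conn


def find_user_unsafe(conn, name: str):
    """Vulnerable: user input becomes part of the SQL text, so a quote in the
    input changes the structure of the statement instead of being a value."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name: str):
    """Hardened: the value travels separately from the SQL text as a bound
    parameter, so whatever it contains is compared as data, never parsed."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tainted = "' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, tainted))      # every row comes back
    print("safe:  ", find_user_safe(db, tainted))        # no such user
    print("safe, legitimate apostrophe:", find_user_safe(db, "o'brien"))
```

Parameterised statements also fix the ordinary bug that a legitimate name containing an apostrophe breaks the concatenated query, which is a useful argument when convincing a team to migrate existing code.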

Learn more about all these threats in our detailed guide to network attacks

Ransomware

Ransomware has become a major threat for organizations of all types, from small business to large enterprises, institutions and governments. Ransomware is malware that infects a machine, encrypts its data, and displays a notice asking the victim to pay a ransom to unlock their data. In many cases, payment is ineffective, and the ransomware destroys the data in any case.

Once a ransomware attack has occurred, it is very difficult to recover, and so the primary way to protect an organization is prevention. A ransomware prevention program includes four steps:

  1. Protecting the network using access control, application whitelisting and behavioral analytics
  2. Protecting endpoints using endpoint protection, EDR and XDR solutions
  3. Backing up data and ensuring backups are stored safely so they don’t themselves become infected (see the Ransomware Data Recovery section).
  4. Educating employees to make sure they follow best practices regarding social engineering and ransomware

Insider Threats

An insider threat is a malicious act directed at an organization, executed by the staff of the organization or other people the organization has willfully granted access to its systems. The threat actor (usually an employee or contractor) is a person who has existing access to the company’s network, databases, applications, or other IT systems.

Types of insider threats:

  • Careless insider—a person who accidentally, unintentionally, or negligently causes security breaches, exposing systems or networks to external threats. This is the most common insider threat.
  • Malicious insider—a person who abuses access rights and credentials to perform malicious actions. This abuse usually takes the form of information theft in order to gain personal and economic benefits.
  • Compromised insider—a threat actor who compromises an existing user account and pretends to be a user with access rights to IT systems.

Learn more in the detailed guide to insider threats

Cloud Native Security Threats

Cloud native is a new paradigm that simplifies the development, testing, deployment and operations of cloud-based applications. A cloud native application is built from scratch for the cloud, rather than being migrated from a traditional data center to the cloud. “Cloud” in this context can mean a public cloud such as Amazon Web Services, a private cloud, or a hybrid or multi-cloud environment.

Cloud native applications are more difficult to secure than traditional applications, because of their dynamic nature and the large number of entities that comprise them.

Cloud native security threats include:

  • Lack of visibility – traditional security tools cannot visualize a containerized or serverless environment, allowing attackers to operate undetected.
  • Large number of entities – instead of one monolithic server, an application may now be composed of dozens of microservices and thousands of containers or serverless functions, each of which is vulnerable to compromise.
  • Vulnerabilities in base images – many cloud native apps are based on Docker containers, which are generated from images. If these images suffer from a vulnerability, all containers created from the image will be vulnerable.
  • Serverless permissions – attackers can take advantage of glitches or configuration errors in a serverless platform’s permissions settings, to compromise serverless functions.
  • Open source components – cloud native applications are mainly based on open source components with complex dependencies. Any open source package or its dependencies might contain critical security vulnerabilities, or licensing issues that can create legal exposure.

Building Your Data Breach Response Plan

A data breach response plan (DBRP) outlines the steps a company should take to discover and address a data breach. It helps everyone in the organization understand their role in the event of a breach, and provides practical steps employees can take to mitigate the threat and minimize the damage caused to the organization.

These include security measures, as well as instructions and procedures employees must follow. The main steps in a data breach response plan are:

  • Identify a data breach incident—put in place security monitoring and alerting systems, and actively perform threat hunting, to detect data breaches as early as possible. Early detection can dramatically reduce damages.
  • Identify what was compromised—discover compromised IT systems, networks, or data. Identify exactly which assets were affected by the breach.
  • Recover affected systems—quarantine the infected systems, eradicate the threat and restore full functionality. Prioritize business critical systems. It is common to rebuild or re-image affected systems, isolating them from breached assets to prevent re-infection.
  • Evaluate the damage—assess the damage caused to systems and sensitive information exposed to attackers, and decide whether to notify affected users, customers, shareholders, compliance authorities, or others.
  • Find the root cause—after recovering from the attack, investigate what attackers did to penetrate your systems and how damages were caused.
  • Find the attacker and their motive—many breaches are caused by accidents or random attacks. But if an attack was carried out by an advanced persistent threat (APT) or a malicious insider, you must identify the threat actor to prevent additional attacks. In some cases, it may be necessary to collect forensic information and involve the authorities.
  • Determine business impact of the data breach—understand how the data breach will impact the business, both in terms of direct losses to productivity, fines or lawsuits, and in terms of indirect losses like damage to reputation.

What Is Data Protection?

Data protection, also known as data security, is the process of protecting the confidentiality, integrity, and availability of sensitive information owned by your organization.

Almost all organizations work with sensitive data, either belonging to the organization itself or to its customers. This raises the need for a data protection strategy that can prevent theft, damage, and loss to that data, and reduce damage in case of a data breach or disaster.

After critical business data is breached or accidentally lost, recovering it is urgent, and any delay can impact business continuity. A data protection strategy must take into account the ability to recover the data in a timely manner.

In addition, many industries have legal requirements or voluntary compliance standards governing how organizations store personal information, medical information, financial information, or other sensitive data. A data protection strategy must address the specific compliance requirements your organization is subject to. Learn more in the section The Compliance Aspect of Data Breaches: Data Privacy Regulations.

Learn more in the detailed guide to data protection

Data Protection Technologies and Practices

There are many data management and storage solutions available to protect your data, as well as data security measures that limit access to data, monitor network activity, and respond to suspected or confirmed breaches.

The following are commonly used data protection technologies and practices:

  • Data backup—maintaining copies of organizational data on a regular basis. In most cases, all data is backed up and stored in a location that enables fast access and recovery.
  • Data Loss Prevention (DLP)—a technical solution that uses a variety of tools to identify and prevent data corruption, loss, or exfiltration, whether malicious or accidental.
  • Firewalls—monitor network traffic to detect and block malicious traffic.
  • Endpoint protection—software that monitors endpoint activity and helps security teams respond to breaches occurring on endpoints like servers, laptops or mobile devices.
  • Ransomware data recovery—solutions that enable secure backups that cannot be infected by ransomware, and can be used to recover from successful attacks.
  • Authentication and authorization—can be part of a larger Identity and Access Management (IAM) solution, and will typically include role-based access control (RBAC).
  • Encryption—uses cryptographic keys to make the data unusable to an attacker who does not possess the decryption key. Data security solutions often use encryption as part of their data protection strategy.
  • Data disposal or obfuscation—strategies to remove sensitive data entirely, or obfuscate it by replacing it with other values or tokens, to reduce the risk of a data breach. This is a requirement of data privacy regulations like the GDPR.
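
The DLP and data obfuscation items above, combined in one added example that is not part of the original article: a minimal scanner finds two PII patterns (US social security numbers and payment card numbers, the latter Luhn-checked to cut false positives on random digit runs), and a keyed pseudonymisation step replaces each hit with a stable token so downstream systems can still join records without holding the raw value. The HMAC key is a placeholder that would come from a secrets store, and the sample text is constructed.

```python
"""Added example (not from the article): a minimal DLP scan for two PII
patterns (US SSN and payment card numbers, the latter Luhn-checked) and a
keyed pseudonymisation step that replaces each hit with a stable token.

Assumptions: the HMAC key is a placeholder that would live in a secrets store;
sample text is constructed.
"""
import hashlib
import hmac
import re

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-16 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

PLACEHOLDER_KEY = b"replace-with-key-from-secrets-store"  # placeholder, not a real secret


def luhn_ok(number: str) -> bool:
    """Luhn checksum, used to cut false positives on random digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str):
    """Return a list of (kind, value) for every PII hit in text."""
    hits = [("SSN", m.group()) for m in SSN_RE.finditer(text)]
    hits += [("CARD", m.group()) for m in CARD_RE.finditer(text) if luhn_ok(m.group())]
    return hits


def token(kind: str, value: str, key: bytes) -> str:
    """Stable, keyed, irreversible token: same input + key -> same token."""
    canonical = "".join(c for c in value if c.isdigit())
    digest = hmac.new(key, f"{kind}:{canonical}".encode(), hashlib.sha256).hexdigest()
    return f"<{kind}:{digest[:12]}>"


def pseudonymize(text: str, key: bytes = PLACEHOLDER_KEY) -> str:
    """Replace each PII hit with its token; Luhn failures are left untouched."""
    text = SSN_RE.sub(lambda m: token("SSN", m.group(), key), text)
    return CARD_RE.sub(
        lambda m: token("CARD", m.group(), key) if luhn_ok(m.group()) else m.group(), text
    )


# Constructed sample: one SSN, one valid test card number, one 16-digit order reference
SAMPLE = ("Customer SSN 123-45-6789 paid with card 4111 1111 1111 1111; "
          "order ref 1234 5678 9012 3456.")

if __name__ == "__main__":
    print(find_pii(SAMPLE))
    print(pseudonymize(SAMPLE))
```

Because the token is an HMAC rather than a plain hash, an attacker who obtains the tokenised dataset cannot rebuild the mapping by hashing candidate numbers; rotating the key invalidates every token at once, which is the disposal property regulations like the GDPR ask for.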

What Is Data Backup?

A backup copies data from primary storage to secondary storage, to provide protection in the event of a disaster or malicious activity. Data is crucial for modern businesses, and data loss can cause major damage. Therefore, backup is an essential process for businesses of all sizes.

Learn more in the detailed guide to data backup

What are RPO and RTO?

RPO and RTO are key concepts in backup management, disaster recovery and business continuity.

Recovery Point Objective (RPO) is the amount of data a company can lose in the event of a disaster, and is determined by the frequency of backups. If the system is backed up once a day, the RPO is 24 hours. The lower the RPO, the more network, computer, and storage resources are needed for frequent backups.

Recovery Time Objective (RTO) is the time needed to restore data or systems from a backup and resume normal operation. If you store or back up large amounts of data in remote locations, copying the data and restoring the system can take a long time. There are technical solutions, such as high performance connectivity to backup locations and fast synchronization, which can shorten RTO.

What is Cloud Backup?

Cloud backup (also known as online backup) lets you send a copy of your data to a cloud server, over a public or secure private network. Cloud backup services are typically offered by third-party providers. Cloud backups are an excellent way to enable offsite backups that can minimize data loss. You can access your data from multiple access points and share your data among multiple cloud users.

Organizations are typically charged for cloud backup on a pay-per-use basis, according to the number of users, the amount of data stored, the duration of storage, the amount of data transferred to and from cloud storage, and the frequency at which data can be accessed (hot, warm or cold data tiers).

In the following sections we describe enterprise cloud backup solutions provided by the big three cloud providers: AWS, Azure, and Google Cloud.

Learn more in the detailed guide to backup cloud storage

AWS Backup

Amazon Web Services (AWS) offers AWS Backup, a managed service you can use to back up both local data, and data stored in the Amazon cloud, to storage services including:

  • Amazon Elastic File System (EFS)
  • Amazon DynamoDB
  • Amazon Relational Database Service (RDS)
  • Amazon Elastic Block Storage (EBS)

AWS Backup is a central management interface that integrates these technologies, making it easy to organize and schedule backups in one place. Amazon also provides the AWS Storage Gateway, which lets you integrate local storage and backup solutions with Amazon services.

Learn more in the detailed guide to AWS backup

Azure Backup

Azure Backup is a cloud-based backup solution that is part of the Azure Recovery Services Vault. Azure Backup can be used to back up local data or cloud-based systems. It provides consistent backup with security controls and management through the Azure portal.

Azure Backup can take point-in-time backups of files, folders, system state, and SQL databases from the following data sources:

  • Azure VMs
  • Azure SQL Database
  • SAP HANA in Azure
  • VMware VMs
  • Hyper-V VMs

Learn more in the detailed guide to Azure backup

Google Cloud Backup

Google Cloud does not provide an integrated backup solution like AWS and Azure. It supports backup as part of the Google Cloud Storage service. Google Cloud Storage has three storage classes you can use to back up local or cloud-based systems:

  • Standard – intended for frequently accessed data
  • Nearline – intended for data accessed no more than once per month
  • Coldline – intended for data accessed no more than once per year

Each tier offers progressively lower pricing per GB. Typically, regular backups are stored on the nearline tier, and long-term archives on coldline storage.

Learn more in the detailed guide to Google Cloud backup

What Is DLP?

Data Loss Prevention (DLP) refers to the strategies and tools used to prevent data loss or leakage across an organization. DLP solutions have an endpoint management component, which defines who can access data on an endpoint and what can be accessed, and specifies how data should be secured in transit. They can also protect data at rest and data in transit.

A DLP solution lets you adapt data protection to the level of importance and sensitivity of different classes of data. DLP solutions cover four main areas:

  • Network based—analyzes and protects data being transmitted through the network.
  • Storage based—protects stored data by assessing the security of sensitive data storage locations (such as file servers and databases).
  • Endpoint based—monitors data transfers originating from an endpoint, such as saving files to remote storage, sharing files through email or social media, printing, etc.
  • Content-aware—monitors, blocks, or applies security policies based on content type, metadata, or certain information found in the content.
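The content-aware and endpoint-based areas above come together in a policy engine that inspects outbound text and decides whether to allow, tokenize, or block it. The following is an added illustration, not code from the article or from any DLP product; the policy table, regex patterns, and sample messages are constructed for the example, and the Luhn check is what keeps an order id that merely looks like a card number from triggering a block.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumed policy for this example: card numbers block the transfer outright,
# social security numbers are tokenized before the message may leave.
POLICY = {"credit_card": "block", "ssn": "tokenize"}

# 13 to 16 digits, optionally separated by spaces or dashes, and a US SSN shape.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum: separates real card numbers from ids that only look like one."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str    # content class, e.g. "credit_card"
    value: str   # matched text as it appears in the message
    action: str  # policy action for that class


def tokenize(value: str) -> str:
    """Replace a sensitive value with a non-reversible token (a truncated SHA-256
    here; a production system would hand the value to a token vault instead)."""
    return "TOK-" + hashlib.sha256(value.encode()).hexdigest()[:12]


def scan(text: str) -> List[Finding]:
    """Content-aware inspection: find regulated values and attach the policy action."""
    findings = []
    for m in CARD_RE.finditer(text):
        candidate = m.group().strip()
        if luhn_ok(candidate):
            findings.append(Finding("credit_card", candidate, POLICY["credit_card"]))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", m.group(), POLICY["ssn"]))
    return findings


def enforce(text: str) -> Tuple[str, str]:
    """Return (verdict, outbound_text): 'block' with an empty body if any finding
    blocks the transfer, otherwise the message with tokenized values, or 'allow'."""
    findings = scan(text)
    if any(f.action == "block" for f in findings):
        return "block", ""
    outbound = text
    for f in findings:
        outbound = outbound.replace(f.value, tokenize(f.value))
    return ("tokenize" if findings else "allow"), outbound


# Constructed sample messages, as an endpoint agent might see them leaving via email.
MSG_WITH_CARD = ("Please bill card 4111 1111 1111 1111 for the order. "
                 "Patient SSN is 123-45-6789, phone 555-0100.")
MSG_ORDER_ID = "Patient SSN is 123-45-6789; order id 1234 5678 9012 3456."
MSG_CLEAN = "Meeting moved to 3pm, room 1204."

if __name__ == "__main__":
    for msg in (MSG_WITH_CARD, MSG_ORDER_ID, MSG_CLEAN):
        print(enforce(msg))
```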

Learn more in the detailed guide to DLP

What Is Endpoint Security?

Endpoint security solutions combine two layers of security:

  • A central platform that provides visibility and control over endpoints across the organization
  • An agent deployed on endpoints, which sends data for analysis and can perform actions on the endpoint, such as security scans

Here are the main features provided by endpoint protection platforms (EPP):

  • Endpoint monitoring—detects abnormal behavior, and prioritizes alerts to help analysts identify real security incidents.
  • Advanced threat detection—can identify complex or unknown threats like fileless attacks and zero day malware.
  • Malware sandbox—sends suspected malware to a safe sandbox environment and “detonates” it to analyze its severity.
  • Integration with SIEM and threat intelligence—can combine endpoint alert data with threat feeds or other security event data.
  • Vulnerability shielding—applies virtual patches to endpoints to prevent known vulnerabilities, without requiring an update on the device.
  • Deception technology—setting up “honeypots” that appear as valuable targets for attackers, and can record attacker actions and techniques.
  • Response and remediation—most EPP solutions come with endpoint detection and response (EDR) technology, described in the following section.


Endpoint Detection and Response (EDR)

Endpoint Detection and Response (EDR) was identified by Gartner as a new category of security tools in 2013. EDR solutions detect attacks on endpoint devices, and allow security teams to quickly access information from the endpoint to investigate the attack. Without EDR technology, security personnel have very little visibility into threats or malicious activity on remote endpoints.

In addition to providing access to information, an important feature of EDR is that security personnel can respond to attacks, by isolating endpoints, blocking malicious processes, or initiating automatic responses based on security playbooks.

EDR solutions consist of three main components:

  • Data collection – an agent deployed on the endpoint collects data about process execution, network communication, and user activity.
  • Detection engine – analyzes endpoint activity, detects and reports anomalies.
  • Data analysis engine – integrates endpoint data with threat intelligence and provides real-time analysis of security events.


eXtended Detection and Response (XDR)

XDR is the next generation of endpoint protection solutions. It is a technology that automatically collects information from multiple layers of security, and correlates it to quickly identify threats.

XDR tracks threats from many different sources in your organization, providing a comprehensive detection and response strategy across endpoints, servers, email systems, cloud environments, and application workloads.

XDR solves the problem of attacks that hide between security silos in your organization, and can be missed due to lack of integration between separate security tools. An XDR solution aims to connect separate security datasets, providing a unified attack story across the entire IT environment. This provides an additional benefit – improving productivity of security teams, because attacks can be investigated and remediated using one central platform.


Securing Endpoints and Networks with UBA

User behavior analytics (UBA), which later evolved into User and Entity Behavior Analytics (UEBA), is a security solution that profiles the day-to-day behavior of user accounts or entities like servers, applications or networks.

UBA/UEBA uses anomaly detection, based on machine learning techniques, to compare current behavior with the normal behavior of the specific entity and its peers (for example, other users in the same department). When it detects abnormal activity, it alerts security teams to the suspicious behavior.

An important part of modern UEBA systems is the use of thresholds to determine when to treat anomalies as a security threat. For example, if a user always starts work at 8am, and then one day logs in at 7am, this is rare, but not unusual enough to warrant investigation. UEBA tools measure the degree of anomaly by calculating a risk score. For example, a login event at 4 or 5am, combined with other anomalous characteristics (location, equipment used, other activities, etc.) may raise the risk to a level sufficient to trigger an alert.
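The 7am-versus-4am distinction above can be made concrete as a small risk-scoring routine. This is an added example rather than anything from the article or a UEBA product: the score weights, the 5% "routine" cutoff, the alert threshold of 50, and the login histories are all constructed assumptions, and the peer profile stands in for "other users in the same department".

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Set

ALERT_THRESHOLD = 50  # assumed tuning value, not from the article


@dataclass
class LoginEvent:
    hour: int      # 0-23, local time
    country: str
    device: str


@dataclass
class Profile:
    hours: Counter
    countries: Set[str]
    devices: Set[str]


def build_profile(events: Iterable[LoginEvent]) -> Profile:
    """Baseline of an entity's past behaviour: hour histogram, known countries and devices."""
    ev = list(events)
    return Profile(hours=Counter(e.hour for e in ev),
                   countries={e.country for e in ev},
                   devices={e.device for e in ev})


def hour_score(profile: Profile, peers: Profile, hour: int) -> int:
    """Rarity of the login hour: 0 if routine for this user, small if rare,
    larger if never seen and far from the usual start hour. Halved when the
    hour is routine for the user's peers."""
    total = sum(profile.hours.values())
    freq = profile.hours[hour] / total if total else 0.0
    if freq >= 0.05:
        score = 0
    elif freq > 0:
        score = 10
    else:
        usual = profile.hours.most_common(1)[0][0]
        distance = min(abs(hour - usual), 24 - abs(hour - usual))
        score = min(40, 20 + 5 * distance)
    peer_total = sum(peers.hours.values())
    if peer_total and peers.hours[hour] / peer_total >= 0.05:
        score //= 2
    return score


def risk_score(profile: Profile, peers: Profile, event: LoginEvent) -> int:
    """Combine the hour anomaly with other anomalous characteristics of the event."""
    score = hour_score(profile, peers, event.hour)
    if event.country not in profile.countries:
        score += 30  # never seen logging in from this country
    if event.device not in profile.devices:
        score += 20  # unfamiliar device
    return score


def should_alert(profile: Profile, peers: Profile, event: LoginEvent) -> bool:
    return risk_score(profile, peers, event) >= ALERT_THRESHOLD


# Constructed 30-day history: almost always 8am from the same laptop, a few 7am/9am days.
USER_HISTORY = ([LoginEvent(8, "US", "laptop-01")] * 24
                + [LoginEvent(7, "US", "laptop-01")] * 3
                + [LoginEvent(9, "US", "laptop-01")] * 3)
PEER_HISTORY = [LoginEvent(h, "US", "laptop-peer") for h in (8, 8, 9, 8, 7, 8, 8, 9, 8, 8)]
USER_PROFILE = build_profile(USER_HISTORY)
PEER_PROFILE = build_profile(PEER_HISTORY)

if __name__ == "__main__":
    for ev in (LoginEvent(7, "US", "laptop-01"), LoginEvent(4, "US", "laptop-01"),
               LoginEvent(4, "RO", "phone-77")):
        print(ev, risk_score(USER_PROFILE, PEER_PROFILE, ev), should_alert(USER_PROFILE, PEER_PROFILE, ev))
```

A 7am login scores 0, a 4am login alone scores 40 and stays below the threshold, and 4am from a new country on a new device scores 90 and raises an alert.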

To learn more see the detailed guide about user behavior analytics (UBA/UEBA)

Ransomware Data Recovery

Backup is a critical defense against ransomware attacks. However, several steps need to be taken to prevent backups themselves from being attacked and encrypted by ransomware software.

To protect your backups from ransomware, follow these guidelines:

  • Keep backups offline – in a ransomware attack malware can attack anything that an infected system can access. As long as backups are connected to the network, they can be infected via an indirect path from infected endpoints to the backup server.
  • Use immutable storage – immutable object storage, also known as write once read many (WORM) storage, can store and lock data in blocks to prevent changes. Many disk backup systems monitor changes to blocks on the disk to prevent files from being modified.
  • Use endpoint protection, especially on backup servers – endpoint protection platforms like EDR and XDR can detect ransomware-related processes on a device as soon as they start operating, even if the ransomware type is new and unknown to security researchers. These solutions can stop the ransomware process and isolate the infected device.
  • Increase backup frequency – backup frequency determines your recovery point objective (RPO), which is the maximal amount of data a ransomware attack can destroy. Important data should be backed up at least once an hour to reduce the damage of a potential attack.
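The RPO definition given earlier and the guidelines above can be checked together against a concrete backup schedule: only copies that predate the intrusion and that the malware could not reach (offline or immutable) count towards recovery, and the age of the newest such copy is the data-loss window compared with the RPO. This is an added example, not code from the article; the schedules, the incident time, and the one-hour RPO target are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Backup:
    taken_at: datetime
    offline: bool    # detached from the network (tape, rotated disk, air-gapped vault)
    immutable: bool  # WORM / object-lock style storage


def trusted(backup: Backup, intrusion_at: datetime) -> bool:
    """A copy is usable for ransomware recovery only if it predates the earliest
    time the attacker is believed to have had access, and could not be reached
    from an infected system (offline or immutable)."""
    return backup.taken_at <= intrusion_at and (backup.offline or backup.immutable)


def recovery_candidate(backups: List[Backup], intrusion_at: datetime) -> Optional[Backup]:
    """Most recent trusted copy before the intrusion, or None if there is none."""
    good = [b for b in backups if trusted(b, intrusion_at)]
    return max(good, key=lambda b: b.taken_at) if good else None


def data_loss_window(backups: List[Backup], intrusion_at: datetime) -> Optional[timedelta]:
    """Time between the last trusted copy and the intrusion: the data an attack can destroy."""
    c = recovery_candidate(backups, intrusion_at)
    return intrusion_at - c.taken_at if c else None


def meets_rpo(backups: List[Backup], intrusion_at: datetime, rpo: timedelta) -> bool:
    w = data_loss_window(backups, intrusion_at)
    return w is not None and w <= rpo


# Constructed scenario: ransomware gains access at 14:30; the RPO target is one hour.
INTRUSION = datetime(2020, 11, 10, 14, 30)
RPO_TARGET = timedelta(hours=1)

# Weak schedule: hourly snapshots on a network share (reachable by the malware)
# plus a single nightly immutable copy at 01:00.
BACKUPS_WEAK = (
    [Backup(datetime(2020, 11, 10, h, 0), offline=False, immutable=False) for h in range(0, 15)]
    + [Backup(datetime(2020, 11, 10, 1, 0), offline=False, immutable=True)]
)

# Hardened schedule: the same hourly cadence, but every copy is written to immutable
# storage, plus a weekly offline copy.
BACKUPS_HARDENED = (
    [Backup(datetime(2020, 11, 10, h, 0), offline=False, immutable=True) for h in range(0, 15)]
    + [Backup(datetime(2020, 11, 8, 2, 0), offline=True, immutable=False)]
)

if __name__ == "__main__":
    for name, plan in (("weak", BACKUPS_WEAK), ("hardened", BACKUPS_HARDENED)):
        print(name, data_loss_window(plan, INTRUSION), meets_rpo(plan, INTRUSION, RPO_TARGET))
```

With the weak schedule the hourly snapshots are all untrusted, so the 01:00 copy is the best candidate and 13.5 hours of data are at risk; with the hardened schedule the 14:00 copy is usable and the window shrinks to 30 minutes.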

Learn more in the in-depth guide to ransomware data recovery

The Compliance Aspect of Data Breaches: Data Privacy Regulations

Data breaches are not only damaging for an organization, but may place it in violation of regulations or industry standards. This may result in fines and other negative consequences. Below is a brief review of regulations that affect an organization’s data breach strategy.

Learn more about regulations around the world in the in-depth guide to data privacy regulations

U.S. Federal Privacy Regulations

The United States does not have a comprehensive federal data protection regulation. For example, the Federal Trade Commission Act (FTCA) does not specify what to include in a website’s privacy policy, but warns against “deceptive practices” and in general requires sufficient security for private data.

Other federal laws that apply to the collection of information online include:

  • Children’s Online Privacy Protection Act – applies to information about minors
  • Gramm Leach Bliley Act (GLBA) – regulates personal data collected by banks and financial institutions
  • Health Insurance Portability And Accountability Act (HIPAA) – applies to the collection of protected health information (PHI)

To learn more about protecting health data to comply with HIPAA, see the in-depth guide to health data management

HIPAA Breach Notifications

The HIPAA Breach Notification Rule requires companies to disclose security breaches. It applies both to Covered Entities (healthcare organizations, medical providers and practitioners), and Business Associates (who provide services to Covered Entities).

The HIPAA Breach Notification Rule may require organizations to notify individuals whose data was affected by the breach, the U.S. Department of Health and Human Services Office for Civil Rights (HHS/OCR), and/or the media. Violation of the rule can result in fines of up to $1.5 million per year, calculated per violation, or per PHI record exposed in the breach.

Learn more in our in-depth guide to HIPAA breach notifications

California Consumer Privacy Act (CCPA)

A significant regulation at the state level is the CCPA, the most comprehensive data protection law in the United States, which came into force in January 2020. CCPA places certain obligations on companies who collect or store information about California citizens. These include notifying the data subject when and how their data was collected, and giving them the ability to access and delete that information.

CCPA Data Breach Provisions

The CCPA gives California citizens the right to request statutory damage if their information was exposed in a data breach. This applies only to data breaches that meet three criteria:

  1. The data affected by the breach is “personal information” as defined by the California Data Breach Notification Law
  2. The data exposed was not encrypted or redacted
  3. The breach was a result of the failure of the organization to maintain reasonable security controls

Learn more in the in-depth guide to the California Consumer Privacy Act

European Regulations: GDPR

The EU General Data Protection Regulation (GDPR) regulates the collection, use, transmission, and security of data collected from residents of 27 European Union countries. It applies to any business that works with European citizens, regardless of where the company is based. Organizations that violate the GDPR can be fined up to 20 million Euro or 4% of global revenue.

GDPR Data Breach Notifications

What is the official GDPR definition for data breaches?

The GDPR requires organizations to notify relevant parties if they are breached. According to the Quick Guide to Breach Notifications, a breach that requires notification is an incident that:

  • Leads to accidental or malicious destruction, loss, modification, unauthorized disclosure, or encryption of personal data. “Personal data” means any information about an individual who is identified or may be identified based on the data.
  • Affects the confidentiality, integrity, or availability of the personal data.

72 hour deadline and possible fines

According to Article 33 of the GDPR, organizations need to report security breaches as defined above within 72 hours of detection of the breach. Breaches are reported to a Data Protection Authority (DPA), and in some cases, also need to be reported to individuals who were affected or to the press.

Failure to notify about a breach can result in a fine of up to 10 million Euro or 2% of global revenue. However, European authorities emphasize that fines are a last resort and will only be imposed on those who repeatedly and seriously violate the regulation.

Learn more in our in-depth guide to GDPR data breaches

Autonomous Data Breach Protection with Cynet

Cynet 360 is an autonomous breach protection platform that works on three levels, providing XDR, Response Automation, and 24/7 MDR in one unified solution. Cynet natively integrates these three services into an end-to-end, fully automated breach protection platform.

Breach protection with Cynet incident response services:

CyOps, Cynet’s Cyber SWAT team, is on call 24/7/365, allowing enterprises of all sizes to get access to the same expert security staff that protect the largest enterprises. Here’s what you can expect from the CyOps incident response team:

  • Alert monitoring—continuous management of incoming alerts: classify, prioritize and contact the customer upon validation of active threat.
  • 24/7 availability—ongoing operations at all times, both proactively and on-demand per the customer’s specific needs.
  • On-demand file analysis—customers can send suspicious files to analysis directly from the Cynet 360 console and get an immediate verdict.
  • One click away—CISOs can engage CyOps with a single click on the Cynet Dashboard App upon suspicion of an active breach.
  • Remediation instructions—conclusion of investigated attacks entails concrete guidance to the customers on which endpoints, files, users and network traffic should be remediated.
  • Exclusions, whitelisting, and tuning—adjusting Cynet 360 alerting mechanisms to the customers’ IT environment to reduce false positives and increase accuracy.
  • Threat hunting—proactive search for hidden threats leveraging Cynet 360 investigation tools and over 30 threat intelligence feeds.
  • Attack investigation—deep-dive into validated attack bits and bytes to gain the full understanding of scope and impact, providing the customer with updated IoCs.

Learn how the Cynet Autonomous Breach Protection platform and the CyOps 24/7 incident response team can help you.

Cynet 360 provides cutting edge EDR capabilities:

  • Advanced endpoint threat detection—full visibility into endpoints and prediction of how an attacker might operate, based on continuous monitoring of endpoints and behavioral analysis.
  • Investigation and validation—search and review historic or current incident data on endpoints, investigate threats, and validate alerts. This allows you to confirm the threat before responding to it, reducing dwell-time and performing faster remediation.
  • Rapid deployment and response—deploy across thousands of endpoints within two hours. You can then use it to perform automatic or manual remediation of threats on the endpoints, disrupt malicious activity and minimize damage caused by attacks.

Learn more about our EDR security capabilities.

Cynet 360 provides the following XDR capabilities:

  • Endpoint protection—multilayered protection against malware, ransomware, exploits and fileless attacks.
  • Network protection—protecting against scanning attacks, MITM, lateral movement and data exfiltration.
  • User protection—preset behavior rules coupled with dynamic behavior profiling to detect malicious anomalies.
  • Deception—wide array of network, user, file decoys to lure advanced attackers into revealing their hidden presence.

Cynet 360 can be deployed across thousands of endpoints in less than two hours. It can be immediately used to uncover advanced threats and then perform automatic or manual remediation, disrupt malicious activity and minimize damage caused by attacks.

Get a free trial of Cynet 360 and experience the world’s only integrated XDR, SOAR and MDR solution.


Network Attacks

Authored by Cynet

Threat actors often try to gain unauthorized access to the organizations’ network. Learn how to protect the organization against various types of network attacks.


Cyber Security Threats

Authored by Exabeam

Each year and each technological advancement brings with it new types of threats. Learn how to protect your organization against critical threats.


Advanced Threat Protection

Authored by Cynet

Advanced threat protection (ATP) solutions leverage various techniques to provide organizations with the real-time visibility and data awareness needed to detect and block advanced threats.


Endpoint Security

Authored by Cynet

Threat actors often leverage endpoints to gain unauthorized access and launch various attacks. Endpoint security provides the visibility needed to detect and respond to endpoint threats.


Endpoint Detection and Response (EDR)

Authored by Cynet

EDR cyber security helps organizations detect and respond to endpoint threats in a timely manner. Learn how EDR works, how it differs from EPP, and how to choose the right solution for your organization.


eXtended Detection and Response (XDR)

Authored by Cynet

XDR solutions provide multilayered protection against endpoint threats, network threats, and user vulnerabilities. Learn how XDR works, how it differs from EDR, and what capabilities are provided.


Data Loss Prevention (DLP)

Authored by Exabeam

Data loss prevention (DLP) practices and solutions help protect business information. Learn how DLP works, and what capabilities are provided by various types of DLP.


User Behavior Analytics (UBA)

Authored by Exabeam

UBA tools, also known as user and entity behavior analytics (UEBA), analyze the behavior of users and leverage advanced analytics techniques to identify suspicious behavior.


Insider Threats

Authored by Exabeam

Insider threats perform malicious activity that can result in a breach or serve as a point of entry into the organization’s systems. Learn about the types of insider threats and how to prevent and respond to these attacks.


Cloud Native Security

Authored by Aqua

Cloud native applications are designed especially for the cloud, rather than lifted and shifted or re-architected to accommodate cloud needs. Discover key cloud native security challenges and solutions.

See top articles in our cloud native security guide:

  • Cloud native applications


Data Protection

Authored by Cloudian

Data protection practices and tools help organizations ensure the protection of data that passes through the organization’s systems. Learn about key data protection techniques.


Data Backup

Authored by Cloudian

Data backup is critical to ensure organizations can recover from various types of data losses. Learn how to successfully implement data backup techniques.


AWS Backup

Authored by NetApp

Amazon Web Services (AWS) is a top cloud computing vendor, offering highly customizable tools, including a dedicated backup service. Learn how to leverage AWS backup tools and techniques.


Azure Backup

Authored by NetApp

Microsoft Azure is a popular cloud computing vendor, offering enterprise-grade solutions, including backup and recovery services. Discover key Azure backup tools and techniques.


Google Cloud Backup

Authored by NetApp

Google Cloud Platform (GCP) is a widely used cloud computing vendor, offering scalable and cost-effective services. Learn about popular backup options and techniques offered by Google Cloud.


Ransomware Data Recovery

Authored by Cloudian

Ransomware attacks prevent access to critical databases, systems, and networks. Learn how ransomware attacks work, and key techniques to recover your data.


Data Privacy Regulations

Authored by NetApp

Data privacy regulators are legally authorized to audit and fine organizations that are not compliant. Learn about key regulatory entities and how to achieve compliance.

See top articles in our data privacy regulations guide:

  • Data Privacy Regulations on 4 Continents
  • GDPR Subject Access Request in 5 Steps
  • California Consumer Privacy Act: 6-Step Compliance Checklist

Health Data Management

Authored by Cloudian

Healthcare data is highly sensitive, containing massive amounts of patients’ private information. Learn how to leverage Health Data Management (HDM) practices and tools to protect healthcare data.

