The bleeding of private data never seems to stop. This week, StockX announced that 6.8 million records were exposed. Last week it was CapitalOne announcing a significant data breach of over 100 million records, Honda announcing the exposure of the details on their internal network and 21 million user records owned by a bookseller in Mexico, Librería Porrúa being held for ransom.
Cybercriminals need user credentials, attack frameworks and infrastructure such as a Bulletproof Proxy to launch large-scale automated attacks. The data stolen from StockX and CapitalOne gives them a fresh set of user information that can be used in future attacks. Cybercriminals rely on the fact that 52% of us reuse passwords, so the stolen information can be used against the breached vendor itself or against other web application properties.
The Honda incident is as troubling as the recent large-scale user breaches because it provides a valuable set of endpoints that a Bulletproof Proxy vendor might try to add to its network of compromised devices, which in turn can be used in an automated attack. This growing class of cybercriminal infrastructure lets its users hide malicious activity in plain sight: seemingly legitimate login and account-creation transactions that appear to come from equally legitimate IP addresses.
Looking beyond the impact of this ongoing onslaught of security incidents, one has to ask why it continues to happen. In many cases, it comes back to human error. The data released in the CapitalOne incident indicates a configuration error, and no doubt the other two incidents were errors of some sort as well. There is another legitimate reason: there is no silver bullet to prevent these incidents. Due diligence, best practices, and continual auditing and monitoring can help minimize your risk. Here are three recommendations I can make off the top of my head.
- Understand your exposure. Make sure developers are using up-to-date applications, patched against known vulnerabilities. Both Elasticsearch and MongoDB are widely used and have known vulnerabilities; attackers know this and can easily search for them using tools like Shodan, then move on to exploiting the vulnerability. Plug those holes and put a process in place to keep them plugged.
Increasingly, the data lost in these incidents is used in large-scale, automated bot attacks. This class of attack looks legitimate and targets your public-facing web, mobile and API-based applications. Any organization with an account-based infrastructure that requires user logins to access its products and services can be considered a target. Threat modeling and visibility tools can monitor your public-facing applications, looking for spikes in login attempts, increased password-reset activity, or a large volume of incomplete shopping transactions.
- Reduce complexity and look for points of leverage. Every customer we talk to says they have too many security products that do not talk to each other. Consolidate similar security technologies (network, application, endpoint, etc.) and choose solutions with rich APIs that enable inbound and outbound integration with your existing security infrastructure.
- Look for ways to bake security into development. Many organizations are moving to rapid, iterative development methodologies where traditional change-control-oriented approaches to security can slow development or, worse, lead to security incidents. Baking security into the development workflow means applications can be deployed at speed in a secure manner.
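The monitoring described in the first recommendation, as an added example that is not Cequence's code: a small detector that parses constructed login and password-reset events and flags the signals named above (a spike in failed logins, one source cycling through many accounts, a burst of password resets). The log format, field names and thresholds are assumptions chosen for illustration.

```python
# Added example (not Cequence's code): a small credential-stuffing detector run
# over constructed auth events. Log format, field names and thresholds are assumed.
import re
from collections import defaultdict

# Constructed sample: one IP cycling through many accounts, plus a burst of resets.
SAMPLE_LOG = """\
2019-08-05T10:00:01Z ip=203.0.113.5 user=alice event=login result=fail
2019-08-05T10:00:02Z ip=203.0.113.5 user=bob event=login result=fail
2019-08-05T10:00:02Z ip=203.0.113.5 user=carol event=login result=fail
2019-08-05T10:00:03Z ip=203.0.113.5 user=dave event=login result=fail
2019-08-05T10:00:03Z ip=203.0.113.5 user=erin event=login result=success
2019-08-05T10:00:04Z ip=198.51.100.9 user=frank event=login result=fail
2019-08-05T10:00:04Z ip=198.51.100.9 user=grace event=login result=fail
2019-08-05T10:00:06Z ip=192.0.2.20 user=ivan event=login result=success
2019-08-05T10:00:07Z ip=192.0.2.21 user=ivan event=reset result=success
2019-08-05T10:00:07Z ip=192.0.2.22 user=judy event=reset result=success
2019-08-05T10:00:08Z ip=192.0.2.23 user=mallory event=reset result=success
"""

LINE_RE = re.compile(r"(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
                     r"event=(?P<event>\w+) result=(?P<result>\w+)")

def parse(log_text):
    """Parse the constructed log into dicts, skipping malformed lines."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def find_indicators(events, fail_ratio=0.6, users_per_ip=3, resets=3):
    """Return the indicators that fire for one window of events (thresholds are illustrative)."""
    logins = [e for e in events if e["event"] == "login"]
    failures = sum(e["result"] == "fail" for e in logins)
    users_by_ip = defaultdict(set)
    for e in logins:
        users_by_ip[e["ip"]].add(e["user"])   # distinct accounts tried per source
    reset_count = sum(e["event"] == "reset" for e in events)

    hits = {}
    if logins and failures / len(logins) >= fail_ratio:      # bulk failed logins
        hits["login_failure_spike"] = round(failures / len(logins), 2)
    spraying = sorted(ip for ip, u in users_by_ip.items() if len(u) >= users_per_ip)
    if spraying:                                             # one IP, many accounts
        hits["many_accounts_per_ip"] = spraying
    if reset_count >= resets:                                # reset-flow abuse
        hits["password_reset_spike"] = reset_count
    return hits

if __name__ == "__main__":
    print(find_indicators(parse(SAMPLE_LOG)))
```

In production the same counters would be computed per sliding time window and compared against a learned baseline rather than fixed thresholds.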
Cequence can help protect your organization from automated bot attacks and targeted application vulnerabilities.
Download our latest research to learn more about how bad actors are leveraging Bulletproof Proxies to launch sophisticated attacks: