I've got my favorite data breaches in terms of lessons learned. I confess that I focus a lot on the social angles and techniques.
Here are my favorite hacks in terms of lessons learned:
- Edward Snowden data breach
- Target data beach
- Sony data breach
- Ashley Madison data breach
- Countless POS breaches
Snowden data breach
To me the fascinating part is the total lack of access detection. I won't go into how (via what little is known) he got all the data, but to me the obvious missing part was logging of access to data. I'm fascinated by data exfiltration techniques that are based upon DLP. It's so easy to circumvent, simple data access logging and a system based upon using big data techniques for detecting unusual or large volumes of access would have been invaluable.
Target data breach
Where to begin… To me the fascinating part was segmentation, remote access and VPNs in general. It's a great case in point of being aware of who outside your organization has access to your data via various RAS (Remote Access Server) solutions or "partner" VPN networks.
Sony data breach
This one was fascinating because it got so much visibility and government assistance. In large part, the outcry wasn't based upon the intellectual property that was lost but rather the embarrassing personal Emails that were leaked. Lesson learned there's a big difference in IT between losing someone else's data (e.g. credit card) versus your own or their private data. It set the stage for Ashley Madison.
Ashley Madison data breach
I think this is the first one that got people to really take notice that their own personal actions or secrets might be laid bare by the inadequate security of others. So many personal tragedies and suicides. While we could argue about the moral aspects, the real surprise here again is that people really don't want THEIR data lost or THEIR reputation affected by what has been mostly nuisance financial breaches.
This one will set the stage for some fascinating blackmail stories in the future of high value targets. I expect we will also see some fascinating future cases very soon of using exposed passwords that were shared to other sites now involving other sensitive data (banks, healthcare, etc.). The lesson learned too was good security standards poorly implemented is still poor security.
Countless POS breaches
Well, it's old news, but I'm tired of the lack of adherence to PCI standards. For the record, adherence to PCI standards does NOT create cyber security. However, lack of adherence to PCI standards will GUARANTEE data breaches and I suspect will yield to criminal negligence cases in the near future. Any corporate executive that on record falsified a PCI audit will need to be held accountable in the future.