Vulnerabilities can have an effect on many parts of an organization. In this video, you’ll learn about data loss, identity theft, financial loss, reputation impacts, and availability loss.
<< Previous Video: Third-party Risks Next: Threat Hunting >>
In February of 2018, the United States Council of Economic Advisors produced a report called The Cost of Malicious Cyber Activity to the US economy. And they found that the costs were between $57 and $109 billion in the year of 2016. This is a significant financial issue, and one that we need to be concerned with regardless of our organization. Of course, the impacts of vulnerabilities are not just associated with finances, there are many other concerns that we’ll talk about in this video as well. It is these costs and effects of vulnerabilities that drive us in security to make sure our systems are as safe as possible.
One result of vulnerabilities may be the loss of data, and in some cases losing the data may be more damaging than losing money. For example, a database that has no password or is using default passwords can be at risk for losing the data within that database. An example of this data loss started in July 2020 with what the internet is calling the meow attack. This is databases that had no password or were using the default password, and all of the information in this database was being deleted without any type of warning.
Researchers who were tracking this attack, say that thousands of databases has been deleted and instead of the data being in the database, all of that information has been replaced with the word, meow. This is an extreme example of what can happen if databases are not properly secured, and another reason why it’s very important to always have a backup. Some attackers don’t delete the data, but instead prefer to steal the data and then use that data for their own purposes.
A good example of this is the identity theft that occurred between May and July of 2017 at Equifax. Equifax stored information of over 147.9 million Americans, over 15 million British citizens, and over 19,000 Canadian citizens. The attackers were able to gain access to names, social security numbers, birth dates, address information, and more. With all of this information, they’re then able to steal people’s identities, open up new lines of credit, and create problems for all of the people affected by this theft.
The vulnerability that allowed this particular identity theft, was a vulnerability in Apache Struts that was announced on March the 7th. Attackers took advantage of a system that was not patched, on March the 12th got into the Equifax network, and were able to remove all of this data from their systems. This was such an extreme attack with such a large amount of data, that both the CIO and CIS were asked to leave the organization and ultimately Equifax paid over half a billion dollars in fines for this particular breach.
And of course, these vulnerabilities can cause financial loss as well. This particular example is in March of 2016 at the Bank of Bangladesh, and this is around a vulnerability that took advantage of the Society for Worldwide Interbank Financial Telecommunications, or what the industry refers to as SWIFT. Attackers sent messages over the SWIFT network to transfer nearly $1 billion from accounts at the Bank of Bangladesh to accounts that are in the Philippines and Sri Lanka.
Fortunately, for the Bank of Bangladesh, most of these requests were rejected because they were not formatted properly when they were sent. However 35 of the requests were processed and the bank lost $81 million that got laundered through the Filipino Casino industry. This is not the first time that this particular type of vulnerability resulted in financial loss. A similar swift vulnerability has taken $12 million from Wells Fargo, and $60 million from the Taiwanese Far Eastern International Bank.
Of course, getting hacked is not very good for public relations, and it can make your organization have an impact to its reputation. In many countries there’s laws that require an organization to disclose the results of a hack. And in some cases, especially with public companies, that can have an effect on the company’s value, especially in the stock market.
An example of one of these reputation impacts occurred in October of 2016 with the company Uber. This particular breach allowed attackers to gain access to 25.6 million customer names, email addresses, and mobile phone numbers. Instead of disclosing this breach, Uber instead decided to have the hacker sign a non-disclosure agreement and gave them $100,000 to not say anything. Ultimately, the pressure regarding this breach required Uber to announce the hack in November of 2017, and in 2018 they paid $148 million in fines.
The hackers associated with this breach pleaded guilty in October of 2019. And to continue the reputation impact to Uber, Uber’s former Chief Security Officer was charged with obstruction of justice, and misprision of a felony. If you don’t lose any data and you don’t lose any money, you could still lose uptime and availability. Someone taking advantage of a vulnerability could cause outages, downtime, and cause a system to become unavailable. A good example of this are the outbreaks of ransomware that we’re seeing that are bringing down some of the world’s largest networks.
For example, in September of 2021 of Chile’s largest banks Banco Estado was attacked with ransomware that took out all of their internal systems. The bank was effectively out of business internally, and were not able to process anything on their internal network. Fortunately, their network was segmented and the public facing services were still up and running. The bank had to delete everything that was on these internal systems, restore from known good backups, and that process caused the bank to be out of business for an extended period.