How to get breached: 5 most common attack vectors

26 December, 2024

Dear disgruntled employee (let’s call you Mallory):
Tired of working long hours with no holidays, all for a boss who just doesn’t get it? Here’s your golden opportunity to make them pay! This blog will teach you the ultimate ways to ensure a data breach that’ll leave your boss (let’s call him Bob) sleepless. Revenge has never been so… educational.

Dear employer (let’s call you Bob):
Don’t worry, this is all satire. Of course, no employee would dare exploit these vulnerabilities in your organization. But, just in case you do have a Mallory lurking in your workforce—or perhaps even an accidental one—this blog provides actionable tips to keep your systems safe. After all, a joke is only funny until it becomes reality.

Now, for the rest of you, aside from the humor, this blog offers real lessons on how to prevent a data breach and improve your security practices. The blog is inspired by a true stories provided by “Verizon 2024 Data Breach Investigations Report”. We’ve condensed the key insights into something both informative and entertaining.

Key takeaways on how to prevent a data breach:

  • Stolen credentials systematically account for over 30% of breaches in the past decade year after year. Most attackers exploit credentials to access web applications and cloud services.
  • Exploitable vulnerabilities: Breaches due to known third-party vulnerabilities have tripled since 2023, comprising 15% of incidents.
  • Social engineering: A rising favorite, often originating from phishing or spear-phishing campaigns and leading to many types of data breaches as well as ransomware.
  • Denial of Service (DoS): Cheap, easy and incredibly disruptive if timed right.
  • Privilege misuse: Insider threats remain a real problem, whether malicious or accidental.

Luckily most of these problems are human-related (68%). Unluckily, it is easier to harden a system than the human. By the way that number is without taking into account any malicious intent, which would bring it to the 76%.

Time to help Mallory wreak havoc 😈.

Reuse passwords everywhere (breach probability: over 30%)

Now Mallory, the easiest way to make sure Bob’s company gets breached is obviously throwing your password in plain text on a forum somewhere. Now, you can’t really do that because Bob will sue you. To make sure you have plausible deniability here is what you can do.

  1. The quickest way to invite attackers into your system is by reusing the same password across multiple accounts. It is sufficient for one weak system to store your password in plain text or leak it in any other ways.
  2. Make sure your password is very easy to guess. I know, Bob has all these foolish password rules. Here is the best password I’ve seen in years: Password1@. In case his password checker is stronger than that, go for <html>Password1@</html>. No way any password checker is going to flag that.
  3. Every time you are asked to change your password (because of yet another foolish rule) just make sure your new password is almost the same except for 1 character. Password2@, Password3@, Password4@…. I’m sure you know what to do.

How to prevent data breaches caused by credentials attack vector

  • Make password manager mandatory across your organization. Honestly, I haven’t seen this in any of the best practice standards out there.
  • DO NOT – I repeat – do not make mandatory password rotations. Instead, make sure passwords are strong enough (OWASP ASVS best practice).
  • When coming up with password rules please don’t make the life of humans unbearable. Actually neither OWASP ASVS nor NIST SP 800-53 recommend having any password character rules. In other words, no numbers, no special signs. Here is a really really hard password that only has letters in it: hsrllrllhrdpsswrdthtnlhslttrsnt, i.e., the passphrase based on all consonants in the first part of this sentence. However do make sure you have a really advanced password strength meter in place.
Example of a very strong password based on a passphrase
Example of a very strong password based on a passphrase

Ignore supply chain risks (breach probability: over 15%)

Supply chain attacks are a treasure trove. Here’s how to help Bob suffer:
  1. Disable autoupdates across the board, especially if you are in charge of maintaining the corporate website in WordPress.
  2. Ignore patching and updating efforts entirely.
  3. Misclassify all vulnerable dependencies as “low risk” or, for fun, over-triage everything as “critical.”.
  4. Forget about aligning your suppliers with your own security standards.

How to prevent data breaches caused by supply chain vulnerabilities

Click all email links (breach probability: over 15%)

Mal, if you receive an email, especially one that requires a prompt action, make sure to follow whatever it says.

  1. Click on any link that promises financial rewards.
  2. Open attachments, especially suspicious ones, and grant all permissions they ask for.
  3. Forward phishing emails to Bob—you might infect his machine too!
  4. Don’t forget the SPAM folder.

Best practices to combat social engineering

  • Use anti-ransomware tools to block harmful emails and quarantine phishing attempts.
  • Provide regular, bite-sized security awareness training to your employees.
  • Track and follow up on employees who click on phishing links. Make sure to include a feedback loop from this activity to the training.

Hire Denial of Service (DoS) as a Service

I know Mal, this isn’t really what you were hoping to hear. You now have to pay for the payback. The cost of a DoS attack isn’t that much if you look for it on the Dark Web. Don’t worry, if you time this right, Bob is going to squirm. Moreover, see the next tip and you might even make some profit. So pick a moment to organize a DoS attack to maximize the damage.

How to defend against DoS attacks

  • Use a strong anti-DoS solution (e.g., Cloudflare).
  • Eliminate outdated DNS entries that might expose your real server IP.
  • Develop business continuity plans (e.g., take a look at NIST SP 800-34 and it’s handy implementation in the SAMMY tool).
  • Leverage threat modeling to identify weak spots and add rate limiters to critical functions.

Misuse privileges

Great news, Mallory. You can misuse your privileges and sell some data to the highest bidder. You can actually make money and make Bob pay with his data. There is some issue though to make sure you have some plausible deniability in the story though. In any case even if you don’t, it won’t be very easy for Bob to prove it was you.

How to prevent data breaches caused by misuse and malicious intent

  • Enforce the principle of least privilege: no access unless absolutely necessary.
  • Regularly audit access logs and processes for granting and revoking privileges.
  • Tighten employee off-boarding procedures to prevent former employees from exploiting their old access.

Final thoughts

While Mallory’s sabotage guide may seem humorous, the consequences of these actions are all too real. Data breaches not only hurt organizations financially, but also damage reputations and trust.

For employers, the solution lies in proactive measures: implementing strong processes, investing in training, and continuously monitoring for vulnerabilities. Preventing a data breach requires a holistic approach to security. Remember, security is a journey, not a destination.

Sources and helpful links

Author

Aram is the founder and the CEO of Codific. With over 15 years of experience, he has a proven track record in building complex software systems by explicitly focusing on software security. Aram has a PhD in cybersecurity from DistriNet KU Leuven. His contributions to the refinement and streamlining of the LINDDUN privacy engineering methodology have been incorporated into ISO and NIST standards. Aram is also a core contributor to OWASP SAMM project and the architecture and security mentor for all our teams.
If you have questions, reach out to me hereContact

Related Posts