Research Work


Year and Organization | Mitigation Techniques

2010 Microsoft [19]
1. Data Encryption and Privacy Preservation:
   • Encrypting the employee contact information that was exposed would have protected it even after theft: sensitive data that falls into the wrong hands is unreadable and unusable without the key.
2. Access Control and Identity Management:
   • Stricter access controls and multi-factor authentication (MFA) help prevent unauthorized access to the BPOS system, so that only authorized users can reach sensitive information.
   • An incident response plan is also crucial for responding effectively if another breach occurs.

2012 Dropbox [20]
1. Access Control and Identity Management:
   • Strict access controls and multi-factor authentication (MFA) are crucial for preventing unauthorized access to Dropbox accounts, ensuring that only authorized users can reach user data and settings.
2. Proactive Security Audits and Vulnerability Assessment:
   • Regular security audits and vulnerability assessments identify and address weaknesses in Dropbox's infrastructure, so that vulnerabilities are fixed before they can be exploited.
3. Timely Patch Management:
   • Keeping Dropbox's software and applications up to date with security patches is essential to reduce the risk of exploitation of known vulnerabilities in outdated software.
4. Real-time Security Monitoring and Incident Response:
   • Robust monitoring tools and incident response plans are vital for detecting and responding promptly to security incidents, including unauthorized access or unusual account activity.
5. Employee Education and Training:
   • Educating Dropbox users about security awareness and best practices helps prevent human-related incidents, such as falling victim to phishing or misconfiguring security settings.
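The MFA control recommended above for the BPOS and Dropbox entries (and repeated for the later rows) is usually delivered as a time-based one-time password. The following is an added example, not code from the paper or from either vendor, showing how a server verifies such a code: it implements RFC 6238 TOTP over HMAC-SHA1, tolerates one step of clock drift on either side, compares in constant time, and refuses a code that has already been accepted. The secret `12345678901234567890` is the RFC's published test value, not a real seed; the 30-second step, six digits and skew of one step are assumptions matching common authenticator apps.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// totpCode computes the RFC 6238 code for a Unix time: HMAC-SHA1 over the
// big-endian step counter, then RFC 4226 dynamic truncation to `digits` digits.
func totpCode(secret []byte, unix, step int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unix/step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	bin := (uint32(h[off])&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// Verifier is the server-side state for one enrolled user.
type Verifier struct {
	secret      []byte
	step        int64
	digits      int
	skew        int64 // steps of clock drift tolerated on either side (assumed: 1)
	lastCounter int64 // highest step already consumed; blocks replay of a code
}

func NewVerifier(secret []byte, digits int) *Verifier {
	return &Verifier{secret: secret, step: 30, digits: digits, skew: 1, lastCounter: -1}
}

// Verify accepts code if it matches the current step or a neighbour within
// skew and that step has not been used before. Every candidate step is
// compared in constant time so timing does not reveal which one matched.
func (v *Verifier) Verify(code string, now int64) bool {
	matched := int64(-1)
	for d := -v.skew; d <= v.skew; d++ {
		t := now + d*v.step
		counter := t / v.step
		if counter <= v.lastCounter {
			continue // already consumed, or older than a consumed code
		}
		want := totpCode(v.secret, t, v.step, v.digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			matched = counter
		}
	}
	if matched < 0 {
		return false
	}
	v.lastCounter = matched
	return true
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, not a real seed
	now := time.Now().Unix()
	code := totpCode(secret, now, 30, 6)
	fmt.Println("current code:", code)
	v := NewVerifier(secret, 6)
	fmt.Println("first use accepted:", v.Verify(code, now))
	fmt.Println("replay accepted:", v.Verify(code, now))
}
```

The replay guard matters as much as the code check: without `lastCounter`, a code phished seconds ago remains usable for the rest of its step and the tolerated neighbours.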

2014 Home Depot [21]
1. Enhanced Security Measures for Point-of-Sale Terminals:
   • Implement encryption and tokenization so that card data is protected during transactions and the full card number never rests on the terminal or in the order systems.
   • Strengthen access controls so that only authorized personnel can access and configure point-of-sale terminals.
2. Real-time Security Monitoring and Incident Response:
   • Employ robust monitoring tools and intrusion detection systems to detect abnormal activity early.
   • Establish a comprehensive incident response plan that defines communication protocols, containment strategies, and recovery procedures.
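The tokenization and encryption recommended for the point-of-sale terminals (and the at-rest encryption recommended in the other rows) can be shown concretely. The block below is an added example, not Home Depot's or the paper's code: a token vault that validates a card number with the Luhn check, seals it with AES-256-GCM under a fresh nonce with the token bound in as associated data, hands back a random token plus the last four digits for receipts, and releases the plaintext only to a caller with the settlement role. The role name, the `tok_` prefix and the test PAN 4111111111111111 are assumptions; a real deployment keeps the key in an HSM or key management service rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// luhnValid reports whether pan is 13-19 digits and passes the Luhn check.
func luhnValid(pan string) bool {
	if len(pan) < 13 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Vault is the only component that ever sees a full PAN. Terminals and the
// order database store the token and the last four digits, nothing more.
type Vault struct {
	aead    cipher.AEAD
	records map[string][]byte // token -> nonce || ciphertext
}

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // 32-byte key gives AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, records: map[string][]byte{}}, nil
}

// Tokenize validates the PAN, encrypts it under a fresh nonce and returns a
// random token that carries no information about the card number.
func (v *Vault) Tokenize(pan string) (token, last4 string, err error) {
	if !luhnValid(pan) {
		return "", "", errors.New("invalid PAN")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", "", err
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", "", err
	}
	token = "tok_" + hex.EncodeToString(raw) // assumed token format
	// The token is the associated data, so a ciphertext copied under another
	// token fails authentication instead of decrypting.
	v.records[token] = v.aead.Seal(nonce, nonce, []byte(pan), []byte(token))
	return token, pan[len(pan)-4:], nil
}

// Detokenize is restricted to the settlement role (assumed name); a POS
// terminal or reporting job never gets the plaintext back.
func (v *Vault) Detokenize(token, role string) (string, error) {
	if role != "settlement" {
		return "", errors.New("caller not authorised to detokenize")
	}
	ct, ok := v.records[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	ns := v.aead.NonceSize()
	pan, err := v.aead.Open(nil, ct[:ns], ct[ns:], []byte(token))
	if err != nil {
		return "", err
	}
	return string(pan), nil
}

// Masked is what receipts and support screens display.
func Masked(last4 string) string { return strings.Repeat("*", 12) + last4 }

func main() {
	key := make([]byte, 32)
	rand.Read(key) // in production the key comes from a KMS/HSM, never from code
	v, err := NewVault(key)
	if err != nil {
		panic(err)
	}
	tok, last4, err := v.Tokenize("4111111111111111") // well-known test PAN
	fmt.Println(tok, Masked(last4), err)
	fmt.Println(v.Detokenize(tok, "pos-terminal"))
	fmt.Println(v.Detokenize(tok, "settlement"))
}
```

Two properties carry the security argument: tokens are random, so a dump of the order database yields nothing to decrypt, and the vault's only plaintext path is gated by role, so compromising a terminal does not yield card numbers.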

2016 National Electoral Institute of Mexico [22]
1. Data Encryption and Privacy Preservation:
   • Encrypt sensitive voter registration information both in transit and at rest, so that compromised data is unreadable and unusable to anyone without the keys.
2. Access Control and Identity Management:
   • Strengthen access controls to limit each user to the data and services their role in voter registration requires.
   • Implement multi-factor authentication (MFA) to add an extra layer of security to user accounts and prevent unauthorized access.
3. Proactive Security Audits and Vulnerability Assessment:
   • Conduct regular security audits and vulnerability assessments to identify and address weaknesses in the Institute's systems and databases before they can be exploited.
4. Timely Patch Management:
   • Keep software and databases up to date with the latest security patches so that known vulnerabilities cannot be exploited by malicious actors.
5. Real-time Security Monitoring and Incident Response:
   • Employ robust monitoring tools and intrusion detection systems to detect abnormal activity early, including unauthorized access or data leaks.
   • Develop a comprehensive incident response plan that defines communication protocols, containment strategies, and recovery procedures so that breaches are handled promptly.
6. Employee Education and Training:
   • Continuously train employees in security awareness, including data protection best practices and the importance of safeguarding voter information, to prevent human-related incidents.
7. Vendor Assessment and Compliance:
   • Rigorously assess third-party vendors that have access to voter registration data against security standards, and require them to meet strict security requirements.

2016 Uber [23]
1. Data Encryption and Privacy Preservation:
   • Encrypt sensitive user data and driver's license information both in transit and at rest, so that compromised data is unreadable and unusable to anyone without the keys.
2. Access Control and Identity Management:
   • Strengthen access controls to limit each user to the data and services their role requires for user accounts and driver information.
   • Implement multi-factor authentication (MFA) to add an extra layer of security to user accounts.
3. Proactive Security Audits and Vulnerability Assessment:
   • Conduct regular security audits and vulnerability assessments to identify and address weaknesses in Uber's systems and databases before they can be exploited.
4. Timely Patch Management:
   • Keep software and databases up to date with the latest security patches so that known vulnerabilities cannot be exploited by malicious actors.
5. Real-time Security Monitoring and Incident Response:
   • Employ robust monitoring tools and intrusion detection systems to detect abnormal activity early, including unauthorized access or data breaches.
   • Develop a comprehensive incident response plan that defines communication protocols, containment strategies, and recovery procedures so that breaches are handled promptly.
6. Employee Education and Training:
   • Continuously train employees in security awareness, including data protection best practices and the importance of safeguarding user and driver information, to prevent human-related incidents.
7. Vendor Assessment and Compliance:
   • Rigorously assess third-party vendors that have access to sensitive user and driver information against security standards, and require them to meet strict security requirements.
2017 Yahoo [24]
Access Control and Identity Management:
   • Implement strict access controls to limit user access to necessary data and services.
   • Enforce multi-factor authentication (MFA) to add an extra layer of security to user accounts.

This solution directly addresses unauthorized access and session hijacking, which was the primary method of the breach. Strong access controls and MFA can significantly improve user account security and reduce the risk of similar incidents. Note, though, that a forged or stolen session cookie is presented after login, so MFA alone does not stop it: the keys used to sign session cookies must be protected and every outstanding session invalidated once forgery is suspected. Yahoo should also conduct a thorough investigation to understand how the breach occurred and address the vulnerabilities that made the session hijacking possible.
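Since the Yahoo breach was carried out with forged session cookies, the relevant control is how the cookie itself is built and checked. The block below is an added example, not Yahoo's or the paper's code: it signs each cookie with HMAC-SHA256 under a server-only key, embeds an expiry and a per-user generation number, verifies the signature in constant time before trusting any field, and lets the server revoke every cookie a user holds by bumping that number. The cookie layout, the one-hour lifetime and the user names are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// SessionAuthority issues and checks session cookies. Only the holder of key
// can produce a valid signature, so a cookie cannot be forged from a leaked
// user ID alone, and generation lets the server cancel every cookie a user
// holds without storing each session individually.
type SessionAuthority struct {
	key        []byte
	ttl        int64          // seconds a cookie stays valid
	generation map[string]int // per-user counter, bumped to revoke
}

func NewSessionAuthority(key []byte, ttlSeconds int64) *SessionAuthority {
	return &SessionAuthority{key: key, ttl: ttlSeconds, generation: map[string]int{}}
}

func (s *SessionAuthority) sign(payload string) string {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Issue returns "<base64url user>.<generation>.<expiry>.<signature>" (assumed layout).
func (s *SessionAuthority) Issue(userID string, now int64) string {
	u := base64.RawURLEncoding.EncodeToString([]byte(userID))
	payload := fmt.Sprintf("%s.%d.%d", u, s.generation[userID], now+s.ttl)
	return payload + "." + s.sign(payload)
}

// Verify returns the user ID if the cookie is authentic, unexpired and from
// the user's current generation. The signature is checked first, in constant
// time, so no field of the payload is trusted before that.
func (s *SessionAuthority) Verify(cookie string, now int64) (string, error) {
	parts := strings.Split(cookie, ".")
	if len(parts) != 4 {
		return "", errors.New("malformed cookie")
	}
	payload := strings.Join(parts[:3], ".")
	if subtle.ConstantTimeCompare([]byte(s.sign(payload)), []byte(parts[3])) != 1 {
		return "", errors.New("bad signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	gen, err := strconv.Atoi(parts[1])
	if err != nil {
		return "", err
	}
	exp, err := strconv.ParseInt(parts[2], 10, 64)
	if err != nil {
		return "", err
	}
	if now >= exp {
		return "", errors.New("expired")
	}
	userID := string(raw)
	if gen != s.generation[userID] {
		return "", errors.New("revoked")
	}
	return userID, nil
}

// RevokeAll invalidates every cookie issued to the user so far, e.g. after a
// password reset or when forgery is suspected.
func (s *SessionAuthority) RevokeAll(userID string) { s.generation[userID]++ }

func main() {
	key := make([]byte, 32)
	rand.Read(key) // the real key lives in a secrets store, never in code
	s := NewSessionAuthority(key, 3600)
	c := s.Issue("alice", 1000000)
	fmt.Println(s.Verify(c, 1000100))
	fmt.Println(s.Verify(c+"x", 1000100))
	s.RevokeAll("alice")
	fmt.Println(s.Verify(c, 1000100))
}
```

The design only holds while the signing key stays secret; an attacker who obtains it can mint cookies for any user, which is why key custody and the ability to rotate the key and revoke all sessions are part of the control, not an afterthought.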

2021 LinkedIn [25]
Access Control and Identity Management:
   • Implement strict access controls to limit user access to necessary data and services.
   • Enforce multi-factor authentication (MFA) to add an extra layer of security to user accounts.

This solution is relevant because it directly addresses unauthorized access and helps limit scraping of user data. Strengthening access controls and implementing MFA improves the security of user accounts and reduces the risk of similar incidents. Because scraping is typically carried out through accounts the attacker legitimately holds, or against pages visible without login, LinkedIn should additionally monitor for suspicious activity such as one account viewing an abnormal number of profiles, employ intrusion detection systems and rate limiting, and take legal action against those involved in the scraping and sale of the data.
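The monitoring recommended for LinkedIn (and the detection of unusual account activity recommended for Dropbox) amounts to counting what an account or address does inside a time window. The block below is an added example, not LinkedIn's or the paper's code: it parses constructed access-log lines, keeps a sliding window per account and per IP address, and raises an alert when one account views at least 20 distinct profiles in 60 seconds or one address drives at least three distinct accounts in the same window. The log format, the thresholds and the sample traffic are all assumptions built for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

type Event struct {
	T    int64
	Acct string
	IP   string
	Path string
}

// Alert is raised at most once per offending account or IP address.
type Alert struct {
	Kind    string // "profile-enumeration" (account) or "shared-automation" (IP)
	Subject string
	Count   int
	At      int64
}

// parseLine reads the constructed format "<RFC3339> acct=<id> ip=<addr> GET <path>".
func parseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 5 || !strings.HasPrefix(f[1], "acct=") || !strings.HasPrefix(f[2], "ip=") {
		return Event{}, fmt.Errorf("unparseable line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, err
	}
	return Event{T: ts.Unix(), Acct: f[1][5:], IP: f[2][3:], Path: f[4]}, nil
}

// window holds one subject's events that are still inside the sliding window.
type window struct{ events []Event }

// add appends e, drops events older than cutoff, and returns how many distinct
// values of key remain: the per-window cardinality the thresholds apply to.
func (w *window) add(e Event, cutoff int64, key func(Event) string) int {
	w.events = append(w.events, e)
	i := 0
	for i < len(w.events) && w.events[i].T < cutoff {
		i++
	}
	w.events = w.events[i:]
	seen := map[string]bool{}
	for _, x := range w.events {
		seen[key(x)] = true
	}
	return len(seen)
}

// Analyze flags an account viewing at least maxViews distinct profiles within
// windowSec seconds and an IP driving at least maxAccounts distinct accounts
// within the same window. Only profile views (paths under /in/) are counted.
func Analyze(lines []string, windowSec int64, maxViews, maxAccounts int) ([]Alert, error) {
	var evs []Event
	for _, l := range lines {
		e, err := parseLine(l)
		if err != nil {
			return nil, err
		}
		if strings.HasPrefix(e.Path, "/in/") {
			evs = append(evs, e)
		}
	}
	sort.SliceStable(evs, func(i, j int) bool { return evs[i].T < evs[j].T })
	byAcct, byIP := map[string]*window{}, map[string]*window{}
	flagged := map[string]bool{}
	var alerts []Alert
	for _, e := range evs {
		cutoff := e.T - windowSec
		if byAcct[e.Acct] == nil {
			byAcct[e.Acct] = &window{}
		}
		if byIP[e.IP] == nil {
			byIP[e.IP] = &window{}
		}
		n := byAcct[e.Acct].add(e, cutoff, func(x Event) string { return x.Path })
		if n >= maxViews && !flagged["acct:"+e.Acct] {
			flagged["acct:"+e.Acct] = true
			alerts = append(alerts, Alert{Kind: "profile-enumeration", Subject: e.Acct, Count: n, At: e.T})
		}
		m := byIP[e.IP].add(e, cutoff, func(x Event) string { return x.Acct })
		if m >= maxAccounts && !flagged["ip:"+e.IP] {
			flagged["ip:"+e.IP] = true
			alerts = append(alerts, Alert{Kind: "shared-automation", Subject: e.IP, Count: m, At: e.T})
		}
	}
	return alerts, nil
}

// SampleLog is constructed input: one ordinary user, one account enumerating
// 25 profiles in 25 seconds, and one address logged in as four accounts.
func SampleLog() []string {
	base := time.Date(2021, 4, 6, 10, 0, 0, 0, time.UTC)
	var lines []string
	add := func(sec int, acct, ip, path string) {
		ts := base.Add(time.Duration(sec) * time.Second).Format(time.RFC3339)
		lines = append(lines, fmt.Sprintf("%s acct=%s ip=%s GET %s", ts, acct, ip, path))
	}
	add(0, "u100", "203.0.113.5", "/in/alice")
	add(15, "u100", "203.0.113.5", "/feed")
	add(40, "u100", "203.0.113.5", "/in/bob")
	for i := 0; i < 25; i++ {
		add(i, "u777", "192.0.2.44", fmt.Sprintf("/in/profile%03d", i))
	}
	for i, a := range []string{"u200", "u201", "u202", "u203"} {
		add(5+i, a, "198.51.100.9", "/in/carol")
	}
	return lines
}

func main() {
	alerts, err := Analyze(SampleLog(), 60, 20, 3)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s %s count=%d at=%d\n", a.Kind, a.Subject, a.Count, a.At)
	}
}
```

Counting distinct profiles rather than raw requests is deliberate: a user refreshing one page many times is not enumerating, while a scraper walking a list touches a new profile on every request. The per-IP rule catches automation that spreads its traffic across several low-rate accounts.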
Task 2)

Cloud Regulatory Bodies


7. The Federal Information Security Management Act (FISMA): FISMA is a U.S. federal law that
requires federal agencies to develop, document, and implement information security
programs. It establishes a framework for managing and securing government information
systems, including those that utilize cloud services.
8. Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is a set of security
standards designed to ensure that companies that accept, process, store, or transmit credit
card information maintain a secure environment. While it primarily focuses on payment card
data, its principles are relevant to cloud service providers handling such data.
9. Cybersecurity Maturity Model Certification (CMMC): CMMC is a framework developed by
the U.S. Department of Defense (DoD) to assess and enhance the cybersecurity posture of
defense contractors and subcontractors. It mandates specific cybersecurity practices for
organizations providing cloud services to the DoD.
10. Information Commissioner's Office (ICO): ICO is the UK's independent regulatory authority
for data protection and privacy. It plays a significant role in overseeing data protection and
privacy compliance, which includes cloud services operating within the UK. ICO enforces the
General Data Protection Regulation (GDPR) in the UK.
Name | Purpose | Link
1. European Union Agency for Cybersecurity (ENISA): enhances EU cybersecurity and provides cloud security guidelines. https://european-union.europa.eu/institutions-law-budget/institutions-and-bodies/search-all-eu-institutions-and-bodies/european-union-agency-cybersecurity-enisa_en
2. General Data Protection Regulation (GDPR): establishes strict data protection standards for personal data in the EU. https://gdpr-info.eu/
3. National Institute of Standards and Technology (NIST): offers a comprehensive cloud framework, including security and privacy guidelines. https://www.nist.gov/
4. International Organization for Standardization (ISO): sets global cloud-related standards for security and data protection. https://www.iso.org/home.html
5. Cloud Security Alliance (CSA): provides industry best practices and tools for cloud security. https://cloudsecurityalliance.org/
6. Federal Risk and Authorization Management Program (FedRAMP): standardizes security assessments for U.S. federal agency cloud adoption. https://www.fedramp.gov/
7. The Federal Information Security Management Act (FISMA): requires federal agencies to establish cloud security programs. https://www.techtarget.com/searchsecurity/definition/Federal-Information-Security-Management-Act
8. Payment Card Industry Data Security Standard (PCI DSS): ensures secure handling of credit card data within cloud services. https://www.pcisecuritystandards.org/
9. Cybersecurity Maturity Model Certification (CMMC): assesses and enhances cybersecurity for defense contractors and subcontractors. https://dodcio.defense.gov/CMMC/about/
10. Information Commissioner's Office (ICO): enforces data protection regulations, including GDPR, within the UK. https://ico.org.uk/
