I am talking about the hacks based on obtaining user credentials with a phishing attack or social engineering. For example, the recent Anthem breach (80MM health records stolen) took advantage of a name change in the company (formerly WellPoint) and set up a bogus site with a similar sounding name, but the L was replaced with a 1. They eventually got a sysadmin at Anthem to log in to the fake site, and then they had the necessary credentials to log in and start copying unencrypted records to a cloud storage location at a slow enough pace not to alarm other indicators. It was finally discovered when the sysadmin noticed a recent login that they knew they didn't make.
Another is exploiting zero-day weaknesses that are published at the time of software release. The Target point-of-sale exploit took advantage of a known defect and exploited it with a vendor login having decreased privileges, but sufficient to put the skimming software at the point of sale. Many exploits are remarkably successful months after a fix is available. For instance, the SQL Slammer worm in 2003 shut down the internet within 15 minutes of being released by exploiting a published weakness that had been known for months. Too many users failed to patch their MS SQL Servers and MSDE instances, and the rest is history.
Very few breaches are at the level of sophistication you see in Stuxnet, which is still a problem for Microsoft and IE. That virus targeted a specific Siemens PLC known to be used in Iranian nuclear processing plants. Since they did not adhere to what nuclear engineers refer to as "separation criteria," all of their PLCs were incapacitated. (Separation criteria would dictate that two channels in every critical system use separate technology and are physically separated.) For us, there are a few single points of failure that could cause problems; namely, a worm in MongoDB or Node.js would shut us down. An extremely high-reliability installation would use Couchbase (for instance) on AWS as a backup to MongoDB running on a Windows Azure VM, both "channels" using separate technologies, ideally.
But I am not a security specialist. I do rely on the Krebs website for the latest on what is happening in security issues.
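The lookalike-domain trick the post describes (a brand name with the L swapped for a 1) is something a defender can screen for on the egress side. The following is an added example, not code from the commenter or from any of the companies named: it undoes common character substitutions and reports any hostname in a proxy log that collapses onto a protected brand domain. The protected-domain list, the substitution table and the log lines are constructed for the illustration, and the "registrable domain" helper is a deliberately crude last-two-labels approximation.

```python
# Confusable-character map used to normalise a hostname label before comparing it
# with protected brand domains. Multi-character keys are applied first so that
# "rn" -> "m" wins over the single-character rules. (Constructed, not exhaustive.)
CONFUSABLES = {
    "vv": "w",
    "rn": "m",
    "cl": "d",
    "1": "l",
    "|": "l",
    "!": "l",
    "0": "o",
    "3": "e",
    "5": "s",
}

# Brand domains we want to protect. Constructed for the example.
PROTECTED = {"wellpoint.com", "anthem.com"}


def normalize(label: str) -> str:
    """Lower-case the label and undo the substitutions in CONFUSABLES."""
    s = label.lower()
    for key in sorted(CONFUSABLES, key=len, reverse=True):
        s = s.replace(key, CONFUSABLES[key])
    return s


def registrable(host: str) -> str:
    """Crude registrable-domain extraction: keep the last two labels.
    Assumption: no multi-label public suffixes (co.uk etc.) in the input."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def lookalike_of(host: str):
    """Return the protected domain that `host` imitates, or None.

    An exact protected domain is not a lookalike, so it returns None."""
    base = registrable(host)
    if base in PROTECTED:
        return None
    norm = normalize(base)
    return norm if norm in PROTECTED else None


def flag_log(lines):
    """Scan constructed proxy-log lines of the form '... host=<name> ...' and
    return (observed_host, imitated_domain) pairs for every lookalike seen."""
    hits = []
    for line in lines:
        for token in line.split():
            if token.startswith("host="):
                observed = token[len("host="):]
                imitated = lookalike_of(observed)
                if imitated is not None:
                    hits.append((observed, imitated))
    return hits


# Constructed sample log lines for the demonstration.
SAMPLE_LOG = [
    "2015-02-01T09:12:03Z user=alice host=mail.wellpoint.com path=/owa",
    "2015-02-01T09:14:41Z user=bob host=login.we11point.com path=/sso",
    "2015-02-01T09:15:10Z user=carol host=anthern.com path=/",
    "2015-02-01T09:16:55Z user=dave host=example.com path=/news",
]

if __name__ == "__main__":
    for observed, imitated in flag_log(SAMPLE_LOG):
        print(f"lookalike: {observed} imitates {imitated}")
```

Run against a real proxy or DNS log the same way, feeding one line per entry; matches are worth an alert rather than an automatic block, since the substitution table will occasionally collapse an unrelated name onto a brand.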