An Expert Reporter Interviewed Security Experts to Come Up with 6 Lessons Learned from Past Data Breaches That Could Help Stop Future Ones
Einstein said “The only source of knowledge is experience,” while Oscar Wilde observed that “Experience is simply the name we give our mistakes.”
When it comes to data breaches, both Einstein and Wilde are right on target (the reference to Target here is purely coincidental…maybe). Anyway, without mistakes there wouldn’t be breaches. But from those breaches comes the experience needed to avoid the same mistakes in the future.
In her piece on csoonline.com, Maria Korolov, a veteran tech reporter, interviewed a number of security professionals to pass along what they learned from studying the many high-profile breaches that retailers, banks, consumers, government agencies et al. have suffered. The following has been excerpted from her piece and edited to fit our format. The full article is available on csoonline.com.
1. It’s time to take staffing seriously
The biggest security hole in information security might not be technical at all.
“Roughly 40 percent of security roles are vacant in 2014,” said Jacob West, CTO of Hewlett Packard’s Enterprise Security Products. “And when you look at senior security roles, that vacancy rate is nearly 49 percent. No matter what technology we use, no matter how we try to secure our systems, if we’re going into this war with almost half of our army unstaffed, we’re going to see our adversaries be successful.”
West was referring to a study published this spring by the Ponemon Institute and sponsored by HP, which also showed that 70 percent of respondents said that their security organizations were understaffed. The chief reason? According to 43 percent of respondents, the organizations weren’t offering competitive salaries.
Companies might want to reconsider their security staffing budgets in the wake of another Ponemon study, sponsored by IBM and published in May, which showed that the average total cost of a data breach increased 15 percent to $3.5 million, and the average cost paid for each lost or stolen record containing sensitive and confidential information increased more than 9 percent from $136 in 2013 to $145 in this year’s study.
2. Know your code
Over the past 10 years, many organizations have adopted software security best practices, building in security at a fundamental level. However, that only applies to code they write themselves.
“One of the big points that was really brought to light this year …is that enterprises don’t write the majority of software themselves,” said HP’s West. “Software is in fact composed rather than written. We take commercial components and open source components and build a little bit of proprietary on top of that.”
As a result, when a vulnerability was disclosed in a widely used SSL library, some organizations spent weeks, even months, trying to inventory their systems and figure out where they had deployed the vulnerable version.
Organizations need to start with a thorough understanding of what applications they’re using, where and how they’re using them, and their relative importance. Automated scanning systems might help with some of this, but at the end of the day, “the rubber has to hit the road,” West said. “It takes human effort.”
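The inventory step West describes is where the human effort goes, but the matching itself can be automated once the inventory exists. The script below is an added example (not code from the CSO article, HP or ThreatMetrix): it takes a constructed component inventory, normalizes the different names package managers report for one library, and lists every deployment whose version falls inside an affected range, ordered by business criticality so the fix list starts with what matters. The library name "examplessl", the version range and the hosts are all constructed for illustration; in practice the range comes from the vendor advisory and the inventory from package-manager data or a software bill of materials.

```python
"""Find every deployment of a component whose version is in an affected range.

Added example. The inventory, the library name "examplessl" and the
affected range 1.0.1 through 1.0.1f are constructed test data, not taken
from any real advisory.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    app: str          # application or service bundling the library
    host: str         # where that application is deployed
    name: str         # library name as the package manager reports it
    version: str      # version string as reported
    criticality: int  # 1 = most important to the business


def parse_version(v: str) -> tuple:
    """'1.0.1f' -> ((1, ''), (0, ''), (1, 'f')).

    Each dotted piece becomes (number, letter_suffix) so that plain tuple
    comparison gives 1.0.1 < 1.0.1f < 1.0.1g < 1.0.2 and never compares an
    int with a str (which would raise TypeError).
    """
    parsed = []
    for piece in v.strip().split("."):
        i = 0
        while i < len(piece) and piece[i].isdigit():
            i += 1
        parsed.append((int(piece[:i]) if i else 0, piece[i:]))
    return tuple(parsed)


def normalize_name(name: str) -> str:
    """Collapse the naming drift seen across package managers:
    'examplessl', 'libexamplessl', 'libexamplessl1', 'ExampleSSL' -> 'examplessl'."""
    n = name.lower()
    if n.startswith("lib"):
        n = n[3:]
    return n.rstrip("0123456789")


def find_affected(inventory, lib, first_bad, last_bad):
    """Return deployments of `lib` with first_bad <= version <= last_bad,
    most critical first."""
    lo, hi = parse_version(first_bad), parse_version(last_bad)
    target = normalize_name(lib)
    hits = [c for c in inventory
            if normalize_name(c.name) == target
            and lo <= parse_version(c.version) <= hi]
    return sorted(hits, key=lambda c: (c.criticality, c.app, c.host))


# Constructed inventory: the kind of list an organization assembles by hand
# from package managers, build manifests and vendor questionnaires.
INVENTORY = [
    Component("customer-portal", "web-01", "libexamplessl1", "1.0.1e", 1),
    Component("customer-portal", "web-02", "libexamplessl1", "1.0.1e", 1),
    Component("payments-api",    "api-01", "examplessl",     "1.0.1f", 1),
    Component("intranet-wiki",   "wiki-01", "examplessl",    "1.0.1g", 3),  # already on the fixed release
    Component("legacy-reports",  "rpt-01", "examplessl",     "0.9.8y", 3),  # older branch, outside the range
    Component("vpn-gateway",     "vpn-01", "ExampleSSL",     "1.0.1",  1),  # first affected release
    Component("build-server",    "ci-01",  "exampletls",     "1.0.1c", 2),  # different library, similar version
]


def report(inventory=INVENTORY):
    """Fix list as (criticality, app, host, version) rows."""
    affected = find_affected(inventory, "examplessl", "1.0.1", "1.0.1f")
    return [(c.criticality, c.app, c.host, c.version) for c in affected]


if __name__ == "__main__":
    for row in report():
        print(row)
```

Two details carry the lesson: the version parser has to understand the library's own numbering scheme (a letter suffix here) or it will silently miss or over-report deployments, and the name normalization is a stand-in for the reconciliation work that, as West says, still takes human effort.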
3. Pen tests are lies
Penetration tests are a common part of security audits. In fact, they’re required under the Payment Card Industry Data Security Standard.
“Every single company that’s been breached has had a penetration test report that says that people can’t get in – or if they can get in, it’s not important,” said J.J. Thompson, CEO of Rook Security, a penetration testing company in Indianapolis.
So why aren’t penetration tests exposing potential security holes so that companies can fix them?
“It’s very simple,” said Thompson. “Penetration test reports are generally lies.”
Or, to be less blunt, penetration testers are more constrained in what they can and cannot do, compared to actual hackers. “You can’t impersonate someone because that’s not how we do things here,” Thompson said. “You can’t set up a phishing site associated with a Facebook profile because that’s going too far.”
Actual hackers – who are already breaking the law anyway, by hacking into a company – might not be averse to breaking other laws, as well. A white hat security firm might be less willing to, say, get into a company by going after the systems of its customers or vendors. Or impersonate government officials, or damage equipment, or hijack actual social media accounts owned by friends or family members of company employees.
4. Physical security, meet cybersecurity
Agents of a foreign group recently went after an organization on the East Coast, circumventing firewalls, extracting data on its leadership, and getting information about upcoming events – and the facilities where those events would be taking place.
“Authorities believed it was part of the pre-operational planning of the group,” said John Cohen, who until recently was the anti-terrorism coordinator and acting undersecretary for intelligence and analysis at the Department of Homeland Security.
“There’s a blending together of physical security and cybersecurity,” said Cohen, who is now the chief strategy adviser at Frisco, Texas-based security vendor Encryptics LLC.
It can go the other way, too, with a physical break-in opening the way to digital theft via compromised equipment.
Enterprise security must become more holistic. The thieves who broke into a field office could have been looking for easy-to-fence electronics, or they could have been planting keyloggers.
5. Plan for failure, Part 1
If you knew with certainty that hackers were going to get into your systems, what would you do differently? After this year’s high-profile breaches, a lot of people are asking themselves that question, and starting to look at security differently.
“The way that I look at it, and the people I talk to on a day to day basis look at it, there’s a switch in mentality,” said Scott Barlow, the chair of CompTIA’s IT Security Community and vice president of product management at Boston’s Reflexion Networks, Inc. “Businesses are assuming that their data will be exposed, or is already exposed, and they’re taking steps.” Those steps include encrypting data on employee desktops, in file servers, even email.
And a process called tokenization replaces bank card numbers with randomly generated codes, or tokens, even before they leave point of sale devices. Only the payment processor knows the real numbers – the retailers get tokens, which are completely worthless to any hackers who break into their systems.
That turns the payment processors into targets – but then, they always have been.
“Guys are already going after us,” said Paul Kleinschnitz, senior vice president and general manager of Cyber-security Solutions for FirstData, which accounts for about 40 percent of the payment processing in the U.S.
Meanwhile, the Targets and the Home Depots will be insulated from the risk of losing the payment data.
“We are pulling that burden away from the merchants and managing it,” Kleinschnitz said.
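To make the tokenization model concrete, here is an added example (not code from the CSO article, First Data or ThreatMetrix) with the two parties as two classes: a processor-side vault that is the only place a token can be turned back into a card number, and a merchant point of sale that stores and forwards tokens only. The card numbers, customer names, token format and the in-process call standing in for the network hop to the processor are all assumptions made for the example.

```python
"""Payment tokenization: the merchant keeps tokens, the processor keeps the vault.

Added example. The ProcessorVault and MerchantPOS classes, the "tok_" token
format and the test card numbers are constructed for illustration.
"""
import secrets


class ProcessorVault:
    """Held by the payment processor. The only place a token maps back to a
    primary account number (PAN)."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}  # one token per card, so a repeat customer is recognizable

    @staticmethod
    def luhn_ok(pan: str) -> bool:
        """True for a syntactically valid card number (all digits, 12-19 long,
        Luhn checksum passes). Used both to validate input and, below, to
        detect card numbers in a data dump."""
        digits = [int(c) for c in pan if c.isdigit()]
        if len(digits) != len(pan) or not 12 <= len(digits) <= 19:
            return False
        total = 0
        for i, d in enumerate(reversed(digits)):
            if i % 2 == 1:          # double every second digit from the right
                d *= 2
                if d > 9:
                    d -= 9
            total += d
        return total % 10 == 0

    def tokenize(self, pan: str) -> str:
        """Issue a random token for a PAN. Random rather than derived from the
        PAN: there is no key to steal and nothing for an attacker to invert."""
        if not self.luhn_ok(pan):
            raise ValueError("invalid card number")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            token = "tok_" + secrets.token_hex(16)
            if token not in self._token_to_pan:   # collision guard
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor ever does this, when it actually settles a payment."""
        return self._token_to_pan[token]


class MerchantPOS:
    """The retailer's side: the PAN is sent once to the processor for tokenization
    and never written to the merchant's own records."""

    def __init__(self, vault: ProcessorVault):
        self._vault = vault   # stands in for the call to the processor's API
        self.orders = []      # what a breach of the merchant would expose

    def checkout(self, customer: str, pan: str, amount_cents: int) -> str:
        token = self._vault.tokenize(pan)
        self.orders.append({"customer": customer, "token": token,
                            "amount_cents": amount_cents})
        return token


def stored_card_numbers(merchant: MerchantPOS) -> list:
    """What an attacker who dumps the merchant's order table would get:
    every stored string that passes the card-number check."""
    return [v for order in merchant.orders for v in order.values()
            if isinstance(v, str) and ProcessorVault.luhn_ok(v)]


def demo():
    """Three purchases, two customers; returns the vault, the POS and the tokens."""
    vault = ProcessorVault()
    pos = MerchantPOS(vault)
    t1 = pos.checkout("alice", "4111111111111111", 1999)  # constructed test PAN
    t2 = pos.checkout("bob",   "5555555555554444", 4500)  # constructed test PAN
    t3 = pos.checkout("alice", "4111111111111111", 250)   # repeat customer, same token
    return vault, pos, (t1, t2, t3)


if __name__ == "__main__":
    vault, pos, tokens = demo()
    print("merchant order table:", pos.orders)
    print("card numbers recoverable from it:", stored_card_numbers(pos))
```

The check at the end is the whole point of lesson 5: dumping the merchant's order table yields tokens that are, as the article says, worthless without the vault, and the vault lives with the processor, which is why the processor becomes the target instead.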
6. Plan for failure, Part 2
If JP Morgan can be breached, every company is vulnerable. “Even if you have the best security in place, there’s still a chance that you may be breached,” said Peter Toren, an attorney specializing in computer crimes at Washington D.C. law firm Weisbrod Matteis & Copley. Toren was also a federal prosecutor for eight years, in the Justice Department’s computer crimes division.
How a company reacts to that breach can make a big difference.
Both Target’s CEO and CIO lost their jobs this spring as a result of the problems the company had in dealing with the consequences of the breach late last year that exposed some 40 million payment card accounts.
“It came out in drips,” said Toren. “It was the death of a thousand cuts.”
Companies need to be prepared to deal with a breach transparently and promptly – and preparations have to start long before a breach ever happens.
“They need to have a plan in place and work with a public relations firm beforehand,” he said. “Not just bring one in after the horse is out of the barn.”
ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.
ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.
The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.
For more information, visit www.threatmetrix.com or call 1-408-200-5755.