2018’s headlines only underscored the need for robust data security. As if to add a whopping exclamation point to the end of the year, the massive Marriott/Starwood Resorts data breach (announced in November) saw an estimated 327-500 million records compromised.
With the relentless parade of breaches in the headlines (2018 saw over two billion records breached), money has been pouring into companies offering data security solutions. In 2018 alone, Chris Ahern, a principal at Strategic Cyber Ventures, estimates that “venture capitalists invested $5.3 billion in cybersecurity companies.” While he does not think 2019 will quite hit that number, there will likely still be a continued flow of cash to cybersecurity companies.
The stream of VC cash should signal good news for the average company trying to keep their sensitive data safe. This means that cybersecurity companies will have the money to innovate and bring to market the tools the infosec community needs to combat external and internal threats.
But there is an elephant in the room that could be lost by the wave of cash flowing into the infosec space. Namely: If companies do not follow cybersecurity best practices, no amount of innovative products is likely to help.
Why? Consider this: A recent survey conducted of SQL Server users at the 2018 PASS Summit last November saw that roughly 50% of those surveyed were not, or did not know if they were, encrypting their sensitive data at rest. Let that sink in. Roughly one out of two companies could not say with confidence that their sensitive data was protected while at-rest. Even though encryption for sensitive data at rest is a known best practice and now-a-days fairly easy to deploy (with Enterprise edition or a third-party vendor); half of all companies surveyed could not say that this fundamental practice was enforced.
A recent example of an organization not using data security best practices: the case of notorious drug lord, El Chapo. Joaquín Guzmán Loera, a.k.a. El Chapo, had hired Christian Rodriguez to develop an encrypted communications system. Everything was going well. The system worked flawlessly, giving El Chapo and his minions complete freedom to talk openly over the phone without fear of being listened to. In fact, there was no need to talk in code or only meet face-to-face. Or so they thought.
In truth, the FBI was listening in for a little more than a year. Authorities gathered “200 digital phone calls of him chatting with his underlings, planning ton-sized drug deals and even discussing illicit payoffs to Mexican officials.”
How was the FBI able to pull it off? They convinced the IT consultant to hand them his system’s secret encryption keys. That’s right, El Chapo’s once-invincible encrypted communications system was brought down because cryptographic best practices were not followed, namely: segregation of duties (the person who has access to the data should not have access to the keys and vice versa).
To circle back to the Marriott/Starwood Resorts data breach, in a statement they noted that, “for some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”
They can be lauded that the information was encrypted, but as they can’t rule out that “two components needed to decrypt” were not taken, this likely means that the encryption keys (one of the needed components for decryption) were possibly taken.
Let’s face it, if the encryption keys were properly managed, the potential for them being stolen along with the data would be highly unlikely. In speaking about the massive breach, John M. Simpson, Consumer Watchdog's Privacy and Technology Project Director, put it bluntly: “Currently many companies opt for inadequate data security because it's cheaper than the consequences of a data breach.”
If we are to get to a place where the data breach headlines become more scarce, it will be because companies take data security best practices seriously; not because we arm the IT staff with the latest data security wiz-bang.
That said, innovation in cybersecurity is essential. Not one dollar of the $5.3 billion invested in cybersecurity products last year should have gone elsewhere. We must make data security easier to deploy and more comprehensive in scope.
But if all companies do is chase the next hot tool without nailing down the fundamentals, the headlines will just keep coming. We must master the fundamentals and only then look for ways to make our work more efficient.