Comment: Grand Theft Data – How to Protect an Organization from Breaches

It is never a failure in one area that causes a breach – it is many vulnerabilities together that allow the damage to occur, says Eric Cole

When large-scale data breaches occur, it makes headline news and everyone talks about how bad the problem is. People get very uncomfortable; they feel vulnerable. Therefore, it is common practice to quickly identify one vulnerability as the cause of the compromise, and the company that experienced the breach offers a solution. Consumers immediately feel better, believing that a fix has been provided and that it won’t happen again in the future. However, these sentiments are not based in reality.

It is never a failure in one area that causes a breach – it is many vulnerabilities together that allow the damage to occur. If an organization looks for the smoking gun, or for a single cause of the compromise and fixes only that problem, then its assets will be compromised again.

It is important to point out that no matter what an organization does, it will be targeted, it will be attacked and it will potentially be compromised. Saying an organization will never suffer a security breach is as naïve as saying that a person will never get sick. Everyone knows they will eventually get sick. We don’t approach life believing we will never become sick; instead, most people seek to minimize the frequency and impact an illness has on their lives. Organizations need to take the same approach to security. They have to recognize that attacks will occur and focus on minimizing the frequency of attacks and the overall impact they have on their customers.

For organizations to provide proper security, let’s look at why breaches occur and, more importantly, what organizations can do to protect themselves.

First, focus on asset inventory. An organization cannot protect what they do not know is plugged into their network. An organization must have an accurate, up-to-date network diagram, translated into a network visibility map, showing all devices that are plugged into the network, including ports and services that are running on each system.

Second, configuration management must be applied to all devices connected to the network. Weaknesses in one system are often used as a pivot point to compromise and break into other systems on the network. It only takes one misconfigured device from one vendor to weaken the overall security posture of an organization. 

Third, strict change control must be applied for all devices. All changes must go through the change control board (CCB). If changes are made to an asset on a network without verification of the change, it could have a negative impact on security. This includes all devices – even devices controlled by outside vendors. If a vendor makes a change to a device on an organization’s network that the organization is not aware of, it could be used as an initial point of entry by an adversary.
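The first three items (asset inventory, configuration management and change control) all reduce to one mechanical check: compare what the change control board has approved against what a discovery scan actually finds on the wire, and treat every difference as either an inventory gap or an unapproved change. The script below is an added example, not code from the article or from the author; the baseline, the scan rows and the host names are constructed data, and in practice the scan rows would come from an nmap grepable export or a CMDB feed. The baseline deliberately contains a database host that does not answer, so the script also shows how stale inventory surfaces.

```python
"""Inventory and configuration drift check (constructed example).

Compares an approved asset baseline against the latest discovery scan and
reports anything that was plugged in or changed without a change ticket.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Service:
    port: int
    proto: str  # "tcp" or "udp"
    name: str


@dataclass
class Host:
    ip: str
    owner: str  # team or vendor responsible for the device
    services: frozenset = field(default_factory=frozenset)


# Approved baseline, as the CCB last signed it off (constructed data).
BASELINE = {
    "10.0.1.10": Host("10.0.1.10", "web-team", frozenset({Service(443, "tcp", "https")})),
    "10.0.1.20": Host("10.0.1.20", "db-team", frozenset({Service(5432, "tcp", "postgresql")})),
    "10.0.2.5": Host("10.0.2.5", "hvac-vendor", frozenset({Service(502, "tcp", "modbus")})),
}

# What the latest discovery scan actually found (constructed data).
SCAN_RESULTS = [
    ("10.0.1.10", 443, "tcp", "https"),
    ("10.0.1.10", 22, "tcp", "ssh"),            # port opened without a change ticket
    ("10.0.2.5", 502, "tcp", "modbus"),
    ("10.0.2.5", 80, "tcp", "http"),            # vendor enabled a web UI nobody approved
    ("10.0.3.99", 445, "tcp", "microsoft-ds"),  # host nobody knows about
]


def scan_to_hosts(rows):
    """Group flat scan rows into {ip: frozenset(Service)}."""
    found = {}
    for ip, port, proto, name in rows:
        found.setdefault(ip, set()).add(Service(port, proto, name))
    return {ip: frozenset(svcs) for ip, svcs in found.items()}


def find_drift(baseline, scanned):
    """Return the three kinds of drift a change control board cares about.

    unknown_hosts: on the wire but not in the baseline (inventory gap)
    missing_hosts: in the baseline but not responding (stale inventory or outage)
    unapproved:    {ip: set(Service)} listening without an approved change
    """
    unknown_hosts = sorted(set(scanned) - set(baseline))
    missing_hosts = sorted(set(baseline) - set(scanned))
    unapproved = {}
    for ip, host in baseline.items():
        extra = scanned.get(ip, frozenset()) - host.services
        if extra:
            unapproved[ip] = extra
    return unknown_hosts, missing_hosts, unapproved


def report(baseline, rows):
    """Render drift as one actionable line per finding."""
    unknown, missing, unapproved = find_drift(baseline, scan_to_hosts(rows))
    lines = []
    for ip in unknown:
        lines.append(f"UNKNOWN HOST {ip}: not in inventory, treat as untrusted until identified")
    for ip in missing:
        lines.append(f"MISSING HOST {ip}: in inventory but not seen; verify decommission ticket")
    for ip, svcs in unapproved.items():
        owner = baseline[ip].owner
        for s in sorted(svcs, key=lambda s: s.port):
            lines.append(f"UNAPPROVED SERVICE {ip} {s.port}/{s.proto} ({s.name}): no CCB record, owner={owner}")
    return lines


if __name__ == "__main__":
    for line in report(BASELINE, SCAN_RESULTS):
        print(line)
```

Run on a schedule, the output is the list of items the CCB has to either approve retroactively or have removed; an unknown host or an unapproved listener on a vendor-managed device is exactly the unverified change the paragraph above warns about.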

Fourth, detailed data discovery needs to be performed to identify where critical data is located within an organization. Adversaries are after critical, sensitive information. If an organization does not know where its intellectual property is located, then it cannot protect what it does not know about. Many organizations know the primary location of their critical data, but they do not realize that it also resides in other areas, or sits unencrypted in memory on front-end systems.
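Data discovery in practice means scanning everything, including exports, dumps and front-end systems, for the data you believe lives only in the back end. The scanner below is an added example, not code from the article or from the author. It looks for payment card numbers, US social security numbers and e-mail addresses, and uses the Luhn checksum to separate real card numbers from 16-digit order or session identifiers that would otherwise flood the report. The three "files" (a CRM export, a heap dump from a web server, and a readme) are constructed inline so the script runs offline; the card and SSN values are standard test numbers, not real data.

```python
"""Sensitive-data discovery scanner (constructed example)."""
import re

# PAN regex is deliberately loose (13-19 digits with optional separators);
# the Luhn check below does the real filtering.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample corpus: path -> contents.
SAMPLE_FILES = {
    # The place everyone knows card data lives.
    "crm/export.csv": (
        "id,name,email,card\n"
        "1,Ann,ann@example.com,4111 1111 1111 1111\n"   # Luhn-valid test PAN
        "2,Bob,bob@example.com,1234567890123456\n"      # 16 digits but fails Luhn: not a PAN
    ),
    # The place nobody expects it: unencrypted in memory on a front-end host.
    "web01/heapdump.txt": "... session=abc; pan=5500000000000004; ssn=123-45-6789 ...",
    "docs/readme.txt": "Order 2024-00123 shipped. Contact ops@example.com.",
}


def luhn_ok(digits):
    """Luhn checksum: from the right, double every second digit, subtract 9 if >9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four digits so the report itself is not sensitive."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive(text):
    """Return [(kind, masked_value)] for every hit in one blob of text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("PAN", mask(digits)))
    for m in SSN_RE.finditer(text):
        hits.append(("SSN", mask(m.group())))
    for m in EMAIL_RE.finditer(text):
        hits.append(("EMAIL", m.group()))
    return hits


def scan_files(files):
    """Map each path that contains sensitive data to its findings."""
    results = {}
    for path, content in files.items():
        hits = find_sensitive(content)
        if hits:
            results[path] = hits
    return results


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for kind, value in hits:
            print(f"{path}: {kind} {value}")
```

The heap dump finding is the interesting one: the card number and SSN are in a process memory snapshot on a web front end, which is exactly the secondary location the paragraph above says organizations overlook. A real deployment would walk file shares, databases and memory images rather than an inline dictionary, and would add patterns for the organization's own intellectual property.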

Fifth, a key motto in security is that prevention is ideal, but detection is a must. Organizations need to recognize that today’s attacks are stealthy, targeted and data-focused, which means they will not be able to prevent all attacks. Timely detection is critical. Careful analysis of the logs with a well-deployed SIEM (security information and event management) system can identify anomalies and allow a more timely reaction to a compromise.
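What a SIEM actually does with the logs is correlate events over time rather than look at them one by one. The script below is an added example, not code from the article or from the author, of the kind of rule a SIEM runs: it parses sshd authentication lines, raises a HIGH alert when one source produces a burst of failures inside a sliding window, and escalates to CRITICAL when that same source then logs in successfully, since a password guessed after a burst is a compromise in progress rather than a nuisance. The log lines, host name and addresses are constructed; the timestamp format is ISO 8601 rather than raw syslog so the example stays short.

```python
"""Failed-login burst and success-after-burst detection (constructed example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample: a password-guessing run that succeeds, then a user who
# mistypes once at the start of the working day.
SAMPLE_LOG = """\
2015-03-10T02:14:01 web01 sshd[1201]: Failed password for admin from 203.0.113.5 port 51234 ssh2
2015-03-10T02:14:03 web01 sshd[1202]: Failed password for admin from 203.0.113.5 port 51235 ssh2
2015-03-10T02:14:04 web01 sshd[1203]: Failed password for root from 203.0.113.5 port 51236 ssh2
2015-03-10T02:14:06 web01 sshd[1204]: Failed password for invalid user oracle from 203.0.113.5 port 51237 ssh2
2015-03-10T02:14:08 web01 sshd[1205]: Failed password for admin from 203.0.113.5 port 51238 ssh2
2015-03-10T02:14:11 web01 sshd[1206]: Accepted password for admin from 203.0.113.5 port 51239 ssh2
2015-03-10T09:01:15 web01 sshd[1300]: Failed password for jsmith from 10.0.1.42 port 40001 ssh2
2015-03-10T09:01:40 web01 sshd[1301]: Accepted password for jsmith from 10.0.1.42 port 40002 ssh2
"""


def parse(text):
    """Turn raw log lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "host": m["host"],
                "ok": m["result"] == "Accepted",
                "user": m["user"],
                "src": m["src"],
            })
    return events


def detect(events, threshold=5, window=timedelta(seconds=60),
           success_grace=timedelta(minutes=5)):
    """Return [(severity, source_ip, message)] in time order.

    HIGH:     >= threshold failures from one source inside `window`
    CRITICAL: a successful login from that source within `success_grace`
              of crossing the threshold
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    burst_at = {}                  # src -> time the threshold was first crossed
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, ts = ev["src"], ev["ts"]
        q = failures[src]
        if ev["ok"]:
            if src in burst_at and ts - burst_at[src] <= success_grace:
                alerts.append(("CRITICAL", src,
                               f"successful login as {ev['user']} after {len(q)} failures"))
            continue
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and src not in burst_at:
            burst_at[src] = ts
            alerts.append(("HIGH", src, f"{len(q)} failed logins within {window.seconds}s"))
    return alerts


if __name__ == "__main__":
    for severity, src, msg in detect(parse(SAMPLE_LOG)):
        print(f"{severity} {src}: {msg}")
```

The single failure from 10.0.1.42 never reaches the threshold, so the legitimate user generates no alert; the value of the rule is in the second stage, where a success that would look routine on its own is tied back to the burst that preceded it.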

Finally, organizations need to reduce the impact of an attack. This is done through highly segmented and firewalled VLANs. In many organizations, once an attacker compromises an internal system, they can access any other device on the network. This gives the adversary too much visibility and leads to large-scale damage. Networks need to be broken down into different trust levels and segmented, with traffic filtered between each of the different networks.

In addition to heavily segmented networks, to reduce the impact of an attack, organizations need to focus on supply chain verification. As organizations rely more on devices that are manufactured by third parties, they need to verify the security of those devices and where the components came from. An organization is only as strong as its weakest link, and adversaries are targeting the supply chain and using that as a point of compromise.

While security takes energy and effort, if organizations focus on the right areas they can greatly reduce the impact of an attack. One of the best game changers for an organization is to make sure the business is aligned with security, and everyone has a unified focus. To do this, create a single slide that has three columns on it. In the first column list the critical assets for the organization and the business processes that support them. In the second column list the threats that have the highest likelihood of occurring. In the third column list the vulnerabilities that have the biggest impact. By creating this chart, an organization can identify its biggest exposure points and can use this as the roadmap for improving security.

Dr. Eric Cole is an industry-recognized security expert with over 20 years of hands-on experience. He is a Fellow and Cyber Defense Lead at the SANS Institute, and founder of Secure Anchor Consulting, where he provides state-of-the-art security services and expert witness work.