According to the Open Security Foundation, three out of 10 of the all-time worst security breaches happened this year. That includes 173 million records from the NYC Taxi & Limousine Commission, 145 million records at Ebay, and 104 million records from the Korea Credit Bureau. And that’s not counting the 1.2 billion user names and passwords reportedly stolen by Russian hackers, or the 220 million records recently discovered stolen from gaming sites in South Korea.
2014 is well on its way to replace 2013 as the highest year on record for exposed records, according to the Open Security Foundation and Richmond, Vir.-based Risk Based Security Inc.If we learn from our mistakes, then this year should be a banner year in security education.
Here are some lessons:
1. It’s time to take staffing seriously
The biggest security hole in information security might not be technical at all.
“Roughly 40 percent of security roles are vacant in 2014,” said Jacob West, CTO of Hewlett Packard’s Enterprise Security Products. “And when you look at senior security roles, that vacancy rate is nearly 49 percent. No matter what technology we use, no matter how we try to secure our systems, if we’re going into this war with almost half of our army unstaffed, we’re going to see our adversaries be successful.”
West was referring to a study published this spring by the Ponemon Institute and sponsored by HP, which also showed that 70 percent of respondents said that their security organizations were understaffed. The chief reason? According to 43 percent of respondents, the organizations weren’t offering competitive salaries.
Companies might want to reconsider their security staffing budgets in the wake of another Ponemon study, sponsored by IBM and published in May, which showed that the average total cost of a data breach increased 15 percent to $3.5 million, and the average cost paid for each lost or stolen record containing sensitive and confidential information increased more than 9 percent from $136 in 2013 to $145 in this year’s study.
2. Know your code
Over the past 10 years, many organizations have adopted software security best practices, building in security at a fundamental level.
However, that only applies to code they write themselves.
“One of the big points that was really brought to light this year — and vulnerabilities like Shellshock and Heartbleed really made this point — is that enterprises don’t write the majority of software themselves,” said HP’s West. “Software is in fact composed rather than written. We take commercial components and open source components and build a little bit of proprietary on top of that.”
As a result, some organizations spent weeks – even months – trying to inventory their systems and figure out where they’d used the vulnerable version of SSL.
Organizations need to start with a thorough understanding of what applications they’re using, where and how they’re using them, and their relative importance. Automated scanning systems might help with some of this, but at the end of the day, “the rubber has to hit the road,” West said. “It takes human effort.”
3. Pen tests are lies
Penetration tests are a common part of security audits. In fact, they’re required under the Payment Card Industry Data Security Standard.
“Every single company that’s been breached has had a penetration test report that says that people can’t get in – or if they can get it, it’s not important,” said J.J. Thompson, CEO of Rook Security, a penetration testing company in Indianapolis.
So why aren’t penetration tests exposing potential security holes so that companies can fix them?
“It’s very simple,” said Thompson. “Penetration test reports are generally lies.”
Or, to be less blunt, penetration testers are more constrained in what they can and cannot do, compared to actual hackers.
“You can’t impersonate someone because that’s not how we do things here,” Thompson said. “You can’t set up a phishing site associated with a Facebook profile because that’s going too far.”
Actual hackers – who are already breaking the law anyway, by hacking into a company – might not be averse to breaking other laws, as well. A white hat security firm might be less willing to, say, get into a company by going after the systems of its customers or vendors. Or impersonate government officials, or damage equipment, or hijack actual social media accounts owned by friends or family members of company employees.
4. Physical security, meet cybersecurity
Agents of a foreign group recently went after an organization on the East Coast, circumventing firewalls, extracting data on its leadership, and getting information about upcoming events – and the facilities where those events would be taking place.
“Authorities believed it was part of the pre-operational planning of the group,” said John Cohen, who until recently was the anti-terrorism coordinator and acting undersecretary for intelligence and analysis at the Department of Homeland Security.
“There’s a blending together of physical security and cybersecurity,” said Cohen, who is now the chief strategy adviser at Frisco, Texas-based security vendor Encryptics LLC.
It can go the other way, too, with a physical break-in opening the way to digital theft via compromised equipment.
Enterprise security must become more holistic. The thieves who broke into a field office could have been looking for easy-to-fence electronics, or they could have been planting keyloggers.
5. Plan for failure, Part 1
“The way that I look at it, and the people I talk to on a day to day basis look at it, there’s a switch in mentality,” said Scott Barlow, the chair of the CompTIA’s IT Security Community and vice president of product management at Boston’s Reflexion Networks, Inc. “Businesses are assuming that their data will be exposed, or is already exposed, and they’re taking steps.”
Those steps include encrypting data on employee desktops, in file servers, even email.
And a process called tokenization replaces bank card numbers with randomly generated codes, or tokens, even before they leave point of sale devices. Only the payment processor knows the real numbers – the retailers get tokens, which are completely worthless to any hackers who break into their systems.
That turns the payment processors into targets – but then, they always have been.
“Guys are already going after us,” said Paul Kleinschnitz, senior vice president and general manager of Cyber-security Solutions for FirstData, which accounts for about 40 percent of the payment processing in the U.S.
Meanwhile, the Targets and the Home Depots will be insulated from the risk of losing the payment data.
“We are pulling that burden away form the merchants and managing it,” Kleinschnitz said.
6. Plan for failure, Part 2
If JP Morgan can be breached, every company is vulnerable.
“Even if you have the best security in place, there’s still a chance that you may be breached,” said Peter Toren, an attorney specializing in computer crimes at Washington D.C. law firm Weisbrod Matteis & Copley. Toren was also a federal prosecutor for eight years, in the Justice Department’s computer crimes division.
How a company reacts to that breach can make a big difference.
Both Target’s CEO and CIO lost their jobs this spring as a result of the problems the company had in dealing with the consequences of its 40 million payment card accounts breach late last year.
“It came out in drips,” said Toren. “It was the death of a thousand cuts.”
Companies need to be prepared to deal with a breach transparently and promptly – and preparations have to start long before a breach ever happens.
“They need to have a plan in place and work with a public relations firm beforehand,” he said. “Not just bring one in after the horse is out of the barn.”