In the wake of the Yahoo, Equifax, Whole Foods, Sonic Drive-In, Deloitte, Securities and Exchange Commission, Viacom and Vevo breaches (all in the last month, by the way), I feel confident in predicting the future: there will be another major data breach this year.
OK, so maybe those words aren't as surprising as they once were, and you're already annoyed about the clickbait title. Good. That means we've progressed in terms of our collective consciousness with respect to the realities of attacks and InfoSec risks. Just a few years ago, most of the organizations I worked with felt fairly confident in saying, "I have a firewall" or "we've never had an incident here." Times have changed. Good.
However, what hasn't changed, at all, are the commonalities amongst the majority of breaches, be they highly publicized or not. There are fundamental control breakdowns that inevitably exist, are eventually reported on, and are debated ad nauseam on CNN, Fox News, or whatever your favorite talking head platform may be. Here's where I earn my Doctorate in Fortune Telling. This next breach WILL involve:
- One or more unpatched systems
- Default or insecure configurations
- Some weak explanation on why their monitoring capabilities failed
- At least one third party relationship (e.g. a vendor)
Time and time again these same issues come up as root 'contributors' if not outright causes. Why? Although the momentum in many organizations is shifting towards a more proactive approach that would address these fundamental issues, we haven't hit critical mass, not yet. After each incident the general public rightfully asks, "How could this happen?" or "How could this happen at BIG COMPANY?" The C-suite of the breach victim will release statements or make public appearances to reassure us that this breach was unavoidable, that all reasonable measures had been taken, that these magical hackers are just too darn good, that it's not their fault. Negative.
Advanced Persistent Threats (APTs) and nation-state actors absolutely exist, and at times may play a role in some of the well-publicized breaches, but overwhelming evidence points to these basic blocking and tackling functions as being on the critical path to a breach. To be clear, I'm not advocating that you completely ignore the potential APT attack; rather, I'm challenging your organization to more effectively prioritize the boring-but-important, simple-but-not-easy risks. Many organizations fall victim to the line of thinking that if only they had the next latest and greatest tool or solution, they would be secure. A focus on technology alone is the flaw in that approach. People, process, and technology: all three must work in concert to meaningfully reduce breach risk.
In the midst of Cybersecurity Awareness Month, consider my prediction and take action. Refuse to accept that your organization will be the next victim, or that this new normal is inevitable and therefore pointless to fight against. Avoid chasing the next latest and greatest solution at the expense of the fundamentals. Invest your scarce resources smartly. Some quick wins you can execute on today:
- Patch something, anything, in your environment today. Find that old Windows XP/Server 2003 host delivering the app that nobody uses anymore, or the ancient firewall protecting the network that once was but is no longer.
- Read through your logs. Again, any log will do: firewall, spam filter, domain controller, wireless controller. I'll even take a core switch. Do this every day for the next week, then once a week for the rest of your career.
- Run a vulnerability scan. Pick some hosts, make sure you have management approval, and find some technical weaknesses. Challenge yourself to apply remediation by the end of the month.
- Print out a list of privileged accounts, on your domain, in key applications, whatever. Do you know what they are? Do you know who they are tied to? Find out. Do this every month.
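As an added example for the privileged-accounts item above (not code from the original post): a PowerShell script that inventories the members of the built-in privileged Active Directory groups, expands nested membership so indirect admins are not missed, and flags disabled or stale accounts. It assumes the RSAT ActiveDirectory module and read access to the domain; the group list and the 90-day staleness threshold are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post): inventory of privileged domain accounts.
# Assumes the RSAT ActiveDirectory module is installed and you have read rights to AD.
# The group list below is an assumption; extend it with your own tiered-admin groups.
Import-Module ActiveDirectory

$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators'
)
$StaleDays = 90   # assumption: flag accounts with no logon in the last 90 days

$Inventory = foreach ($GroupName in $PrivilegedGroups) {
    # Skip groups that do not exist in this domain (e.g. Enterprise Admins in a child domain)
    $Group = Get-ADGroup -Filter "Name -eq '$GroupName'"
    if (-not $Group) { continue }

    # -Recursive expands nested groups; keep only user objects (drops groups, computers)
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $User = Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, PasswordLastSet, Description
            [PSCustomObject]@{
                Group           = $GroupName
                SamAccountName  = $User.SamAccountName
                Enabled         = $User.Enabled
                LastLogonDate   = $User.LastLogonDate
                PasswordLastSet = $User.PasswordLastSet
                Description     = $User.Description
                Stale           = (-not $User.LastLogonDate) -or ($User.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays))
            }
        }
}

# Collapse to one row per account, listing every privileged group it belongs to
$Report = $Inventory | Group-Object SamAccountName | ForEach-Object {
    $First = $_.Group[0]
    [PSCustomObject]@{
        SamAccountName  = $_.Name
        Groups          = ($_.Group.Group | Sort-Object -Unique) -join '; '
        Enabled         = $First.Enabled
        LastLogonDate   = $First.LastLogonDate
        PasswordLastSet = $First.PasswordLastSet
        Stale           = $First.Stale
        Description     = $First.Description
    }
}

# Stale and disabled accounts first: those are the ones to question this month
$Report | Sort-Object Stale, Enabled -Descending | Format-Table -AutoSize
$Report | Export-Csv -Path ".\privileged-accounts-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it monthly and diff the CSV against last month's copy; every new row is an account someone should be able to explain.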
With quick wins comes an energy which you can then employ to viciously execute your strategic plan… you do have a strategic, comprehensive, prioritized InfoSec plan… right?