Logs, logs, and more logs: they bury the sys admins charged with protecting our networks. The larger the company, the more data there is to process, and sorting the false positives from the events that require immediate attention is the key task. One way to do that is to focus on what our users are actually doing.
We can be thankful for the plethora of tools that allow us, the mere human element in this ecosystem, to consume myriad logs and make sense of the information buried within them. And while it is good to know who is tapping your perimeter, it is just as important to know what is going on inside your company and to recognize the indicators that an incident is about to become your next security event.
Keep an eye on the humans in the network. Detecting an anomaly early, before it grows into an outage or a breach, is critical: we are all aware of how destructive disruption can be to a company, and having your network taken down is, by any measure, disruptive.
The IBM Security Services 2014 Cyber Security Intelligence Index reports a startling figure: 95 percent of all security incidents involve human error at least in part. IBM points to misconfigurations, poor processes and procedures around user IDs and passwords, and lost devices as just some of the avenues to data compromise that criminals exploit. The report names the most prevalent contributing human error as double-clicking on an infected attachment or an unsafe URL.
Partners Also Have Access
In May 2014 a major wireless provider disclosed a security issue involving customer personally identifiable information (PII) and account configuration data. According to the breach notification letter filed with the California Office of the Attorney General, sometime between April 9 and 21, 2014, employees of one of the company's service providers (an unidentified partner) circumvented its security protocols, in violation of its privacy and security guidelines, and accessed individual user accounts in an effort to obtain "unlock codes." In doing so, these individuals also accessed customer information that included dates of birth and Social Security numbers. Anyone in the security industry knows that a name, date of birth, and Social Security number together are the cream of the crop for criminals who monetize PII through both financial identity theft and income tax refund fraud. While this breach was US-centric, it raises questions that apply everywhere: Who has access to your customers' data? Who are your partners? Do your partners have the same level of access as your staff? Is the security at your partners' sites on the same level as yours? All of these are human-element factors that must be weighed when mitigating risk.
Protect the Crown Jewels of the Infrastructure
By the time you discover that a criminal element is conducting surveillance of your network, it is already too late to start writing your incident response plan or your disaster recovery plan. This was the lesson learned by Code Spaces, a code hosting and software collaboration platform. In June 2014, the organization was subjected to a DDoS attack. Simultaneously, the company's control panel at a third-party service provider was accessed, indicating that Code Spaces' infrastructure had been compromised and that its ability to control its own environment was severely challenged. The intruder reached out and demanded a "ransom" to release Code Spaces. As the company worked to regain control of its infrastructure and customer data, the intruder began destroying customer and company data. Code Spaces' website announced that the company "will not be able to operate beyond this point, as the cost of resolving this issue...puts Code Spaces in an irreversible position both financially and in terms of ongoing credibility." Put more plainly, they are out of business. Sadly, some of their clients whose data or running applications were hosted on the platform may also have been irreparably harmed.
Disaster Recovery Is Not Just an Exercise
The human element must be factored into the security architecture of every company and every investment. Ensure that the processes and procedures created to protect the company and its customers are checked, tested, and retested regularly. Disaster recovery processes and procedures must likewise be in place and tested, with the goal of surviving even the most catastrophic scenario; in particular, backups that can be reached and deleted with the same credentials that control production do not count as recovery capability, since an intruder who takes the console takes the backups with it. The risks introduced by humans in the enterprise can be mitigated with a little advance planning and preparation.