A data breach, or any security incident, really, should never be a point of schadenfreude or the start of the blame game. No matter how secure you are in your security plans, this is a good opportunity to look for lessons you can apply to your organization.
When a data breach hits the news headlines, it’s easy to fall in the trap of pointing out errors. “If only the company had done this.” “The organization ignored warnings that something was wrong.” Hindsight is an odd thing. Once something has happened, we all know what should have been done to prevent the damage. But as security professionals know, it’s never that obvious during day-to-day operations.
What are some of the lessons we’ve learned in recent weeks? The basics still matter. Patching remains paramount. Even though there are zero-day attacks, it’s important to take steps to protect against known vulnerabilities. Password security is still critical.
The St. Louis Cardinals managed to get into the Houston Astros database containing player statistics because the team had a list of passwords used by a former employee. The employee decided to keep using the same password when he went to the new—rival—organization. We can be pretty sure he won’t be making that mistake again, and you can use this as a lesson on why employees should be careful about their passwords.
Or better yet, this may be exactly what you need to get the buy-in to have two-factor authentication deployed throughout the organization. That would make it harder for attackers to break in with weak or compromised passwords. A recent research project by Recorded Future found login credentials for government employees and contractors. Recorded Future uncovered nine Department of Energy domains, seven Commerce Department domains, and others belonging to the General Services Administration, Veterans Affairs, and Agriculture. None of them appear to require two-factor authentication on their virtual private networks (VPNs). If the login credentials were current, this could result in a serious breach.
Incident response and communicating what you are doing after the breach are critical, and not just for stopping the data leak and fixing the problem. End users and consumers are becoming increasingly cynical about how their data is handled because of all the recent breaches. Making sure there is a clear communication plan and a coordinated response that looks for, isolates, and stops the attack as soon as possible will go a long way toward minimizing the damage.
“Businesses can minimize risk by creating a well-coordinated, clear emergency plan. The alternative will only hurt public perception and slow recovery,” said Jim Ambrosini, a managing director with CohnReznick Advisory. Having a formal response plan in place helps create confidence in the company’s ability to detect security breaches and protect against further damage. It also helps restore trust and credibility with the public, he said.
A common refrain heard with the OPM breach was, “If only the data had been encrypted…” Well, yes, encryption is an important piece of data security, but people also need to understand that data has to be decrypted whenever someone needs to work with it. In the case of OPM, there were lots of people who legitimately accessed the personnel data and would have needed the ability to decrypt it, and all signs point to the fact that the attackers had the sophistication to obtain the level of authorization needed to get at the decrypted data.
As Tenable Security’s security strategist, Cris Thomas has an interesting summary of lessons to learn from OPM. He discusses the importance of knowing what the organization has—having a detailed and up-to-date inventory of all hardware and software assets—in order to track activity. “This gives you a baseline for your scope and attack surface; you can’t defend what you don’t understand,” Thomas wrote.
Another lesson was to give users access to only what they need. This is related to the earlier passwords lesson. System administrators should not be using root access on a regular basis, as appears to have been happening at OPM.
Remember that every attack requires multiple steps. Someone getting in isn’t automatically a disaster; the attacker still has to either get the data out of the network or cause some kind of damage. The intrusion kill chain, originally defined by Lockheed Martin, describes seven steps to a successful attack. This is the time to be thinking about your defense-in-depth strategy. And that’s the biggest lesson of all: there is no one thing you can do defensively. It’s a combination of steps, and it all starts with the basics.