The Lessons of a Tough Year in Cybersecurity
Cybersecurity has become a top priority for organizations across the country, but that may not be enough. "Security needs to be a national priority," said author and expert Brian Krebs.
Speaking at the CDW Managing Risk Summit in Las Vegas, Krebs and other experts observed that as breaches have had an increasing impact in recent years, organizations have taken security far more seriously. Noting the 2013 Target breach that led to the resignation of Gregg Steinhafel, the company's president and chief executive, Krebs said: "Any time a data breach has the capacity to show the CEO the door, it tends to catch your attention."
Bob Bragdon, publisher of CSO, noted that Steinhafel wasn't the only executive to face such consequences. Chief executives at Equifax and Yahoo also departed in the wake of major breaches at their companies.
While these breaches were damaging for the companies that suffered them, they provide insights that can help others better protect their data and respond to attacks more effectively.
SIGN UP: Get more news from the BizTech newsletter in your inbox every two weeks!
Organizations Must Deal with the Inevitability of Breaches
One of the key lessons of the massive breaches of 2017 is that it is essentially impossible to keep persistent, skilled attackers from penetrating an organization's exterior defenses. CDW research indicates that 46 percent of organizations have experienced a serious data breach, while 22 percent have reported a near breach in the past 12 months.
Further, Sadik Al-Abdulla, director of security solutions at CDW, stated that in the first 60 penetration tests he conducted as a security engineer, he was successful in taking full administrative control of the customer's network in all of them — and in 59 attempts, he was able to do so within an hour. The lesson? Skilled, dedicated attackers will find a way past nearly any defense. Organizations should work to keep threats out, but they also must have a plan for how to respond when an attacker gets in.
Al-Abdulla recommended a four-step approach to security:
- Accept that a breach is inevitable
- Design defenses for post-breach detection
- Design defenses to limit the impact of a breach
- Plan for breach response
Krebs' prescription for an effective defense largely follows a similar approach. The first step, he suggested, is to know that if your goal is only to keep attackers out of your IT environment, you've already lost the game. "If you still think you can keep the bad guys out, you probably don't know enough to know when they get in," he said.
A more effective strategy, he said, is to anticipate when and how a breach might occur and to look for those signs to determine if one has taken place. Then, the response must be quick and effective. "Companies need to spend a lot more time anticipating these breaches and responding to them, instead of trying to prevent them," he said.
Passwords Prove to Be Weak Links
Both Krebs and Al-Abdulla identified passwords as a major vulnerability for many organizations. "It's 2018," Krebs said. "How are we still so reliant on passwords? They're the source of so many cyberbreaches."
Al-Abdulla noted that many organizations establish password policies that allow users to rely on weak or easily guessed passwords. One strategy for addressing the vulnerability of passwords is to implement two-factor authentication, which uses an element that the user knows (such as a password) in combination with an element that the user carries (such as a token or smartphone) or an element that is unique to the user's person (typically, biometrics such as fingerprints or retinal patterns). Implementing two-factor authentication requires attackers not only to steal or guess a user's password, but also to compromise a second factor that identifies the authorized user, a much more difficult task for attackers to achieve.
However, not every organization has the resources to implement two-factor authentication, and it's not appropriate for every application. In such cases, Al-Abdulla suggested a strong password policy that uses passphrases that are more difficult to guess.
Phishing remains another dangerous attack vector. Many attackers use a target's personal information to get him or her to click on a malicious link or open a malicious attachment. This was the key way in which attackers were able to compromise the defenses of Deloitte in 2017. "All it took was one guy to get phished" for attackers to gain administrative access to Deloitte's systems, Krebs said.
Krebs suggested that organizations should make greater budgetary considerations to address the need for cybersecurity professionals to defend against these sophisticated attacks. Al-Abdulla added that more effective training can help users identify potential phishing attacks and avoid them. "If we keep letting the people be the weak point in our defenses," he said, "attackers will keep exploiting them."
Encryption and Patch Management Can Help Mitigate Attacks
In addition to security policies to defend against password-based exploits and phishing attacks, experts at the CDW Summit also recommended solutions to help deal with security breaches.
Elton Fontaine, Palo Alto Networks' director of sales engineering for the Western U.S., recommended Secure Sockets Layer decryption as a tool for breach defense. Attackers hide malicious payloads among the increasing amount of network traffic that is encrypted. Using SSL to decrypt this traffic can help organizations detect attacks.
Fontaine recognized that implementing SSL decryption can pose some challenges, such as network performance degradation. To deal with such problems, he suggested that organizations focus on high-priority traffic that is often used to deliver malicious payloads, such as email or social media traffic. This will address the most common threats quickly, he said.
Patch management is another weakness that attackers often exploit. Massive ransomware attacks in 2017, fueled by WannaCry and NotPetya malware, relied on unpatched vulnerabilities. In many IT environments, some systems are difficult to patch. In this case, segmentation can help IT teams prevent attackers from using access to one system to help them compromise connected systems, which often contain more valuable data.
Establishing a defense that strives to keep attackers out, but also limits the damage they can do in the event of a successful breach, is essential in the modern threat environment.
For our full array of articles and videos from the conference, check out BizTech’s coverage of the CDW Managing Risk Summit here.