
Lessons Learned From 2014 – The Year Of The Breach

By ISBuzz Team | December 17, 2014 | Updated: July 4, 2024 | 5 Mins Read

2014 is being called “the year of the breach” due to a number of businesses falling victim to major cyber attacks.

During the past year, we have seen a particular attack vector in the UK that is frustrating many security experts: web attacks where the infiltration method and the exfiltration method are one and the same. Attackers are siphoning data over days, months, and in many cases years, and the scale of these incidents adds to the fear of social engineering becoming a prime method of introducing malware into an organisation. This presents organisations with the challenge of how best to deal with targeted attacks. The frequency of data breaches we have seen over the past year raises the question of whether hackers are becoming increasingly sophisticated in their attacks, or whether businesses are in fact dropping the ball on security because of the complexity of managing their networks, applications, databases, and technologies.


Following this year’s data breaches, there are some mistakes that we can learn from as we go into the new year.

1. Misconfiguration issues: These include weak passwords, using the same password for multiple logins, failing to configure a firewall so that it blocks outbound traffic, running remote access software even when it is not needed, failing to run up-to-date anti-virus software, and allowing any user to access specific systems even if they do not need access. These areas are easily fixable, but businesses continue to overlook them, which makes them an easy target for attackers.

2. Lack of resources: On many occasions, we have seen in-house IT teams purchase a security technology only to realise when it arrives that they don’t have the time or manpower to make sure the technology is installed, updated, monitored and continuously working properly. The product then begins to collect dust as it sits on the shelf while the business’s data remains unprotected, or even worse, a false sense of security is created around misconfigured or misunderstood technologies.

3. Security weaknesses across third party providers: When organisations outsource their IT functions to third-party providers, in many cases the providers use remote access software to help fix technological problems within their infrastructure. Unfortunately, many businesses may be unaware that their third-party provider isn’t adhering to security best practices such as using strong passwords and two-factor authentication, which can in turn make those businesses vulnerable.

4. Poor application security: The frequency of web attacks isn’t hitting home for many organisations. The Trustwave Global Security Report found that 96% of applications scanned contained one or more serious security vulnerabilities, with 4 out of 5 businesses admitting that they had rolled out projects that contained known security issues. Organisations must run regular testing and make sure that security is included in the development cycle.

5. Lack of segmentation: Too often businesses mix all of their networks together so that all their data, sensitive and non-sensitive, flow through the same networks. This setup enables criminals to access sensitive data more easily since they only need to break into one network to get it. Businesses should segment their networks so that those carrying sensitive information are separated from those with non-critical information.

6. Non-existent or unpractised incident response readiness plans: When an attack happens, many businesses don’t know who to call or what to do next, not to mention how to contain it, how to minimise the damage, or how to get back to business as usual. Implementing and testing an incident response readiness plan can help businesses identify and remediate security weaknesses, detect compromises faster, and minimise the damage from a breach. Findings from the 2014 Trustwave Global Security Report showed that organisations that self-detected a breach took an average of one day to contain it, whereas it took organisations 14 days to contain a breach when it was detected by a third party such as law enforcement or a regulatory body.

As businesses head into 2015 and beyond, they must make sure they don’t get sloppy with their security. Businesses and third-party providers must use methods such as complex passwords and two-factor authentication and must follow security best practices, such as:

– Perform a risk assessment to identify where their valuable data lives and moves.
– Perform vulnerability scanning on a regular basis (at least quarterly) across all assets followed by penetration testing for their most critical assets to identify and remediate security weaknesses.
– Deploy technologies to protect all attack vectors and augment their in-house staff by partnering with a third-party team of experts to help ensure they have enough manpower and skillsets to make sure those technologies are installed, fine-tuned and continuously working properly.
– Create and practice an incident response plan so if there is a breach, the business knows what steps to take to contain it and minimize the damage.

By Michael Aminzade, VP Global Compliance & Risk Services, Trustwave

About Trustwave

Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than 2.7 million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective data protection, risk management and threat intelligence. Trustwave is a privately held company, headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit www.trustwave.com.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
