Following the news that OnePlus has confirmed that up to 40,000 customers have been affected by a data breach, IT security experts commented below.
Dan Panesar, VP EMEA at Certes Networks:
This cybersecurity breach is another in a long line of incidents that show that organisations are not taking the protection of their customers’ financial data seriously. It certainly begs the questions why it was so easy for hackers inject code into the OnePlus website and why the breach took nearly two months to detect.
This highlights, yet again, both that responsibility for security is not centralised but fragmented across multiple silos and that security infrastructure remains unnecessarily complicated. Models have become more and more complex and dependent upon a huge array of disparate technology teams – from networking to cloud, application to management. The result is a lack of consistency that creates gaping holes in the security infrastructure; holes that are being routinely breached by ever more sophisticated and motivated hackers.
Organisations need to bring their approach to security up to date as it is clear that the current security mindset is not working. Organisations need to think beyond the ‘protect’, ‘detect’, ‘react’ approach which sees hackers on average spend over 100 days syphoning of sensitive data from across compromised networks. Instead the model needs to include a step that limits the damage – ‘containment’.
The best way to achieve that is to adopt a ‘Zero Trust’ model and accept that access or ‘trust’ once within any part of the extended enterprise must be strictly limited. This approach, critically, decouples security from the complexity of the IT infrastructure and addresses user and application vulnerability.
Shift the focus from infrastructure to trust and it doesn’t matter how complex technology has become, or becomes in the future, the security model remains simple and hence both manageable and relevant.”
Tyler Moffitt, Senior Threat Research Analyst at Webroot:
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.