Recently, a new set of OpenSSL vulnerabilities was announced and a new set of patches were released. Naturally, visions of the dreaded Heartbleed bug sprang to mind — though the fresh flaw was not quite so fatal as that. But if our secure sockets layers suddenly aren’t so secure, what are we to do?
At such times, it’s important to put the entire concept of data security into perspective. We know that the majority of external breaches are enabled due to issues that all organizations have control over; for example, lack of visibility into (or failure to resolve) misconfigured or vulnerable systems. Additionally, almost 100% of external breaches use valid credentials, so it is imperative that organizations habitually implement the concept of least-privileged access and monitor all user activity, especially with confidential data, which absolutely must be encrypted whether at rest or in motion. But even with some of the best defensive and preventative controls in place, the reality is that everyone has a weakness, regardless of whether it is ever maliciously exploited. And all organizations will probably eventually face a determined adversary who will gain access to critical data and systems. This is where organizations need to invest in compromise management, incident response, and forensic solutions to quickly identify policy violations, misuse, and security failure.
If you look at the federal Office of Personnel Management (OPM) breach, several factors come to light. While there is no guarantee that this breach wouldn’t have occurred even if the office had implemented all necessary controls, it is painfully clear that OPM suffered from a lack of many basic security protocols and principles. According to some reports, they didn’t even have an IT security team until 2013; and even then, the office failed to employ basic security measures such as data encryption. It is clearly a case of negligence, if not out right incompetence, that enabled a malicious actor to compromise OPM systems.
Security should focus on limitation, not elimination. You can never entirely eliminate all threats, but you can limit the potential for a successful compromise — and when a compromise does occur, you can limit its impact on the organization. Security should really be about resiliency.
Unfortunately, against the backdrop of an increasingly hostile threat environment, adoption of new technologies that challenge traditional security solutions (such as cloud infrastructure), and the emergence of highly skilled, well-funded nation-state adversaries, all organizations must realize that threat is imminent and the impact of a breach could be devastating.[su_box title=”About Amrit Williams” style=”noise” box_color=”#336588″]Amrit Williams has over 20 years of experience in information security and is currently the Chief Technology Officer of CloudPassage. Amrit has held a variety of engineering, management and consulting positions prior to joining CloudPassage. Previously, Williams was the Director of Emerging Security Technologies and CTO for mobile computing at IBM, which acquired BigFix, an entperprise systems and security management company where Wiliams was CTO. Prior to BigFix, Williams was a research director in the Information Security and Risk Research Practice at Gartner, Inc. where he covered vulnerability and threat management, network security, security information and event management, risk management, and secure application development. Before IBM, Williams was a director of engineering for nCircle Network Security, and undertook leadership positions at Consilient Inc., Network Associates, and McAfee Associates, where he worked to develop market leading security and systems management solutions.[/su_box]