Security breaches are on the rise. Yet as security experts face ever more complex and challenging threats, is there a risk some of the basic components of IT security are being overlooked? As recent breaches have revealed, not only are many security experts guilty of focusing on the bright shiny new products while overlooking the more mundane evolutionary upgrades of traditional defences, but they are also failing to comply with the most robust global data security standard available, namely PCI DSS.
Of course, security threats are constantly changing – but is that a reason to ignore the first principles of IT security: assessing vulnerabilities, hardening the infrastructure, and checking for unexpected changes? As Mark Kedgley, CTO, NNT asks, why are so many IT security experts intent on looking for footprints in the garden when the front door is wide open?
Security breaches are on the rise. Indeed, Experian’s 2014 Data Breach Industry Forecast¹ predicts that new security threats and transparency regulations will make 2014 a “critical year” for data breaches and warns that organisations need to be better prepared. So what’s going wrong?
IT security is certainly a tough job. From the relentless introduction of new threats, to the escalating impact of any breach in a 24×7, joined-up economy, those tasked with protecting business-critical data have the challenge of juggling routine, day to day protection requirements with the need to prevent ever more innovative hacking attempts.
Sadly, however, recent high profile breaches would suggest that the routine, tried, trusted and proven security activity is being overlooked. Why are so many security experts spending more time, money and effort attempting to prevent esoteric potential threats by, for example, tracking subtle network activity changes or signs of unexpected increases in data storage, than checking the AV patches have been applied? Or actively seeking out innovative anti-phishing appliances, while failing to comply with proven data security standards?
Given the experience in recent months, second guessing the latest and most fashionable security issue is not proving a successful anti-breach strategy.
It may seem important to keep up to date with the latest threats but, take a step back: is it really sensible to be checking for new footprints in the garden that may, just may, suggest a risk of attack, when the front door is wide open, the windows unlocked and the attack Rottweiler has been replaced by a Cockerpoo?
Clearly not. Yet in the world of technology in general, and IT security in particular, the lure of the new is compelling. So how can the industry address this rising tide of security breaches? The answer may not appeal, but companies have got to go back to basics and create a steady, known and secure environment.
The concept is simple: if an organisation cannot clearly understand what comprises a good, secure environment, it is impossible to ever identify something bad. And that is the heart of the problem facing too many organisations today: without a good, secure and optimised environment it is impossible to spot the changes that would indicate some form of security attack is underway.
Following the guidance of trusted standards – most notably the Payment Card Industry Data Security Standard (PCI DSS) – organisations can quickly evolve from today’s anarchic approach to creating a far more secure environment. Step one: deploy a firewall and make sure it is working correctly. Step two: harden the infrastructure to significantly reduce the threat surface. Step three: ensure the tools are in place to check any changes in the scope systems, from servers and network devices to databases, and respond to these changes immediately.
Hardening the infrastructure demands a good vulnerability assessment; evaluating the organisation’s unique attack surface and taking the right steps to close off any problems, including well known attack modes of operation. It does not, however, despite recent trends in the industry, mean simply flagging the top five vulnerabilities in a surface threat analysis. This attitude is disingenuous: it still leaves other threats at large and, to be frank, patching five out of six holes in a boat may just give enough time to abandon ship, but that ship is still going to sink. Some vulnerabilities are obviously more acute than others – but that does not mean ignoring low priority vulnerabilities or opting to leave known weaknesses in place for a few more weeks or months.
Of course, even applying PCI DSS measures correctly is no guarantee the company will be immune to attack. But, critically, it does mean the business will be well armed with tools that can prevent the breach and raise the alarm at any attempt. If followed to the letter – with both technology and culture – it should be impossible to fall prey to a Target-style breach that led to malware being undetected for weeks while credit card details were siphoned off.
There is no simple approach to IT security – no single product that can guarantee corporate data is kept safe. IT security is constantly evolving and no one appliance, box or software product is going to deliver the silver bullet – however good the marketing hype. Yes there are great new products being developed to deal with specific new threats, such as anti-phishing or anti-malware appliances. But using these in isolation is not going to safeguard any IT infrastructure because there is always more than one security threat to address; a multi-faceted, joined up approach is essential.
With no ‘IT security on a plate’ option, organisations require skills, expertise and, critically, rigour. It is only by following proven security standards such as PCI DSS, hardening the IT infrastructure and continually checking to ensure the severs, network devices and database systems are in a known state that an organisation can minimise the risk of breaches and, critically, ensure problems are immediately addressed and resolved.
Sounds dull? Maybe. But how much fun is a major breach that results in the theft of thousands of customers’ credit card details or critical corporate IP? For those that have experienced a security breach, the pleasure of playing with a new, shiny security toy rather than employing best practice was never worth with risk. So before heading out to look for those footprints in the garden, check the front door is shut and the windows locked!