Get used to it?: Mega breaches
How can we overcome data breach fatigue and restore trust in business and government's ability to protect personal data? Lee Sustar reports.
et used to it?: Mega breaches
Call it shock and yawn.
Amid widespread cynicism about mass cybersecurity failures, IT security pros, analysts and vendors are scrambling to develop the strategies, technologies and tools to plug the leaks today and develop long-term approaches to prevent similar collapses in the future.
Conversely, cybercrooks, hacktivists and spies won't give up just because they encounter new obstacles, of course. Nevertheless, cybersecurity practioners contend that the risk of mega breaches can be contained – but only if Corporate America and the government dedicate the right personnel to meeting the key objectives – and provide the resources they need to succeed.
Don't expect any tech-based quick fix, cautions Andrew Plato, president and CEO of Anitian, a Beaverton, Ore.-based cybersecurity consultancy. While new, smarter endpoint products are promising, “they demand a lot of administrative overhead to keep them running,” Plato says. “The long-term answer is security analytics, which is an emerging class of technologies that unify multiple security controls, along with threat intelligence, into a cohesive, enterprise-wide approach.”
Such a strategy has to begin with the recognition that 100 percent security is impossible says Lillian Ablon, an information systems analyst who studies data breaches for the Rand Corp. at the company's Santa Monica, Calif., headquarters.
Defenders need to think about making cyberattacks expensive in terms of time and costs, she says. In so doing, organizations can make it more likely that cyberattackers will turn to other, more vulnerable businesses. “It's like the saying, ‘you don't have to outrun the bear, you only have to outrun your friend,'” she says.
Lillian Ablon, information systems analyst, Rand Corp.
Ben Knieff, senior analyst, Aite Group
Robert Liscouski, founder and managing partner, Integrated Strategies Group
Andrew Plato, president and CEO, Anitian
And despite the mega breaches, soft targets abound across Corporate America, says Larry Ponemon, chairman and founder of the Ponemon Institute, a Traverse City, Mich.-based research think tank dedicated to advancing privacy and data protection practices. According to a recent Ponemon study of breaches, 55 percent of large organizations surveyed said that top management was very concerned about cybersecurity in the wake of the Target breach. But, that means that nearly half were not – which may explain why so many companies were taken down so quickly.
Some organizations shrug their shoulders and see breaches – including those with losses of one million or more records – as a cost of doing business, says Ponemon, who for the past 12 years has tracked 1,600 mega breaches. But, even a hyper-vigilant organization with almost limitless IT resources can still get hit, Ponemon says, pointing to JPMorgan Chase, which had data from 76 million households and seven million small businesses exposed in a data breach last year. “They were not able to contain what some would argue was a fairly unsophisticated malware attack,” Ponemon says.
Today, the surprise over the Target data exfiltration debacle and the titillation over the Sony email leaks are long gone, having given way to a steady drone of mass data larceny at retailers Michaels, Home Depot, Staples and Neiman Marcus. The 4.5 million records compromised at the UCLA Health System barely made national news, overshadowed as it was by the colossal breach of Anthem, the nation's second-largest health insurance company, which at 80 million records exposed was nearly 20 times larger. Amid that onslaught, who remembers the 600,000 debit and credit card records exposed in the Dairy Queen breach of 2014, or the 33 PF Chang restaurants that exposed similar data that same year?
The wave of retail breaches came as a surprise even to experts, says Rand's Ablon. “Our hypothesis at the time was that mega breaches were far and few between, largely because the black markets operate on a traditional supply-and-demand basis,” she says. “If the market is flooded with a bunch of data, it drives demand down.”
But now criminal organizations are apparently more sophisticated in finding ways to monetize such data. In any case, government-backed hackers will continue to ramp up their attacks as their goals are different, Ablon says. Given their superior IT firepower, state-backed cyberwarriors are likely to be able to punch through even the strongest defenses, she says.
That's bad news for the U.S. government. When headlines blared in June about the sweeping data compromise at the federal Office of Personnel Management (OPM), where personal data on 22 million current and former employees were exposed, there was an air of inevitability surrounding it, says Robert Liscouski (left), a former Department of Homeland Security (DHS) official who now heads the Integrated Strategies Group, a Washington, D.C.-area security consulting firm.
The breach at OPM may be a bigger event than Edward Snowden's exposure of NSA actions, Liscouski says. “It's given [the attackers] every conceivable vulnerability on every person in that data breach.”
Liscouski himself still hasn't gotten any formal notification from the federal government – not even a generic form letter – advising him that his personal data was compromised in the OPM breach. He argues that the full impact of that breach is still unappreciated, which he attributes to both a low-profile approach by the Obama administration as well as a post-Target “numbness” to such losses.
With OPM data, Liscouski says, foreign governments can check individuals' security authorizations conducted through that department against a list of U.S. embassy personnel. “If they're working in the embassy but they're not on the OPM records, it means they were cleared by some other government entity. That means they might not be just a commercial officer or a customs attaché.”
What's more, the exposure of biometric data will compound the problem, Liscouski says. “How do you replace an iris scan?” In the short term, the focus will have to be on risk management and containment while business and governments roll out more comprehensive defenses, he adds.