Call it shock and yawn.
Amid widespread cynicism about mass cybersecurity failures, IT security pros, analysts and vendors are scrambling to develop the strategies, technologies and tools to plug the leaks today and develop long-term approaches to prevent similar collapses in the future.
Conversely, cybercrooks, hacktivists and spies won't give up just because they encounter new obstacles, of course. Nevertheless, cybersecurity practioners contend that the risk of mega breaches can be contained – but only if Corporate America and the government dedicate the right personnel to meeting the key objectives – and provide the resources they need to succeed.
Don't expect any tech-based quick fix, cautions Andrew Plato, president and CEO of Anitian, a Beaverton, Ore.-based cybersecurity consultancy. While new, smarter endpoint products are promising, “they demand a lot of administrative overhead to keep them running,” Plato says. “The long-term answer is security analytics, which is an emerging class of technologies that unify multiple security controls, along with threat intelligence, into a cohesive, enterprise-wide approach.”
Such a strategy has to begin with the recognition that 100 percent security is impossible says Lillian Ablon, an information systems analyst who studies data breaches for the Rand Corp. at the company's Santa Monica, Calif., headquarters.
Defenders need to think about making cyberattacks expensive in terms of time and costs, she says. In so doing, organizations can make it more likely that cyberattackers will turn to other, more vulnerable businesses. “It's like the saying, ‘you don't have to outrun the bear, you only have to outrun your friend,'” she says.
Lillian Ablon, information systems analyst, Rand Corp.
Ben Knieff, senior analyst, Aite Group
Robert Liscouski, founder and managing partner, Integrated Strategies Group
Andrew Plato, president and CEO, Anitian
And despite the mega breaches, soft targets abound across Corporate America, says Larry Ponemon, chairman and founder of the Ponemon Institute, a Traverse City, Mich.-based research think tank dedicated to advancing privacy and data protection practices. According to a recent Ponemon study of breaches, 55 percent of large organizations surveyed said that top management was very concerned about cybersecurity in the wake of the Target breach. But, that means that nearly half were not – which may explain why so many companies were taken down so quickly.
Some organizations shrug their shoulders and see breaches – including those with losses of one million or more records – as a cost of doing business, says Ponemon, who for the past 12 years has tracked 1,600 mega breaches. But, even a hyper-vigilant organization with almost limitless IT resources can still get hit, Ponemon says, pointing to JPMorgan Chase, which had data from 76 million households and seven million small businesses exposed in a data breach last year. “They were not able to contain what some would argue was a fairly unsophisticated malware attack,” Ponemon says.
Today, the surprise over the Target data exfiltration debacle and the titillation over the Sony email leaks are long gone, having given way to a steady drone of mass data larceny at retailers Michaels, Home Depot, Staples and Neiman Marcus. The 4.5 million records compromised at the UCLA Health System barely made national news, overshadowed as it was by the colossal breach of Anthem, the nation's second-largest health insurance company, which at 80 million records exposed was nearly 20 times larger. Amid that onslaught, who remembers the 600,000 debit and credit card records exposed in the Dairy Queen breach of 2014, or the 33 PF Chang restaurants that exposed similar data that same year?
The wave of retail breaches came as a surprise even to experts, says Rand's Ablon. “Our hypothesis at the time was that mega breaches were far and few between, largely because the black markets operate on a traditional supply-and-demand basis,” she says. “If the market is flooded with a bunch of data, it drives demand down.”
But now criminal organizations are apparently more sophisticated in finding ways to monetize such data. In any case, government-backed hackers will continue to ramp up their attacks as their goals are different, Ablon says. Given their superior IT firepower, state-backed cyberwarriors are likely to be able to punch through even the strongest defenses, she says.
That's bad news for the U.S. government. When headlines blared in June about the sweeping data compromise at the federal Office of Personnel Management (OPM), where personal data on 22 million current and former employees were exposed, there was an air of inevitability surrounding it, says Robert Liscouski (left), a former Department of Homeland Security (DHS) official who now heads the Integrated Strategies Group, a Washington, D.C.-area security consulting firm.
The breach at OPM may be a bigger event than Edward Snowden's exposure of NSA actions, Liscouski says. “It's given [the attackers] every conceivable vulnerability on every person in that data breach.”
Liscouski himself still hasn't gotten any formal notification from the federal government – not even a generic form letter – advising him that his personal data was compromised in the OPM breach. He argues that the full impact of that breach is still unappreciated, which he attributes to both a low-profile approach by the Obama administration as well as a post-Target “numbness” to such losses.
With OPM data, Liscouski says, foreign governments can check individuals' security authorizations conducted through that department against a list of U.S. embassy personnel. “If they're working in the embassy but they're not on the OPM records, it means they were cleared by some other government entity. That means they might not be just a commercial officer or a customs attaché.”
What's more, the exposure of biometric data will compound the problem, Liscouski says. “How do you replace an iris scan?” In the short term, the focus will have to be on risk management and containment while business and governments roll out more comprehensive defenses, he adds.
In the wake of the OPM losses, the federal government is pushing for a more aggressive approach to cybersecurity through a “sprint” toward two-factor authentication. Another technology set for deployment is software-defined perimeters, which is designed to deny all traffic and to make it more difficult for hackers to identify an attack vector.
“The perimeter becomes amorphous,” says Juanita Koilpillai, president and CEO of Waverly Labs, a Waterford, Va.-based cyber and digital risk management company which is working with the DHS to implement that technology.
When companies and government entities do get hit with a big breach, they should go beyond remediation to reviewing their entire security posture, she says. “During that process, look at where your critical assets are, and try to fix that too, even if they were unaffected.”
Still, even a close look at your network and system won't necessarily lead to a clear picture of potential vulnerabilities, according to Ben Knieff, a senior analyst with the Aite Group, a Boston-based research and advisory firm with a focus on information security. The next step for companies in the cybercriminal's crosshairs is to “reach into the dark web and try to understand their exposure outside the organization, and to understand the threat surface,” he says.
By combining a better understanding of bad actors with an internal campaign to make information security an organization-wide goal, companies and government bodies have a better chance of preventing breaches and limiting their damage when they do occur, Knieff adds.
And despite the techno-skepticism caused by the wave of mega breaches, the right systems and software remain critical to improving IT security defenses, he says. However, he adds, the solutions may not be from the usual providers. “Look at organizations without big names, but that have the technology to quickly identify threats for the IT team and the CISO,” he says.
Sorting through the proliferating number of cybersecurity vendors may be time-consuming and frustrating for organizations already overwhelmed with technology options and mounting internal pressures for rapid improvements in cyberdefenses. But with some of the world's biggest companies and most powerful governments reeling from mass data breaches, there's no alternative.