My entrance into the world of technology and cybersecurity coincidentally occurred in simultaneous fashion with what Symantec has coined the Big Boom age[1] of data breach. It was March 2005 that the world witnessed the first data breach to include over one million compromised records at DSW Shoe Warehouse. Since then and as of today, Privacy Rights Clearinghouse[2] has recorded an additional 9,093 data breaches that have been made public; an average of nearly two per day (1.78) over the past 5,100+ days.
Hearing about, learning about, and subsequently talking about data breach events has more or less been my daily routine for the better part of 14 years. Having held or performed the functions of a wide variety of positions within a security-focused software company for as long as I have, I’ve been fortunate to have had exposure to people of all types and in virtually every conceivable position within customer, partner, and other technology organizations. While I feel like I’ve heard it all in terms of what the root cause of our collective data breach problem is, I think there are two things in particular that are suffocating our collective ability to slow down and stifle this unsurprising outcome – people that can’t comprehend or appreciate the information they’re being told and people not being allowed to focus on what they know really matters.
Let me be clear. This is not a finger-pointing exercise. This is a reality check. I’m not saying this is the be-all end-all solution either. Protecting the information attackers seek to steal is among the most complex problems we’ve ever had to deal with as a species, but surely there are some pragmatic measures that can be taken to stop the bleeding (scratch that, hemorrhaging) of data from our organizations on again a daily basis. Right?
Trust in our new “Zero Trust” world (to the Board)
Technology is complicated. Whether we’re talking about consumer electronics in our homes or enterprise-grade technologies in our offices and datacenters, if you’re not into it, if you’re not exposed to it, then you probably don’t understand it. It’s not your fault if you’re not among the technically-inclined, but you can’t fight it either. This is the world we live in. Your smartphone might become even easier to use, but it will assuredly become more difficult to secure as time goes on.
If you’re in a decision-making position that affects the funding of technology (especially cybersecurity) purchases for your organization and you can’t say you truly grasp or appreciate the imminent dangers “The Business” faces right now, then there’s only one thing you can do. Trust. There are people around you that do know what’s going on. Unfortunately, these people aren’t always the best at communicating incredibly complex subject-matter in terms you understand (i.e. money, and how this makes you more money), but rest assured you will be losing a boatload of it when Brian Krebs gives you a call to let you know your network and your customer’s data has been “pwned”.
And trust me, I thought GDPR was going to fizzle out too, but boy was a wrong. It’s got legs and it just leaped over the pond in the form of the CCPA. Now it’s making its way across America and you will be fined for non-compliance. No more slaps on the wrist. They’re coming for your piggybank.
Cybersecurity needs more funding. Cybersecurity professionals are burned out. There are too few people to do the job and the tools they’re forced to use are rarely adequate enough to address the modern threats they face. That said, you’ve hired people that speak the language. Trust them when they tell you what they need to defend your organization from harm. Honestly, you’re just a sitting duck otherwise.
Discipline and bringing it back to the basics (to the Security Professional)
Every year, we all rejoice in the release of Verizon’s latest Data Breach Investigations Report (or the DBIR for the cool kids). It’s such a great read, what with all their witty quips and section headings. But what do we always see? It’s the same old stuff biting us in the butt every time. Missing patches, an overabundance of administrative access rights, credentials in memory, social engineering, Pass-the-Hash, and so on.
We’ve got to turn our focus back to the blocking and tackling. It starts with education for your employees (don’t click it!), proper hygiene and alignment with best practices across your systems for when they click it anyway (why do 135 people have local admin rights to this desktop again?), least privilege rights to your data (so Joe Schmoe from the Mail Room’s account doesn’t grant god rights to your quarterly financials), and control over the granddaddy of them all, the directory.
If you want to secure your data, you need to know where it is, what it is, who has access to it, and figure out whether or not they should. Once you do that, you need to ensure the thing that’s responsible for controlling access to all that data (probably Active Directory for 90% of you) is clean, understood, configured properly, monitored closely, and controlled tightly. Don’t stop there though. AD is most commonly compromised due to misconfigurations, vulnerabilities, and an inappropriate number of people with administrative access rights to your desktop and server infrastructure.
This is the blocking and tackling. Fix these problems and you’re going to be in a much better position to defend your organization’s assets.
We aren’t doing ourselves any favors (to All of Us)
I don’t want this to sound too harsh and again, I don’t want this to be perceived as finger-pointing either. I want this to be a rallying cry to us all because we’re all in it together, but I feel like right now we’re not doing ourselves any favors.
Excuse the painful football analogy, but it’s halftime in this game we’re playing, we’re losing, and it’s time to make some adjustments. We need more resources and we need more focus on fixing the things that make it so easy for attackers to make us all look like fools. If we can trust each other, we can make this epic comeback happen.
Adam Laub is SVP, STEALTHbits Technologies
[1] https://www.lifelock.com/learn-data-breaches-history-of-data-breaches.html
[2] https://www.privacyrights.org/data-breaches
