As 2014 draws to a close we can look back over one of the most tumultuous years in recent history. This has been the year of the major security breach. The Target breach was just a warm-up for a laundry list of attacks against large, presumably well-protected, companies and government agencies. Candidly, these organizations – public and private – should be ashamed of themselves.
That’s not a politically correct statement, I know, but let’s just look at some facts. First, Verizon, in its “2014 Data Breach Investigation’s Report,” points out that 95 percent of all breaches followed one of just nine attack patterns. Of those, web application attacks and point-of-sale intrusions lead the pack. If we look closely at these two attack patterns we see that very simple controls, if implemented properly, can go a long way toward limiting exposure at “low hanging fruit.”
For example, writing properly coded input validation on web apps is a major deterrent. Protecting login credentials and forcing strong authentication for external users, such as remote employee connections or connections by partners or vendor support personnel, is also a big wall against simple attacks. It takes a very small toe-hold in a large system to begin moving about in the network and seeking out vulnerable data repositories that the attacker wants to access.
Testing user passwords for strength – something that used to be common in penetration tests but is not quite as common today –and forcing complex passwords is also a cheap and easy way to manage credential abuse. While POS intrusions continue to be a problem, the web applications remain the open door to the network. And they are an open door that is relatively easy to close.
Another core issue is data leakage. There is a tendency – I have seen this consistently in the 50 years I’ve been in the information security world – to do what is convenient even though it represents significant potential risk. For example, there was a time where at least two places involved with critical data would never be generally accessible: wire transfer rooms in financial institutions were isolated in glass “fishbowls” and never connected to any external network, and SCADA systems always had their own isolated networks that never would be allowed to touch the organization’s business network or the internet.
Today, both of those systems are routinely accessible from anywhere on the enterprise and often from the internet, all in the name of convenience. Since when is convenience a business driver when it places critical organizational infrastructure at significant risk? These are the kinds of questions that need good answers and better tactical responses if we are to fend off the breach monster that seems to be gaining in strength and power as our systems gain in complexity and criticality.
What this means in practical terms is that, as a discipline, we are being called upon to do more in the way of providing and measuring the security of our systems and data and at the same time doing it in the open instead of in the relative safety of a firewall-protected environment. Now, that does not mean the end of firewalls, of course. But it does mean that the boundary between the corporate jewels and the outside world is thinner than ever before and it falls to us to compensate for that thin boundary.