That tag line was famously used in Jaws 4: The Revenge, to set up an improbable scenario where a great white shark follows a beleaguered woman to the Bahamas and targets her and hers. But while even the most industrious shark is not likely to take such a long swim to settle a personal vendetta (we saw what the woman’s police chief husband did to its compadre in the first Jaws), the line could more appropriately be used to describe the menacing adversaries lurking in the deep, ready to strike unsuspecting enterprises or consumers in a devastating data breach when the right bait is dangled.
It seems as if the most recent data breaches – like those at the Office of Personnel Management (OPM) and insurance company Anthem – are tinged with the personal. That is, attackers are seeking sensitive personal information that they can use further down the line for heaven knows what.
It almost makes you long for the good old days when large breaches were almost exclusively in the domain of retailers like Target, Neiman Marcus and Home Depot.
Of late, though, breaches have branched out. Their widening circle is scooping up a greater variety of data, attackers are craftier and patient (like the shark in Jaws, they’re willing to lie in wait until the time is right), and the breaches are more sophisticated…and inevitable.
In fact, a recent Gartner report says that “prevention is futile in 2020,” and Rep. Ted Lieu (D-Calif.) voices the often-repeated assertion that there are two types of companies – those which have been breached and those which don’t know they’ve been breached.
Both could pay a hefty price. The Ponemon Institute put the average total cost of a data breach at $3.79 million – an increase of 23 percent over the past two years – and most organizations are paying a much higher toll in the longer term effects of lost intellectual property, namely reputations tarnished and inevitable lawsuits from angry customers, financial institutions and partners.
Tod Beardsley, principal security research manager. Rapid7
Fengmin Gong, co-founder and chief strategy officer, Cyphort
Ken Griffin, director of IT operations and services, Harvard Business Publishing
J. Trevor Hughes, president and CEO, International Association of Privacy Professionals
Jeffrey Ingalsbe, CISO, Flexible Plan Investments
John D. Johnson, global security architect, John Deere
Tim (TK) Keanini, CTO, Lancope Sarah Lahav, CEO, SysAid Technologies
Steve Martino, vice president and CISO, Cisco
Miller Newton, president and CEO, PKWare
Kymberlee Price, senior director of researcher operations, Bugcrowd
Richard Rushing, CISO, Motorola Mobility
Arieh Shalem, CISO, Orange
Yan Zhu, software engineer, Yahoo
When Chris Valasek, former director of vehicle security at IOActive, and former Twitter executive Charlie Miller, both now on Uber’s security team, found a vulnerability in late 2013 to 2015 vehicles with a Uconnect feature, Chrysler Fiat was compelled to issue a voluntary recall of nearly 1.4 million Dodge, Chrysler and Jeep vehicles for a software update or risk attackers gaining access to cars whose IP addresses they could have uncovered. The carmaker, along with entertainment system provider Harman, now faces a class-action lawsuit.
Car companies. Banks. Government agencies. Insurance companies. Retailers. Casinos. Travel companies. Airlines. Attackers are hitting nearly everything these days. Truthfully, no one is immune. While some organizations stalwartly refuse, or just aren’t able, to see themselves as “data companies,” all are engaged in the gathering and distribution of information. Or, as happened in the breach of Target, they offer entre into another company that is.
Even hyper-vigilant organizations with almost limitless IT resources can still get hit, says Larry Ponemon, chairman and founder at the Ponemon Institute, pointing to JPMorgan Chase, which had data from 76 million households and seven million small businesses exposed in a data breach last year. “They were not able to contain what some would argue was a fairly unsophisticated malware attack,” he says. Which doesn’t bode well for those hit with more savvy attacks, often from unknown and unanticipated attackers.
Breaches are being planned and executed from all quarters – nation-states, hacktivists, bored teenagers, domestic criminals, corporate spies, nearly every group imaginable has thrown its hat into the data breach ring.
Alarmingly, PII of children is high ticket because of its longevity and children’s relatively blank slates – they haven’t established credit histories, they’re not monitoring their credit profiles and the like. The consequences of that stolen data can follow them for life, which is what makes the recent hack of VTech that much scarier.
Attackers on Nov. 14 stole a database from the popular Hong Kong-based educational toymaker that contained the information of nearly five million people, including more than 200,000 children.
“In a worst case scenario, this means that the stolen data could be used to build profiles of children that include their name, age, parent’s name, home address, and from chat logs, information that only a trusted adult would know, such as a child’s favorite toy and the name of their siblings,” Christopher Budd, global threat communications manager at Trend Micro, writes in a December blog.
While Budd notes that there was “no indication that the worst case has happened” – since the attacker “claims they are holding the data securely and won’t sell it” and no information has yet shown up on the black market – “that could always change.”
From bad to worse to worse yet
The data breach landscape is only going to get more complicated with organizations and consumers more vulnerable as the Internet of Things (IoT) comes to fruition. Not only will the volume of data increase as the number of devices grows, so too does the likelihood that those devices will be outside the direct control of IT security professionals.
“There’s a lot of malice and a lot of devices all around us and people doing bad things, dangerous things,” says John D. Johnson, a global security specialist. And, with everything from wearables and refrigerators to guns and baby monitors getting smarter – and more attractive to hackers – “we’re operating in an unsafe environment,” adds Johnson.
Indeed. Nearly three-quarters of industry professionals believe there is a medium or high likelihood of their organization being hacked as a result of the interconnectivity of IoT, according to the recent “IT Risk/Reward Barometer” report, conducted by ISACA. In surveying more than 7,000 IT and cybersecurity professionals, the report found a clear gap between consumers’ perception of IoT device security and the confidence level among cybersecurity professionals. Nearly two-thirds of U.S. consumers expressed confidence in their ability to control information conveyed through IoT devices.
Their fears are not unfounded: IoT devices typically lie outside the purview of IT security. Organizations haven’t planned for such smart and connected devices to have the ability to allow the bad guys to infiltrate their systems.
“A lot of enterprises have ignored it, and perceived [IoT devices] as low risk,” says Johnson.
That’s largely owing to the fact that IT people would not be aware if someone went out over the weekend and bought a new thermostat or coffee pot that could be used to gain access to corporate resources, says Sarah Lahav, CEO at SysAid Technologies, a global firm, with U.S. headquarters in Newton, Mass., that develops and provides IT service management software.
What to do, what to do…
With the threat of a data breach lying just beneath the surface, it is incumbent on organizations to put the time and resources into thwarting attackers. A Gartner study contends that IT security teams need to focus more on real-time monitoring, detection and response capabilities. The market research consultancy figures that 60 percent of enterprise information security budgets in 2020 will be allocated for rapid detection and response capabilities – that’s a substantial increase from the less than 10 percent earmarked in 2013.
Certainly practicing good cyber hygiene is a must – ensure that passwords are strong and changed often, train employees to spot tricks and techniques that might allow a hacker access (humans continue to be the weakest link in the chain, with social engineering still working surprisingly and alarmingly well), and set policies for accessing and sharing information.
But there are a number of other actions organizations can take to protect themselves from at least the bad effects of breaches.
Understand information assets. Organizations need to know what information is in their coffers and understand its value to hackers, then take steps to protect it. Information security pros need to understand “what it is we’re protecting,” says Jeffrey Ingalsbe, CISO at Flexible Plan Investments, a Bloomfield Hills, Mich.-based business management consultancy. “Threat detection is meaningless if I don’t understand the target.”
This requires a (sometimes monumental) shift in thinking to see the company as a data provider and therefore a data steward. Otherwise, they’re unlikely to anticipate a threat until it’s too late. With grave consequences.
Encrypt your data. Whether data is in motion or at rest, it should be encrypted – that way if anyone gets their hands on it, they’ll at least have to work to sort it out. But encryption is often seen as complicated and is pretty misunderstood, which causes companies to shy away from it, says Miller Newton, president and CEO at PKWare, a Milwaukee-based enterprise software company,.
But being able to encrypt and protect data will become increasingly important as the IoT comes to fruition. “In a world where there are a lot more sensors, it’s important that all data for sensors is encrypted when sent to the server that’s processing it,” says Yan Zhu, a software engineer and encryption advocate at Yahoo.
Privacy advocates, like whistleblower Edward Snowden, continue to hammer for encrypted communications. Snowden recently urged an audience during the “Why Privacy Matters: What Do We Lose When We Lose Our Privacy?” conference, hosted by the Hannah Arendt Center for Politics and Humanities at Bard College, to protect their privacy by using encryption to keep their messages private. “By embracing encryption you can armor your communications,” he said.
In late 2014, Mozilla, the Electronic Frontier Foundation and Cisco each announced they would be supporting the “Let’s Encrypt” project, aimed at providing free HTTPS for the entire internet. Let’s Encrypt later announced another milestone in its attempts to bring encryption to the world. Josh Aas, executive director of the Internet Security Research Group (ISRG), the nonprofit behind the project, said in a statement that “our certificates are now trusted by all major browsers.” Aas added, “This is a significant milestone since it means that visitors to websites using Let’s Encrypt certificates can enjoy a secure browsing experience with no special configuration required.” All major web browsers now trust the free Let’s Encrypt HTTPS certificates.
And Facebook now supports OpenPGP’s standard elliptic curve cryptography (ECC) public keys, the company said in a security blog. The new encryption option will offer higher levels of security for relatively smaller key sizes, the strings of code needed to lock and unlock messages, and is being widely adopted in modern cryptographic implementations.
Automate security where feasible. “Cisco blocks 19.6 billion threats a day,” according to Steve Martino, vice president and CISO at Cisco, or “more than the number of Google searches a day.” It’s impossible for humans and manual processes to keep up with everything. Automating whatever is possible and feasible can remove the likelihood of human error and also fill in the gaps when resources are stretched. Fengmin Gong, co-founder and chief strategy officer for Cyphort, a Santa Clara, Calif.-based security firm, says he is seeing more adaptive and sophisticated organizations adopt a “continuous monitoring, diagnostics and mitigation approach,” instead of employing an outdated “deploy and forget” approach. These businesses are using new tools to automate detection and incident response to make the most out of limited staffing, he adds.
Segregate what’s risky. Because organizations want to encourage the smooth flow of information, the lifeblood of business, they may be hesitant to cordon off certain information or devices. But segmenting networks and devices is often prudent, particularly when it comes to IoT. For example, “if you know about a device, it’s quite easy to set up a small firewall,” says SysAid’s Lahav.
“The first step to address IoT is to enumerate what’s on the network and put those devices in categories and assess risk,” says Johnson. “They have to build the knowledge and capacity to understand and manage these devices.”
PKWare’s Newton recommends ramping up security by creating a guest network to segregate certain devices.
Keep patches up to date. A year after the discovery of the infamous Heartbleed flaw, the vulnerability in the popular OpenSSL cryptographic software library was still affecting hundreds of thousands of devices. IoT search engine Shodan found that around 200,000 devices were harboring the bug. This suggests that the flaw may never be entirely eliminated and that not all who needed to had patched it. The Heartbleed vulnerability was discovered in April 2014 and, at the time, around 74 percent of Global 2000 organizations had not completed remediation of the bug. Later that year, more than half of the world’s major corporations had servers that were still vulnerable to the flaw.
“We need to make it mandatory that these connected devices have an automated way to remain updated,” says Tim (TK) Keanini, CTO at Lancope, an Alpharetta, Ga.-based provider of network visibility and security intelligence. “The internet cannot afford a growing population of insecure devices and this is what will happen if we do not take warning.”
Many devices may never be patched against Heartbleed and other vulnerabilities because the vendor no longer exists, the organization has limited IT security resources, and/or users don’t even know a problem exists.
But even for the most astute organizations, patching can be a challenge. “The time we used to have to patch has almost evaporated,” says Richard Rushing, CISO at Motorola Mobility, the Chicago-based mobile device computer technology company. “If I told you you have 24 hours to [patch something] that gives the bad guys a lot of time to hurt you.”
To expedite the protection offered by patches, Ingalsbe at Flexible Plan Investments says it might be time to consider an “unpatch” strategy, putting patches in place without testing them and having a plan to remove the patches if they have a negative impact on users.
Demand top-notch security from third parties with who you do business. It’s not good enough to know that your own security posture stands strong against breaches. Organizations must ensure that their third-party vendors and partners have solid protections and policies in place – not only to protect against breaches but to escape liability if a weakspot at a third party allows a hacker to enter other companies’ systems.
The Office of Management and Budget (OMB) recently unveiled a privacy framework in its update to “Circular A-130, Managing Information as a Strategic Resource,” that, among other things, requires federal agencies to loop in contractors – a significant requirement considering that many of the high-profile breaches or data exposures have come through third parties. The revision attempts to ensure that privacy training extends to “everyone that touches an agency,” says J. Trevor Hughes, president and CEO at the International Association of Privacy Professionals (IAPP).
And other organizations in the private sector are building security and privacy requirements into their contracts with third parties.
Risky business…include security in a risk model. When security is built into an organization’s risk model it can shift the relationship between the board and information security pros from adversarial to advisory, members of a panel recently told an audience at SC Congress Boston. Calling risk management “part of our DNA,” Ken Griffin, director of IT operations and services at Harvard Business Publishing, said his company “spent all last year getting a risk level that was appropriate.” His group considers risk in four areas – operational, brand, compliance and intellectual property – and then offers strategies around all of them. As a result, the tone of the conversations and security’s perceived role have shifted. Security “has gone from being the police force to being the police force working with the neighborhood watch,” said Griffin.
Actions speak louder than perimeter alarms. Traditional security tools, such as those that protect the perimeter, don’t cut it alone any longer. It’s almost inevitable someone is going to get in…and be in long before they’re spotted. VTech didn’t detect its breach until the press began reporting on it. Likewise, hackers tooled around in the State Department systems for quite some time until someone noticed. And the Federal Bureau of Investigation (FBI) routinely notes that many companies first become aware of breaches when its agents knock on the door. The warning: You need to spot an intrusion before any damage is done.
With that in mind, Arieh Shalem, CISO for Orange, one of Israel’s top three wireless telecommunications firms, advises that more dollars should be diverted to behavioral anomaly detection and active breach detection.
Further, user behavior analytics (UBA) may help enterprise security programs detect threats sooner, according to the “Understanding User Behavior Analytics” report conducted by Rapid7. Researchers there said that by monitoring user accounts, cloud usage, location of mobile BYOD use, and the lateral movement of information within systems, enterprises can gain insight into how employees use information to better detect abnormalities.
“While anti-malware, vulnerability research and regular penetration testing are all important, a mature security program needs to put significant focus on monitoring normal user behavior in order to tell what’s abnormal and malicious,” says Tod Beardsley, principal security research manager at Rapid7.
And Johnson underscores the importance of setting baselines for devices so that any activity outside the ordinary could be flagged as potentially suspicious and then alert IT or the consumer, depending on how and where the device is being used. “The toaster and fridge shouldn’t be sending out a whole bucketful of SMS messages,” says Johnson.
While taking prudent security steps won’t guarantee that attackers will be thwarted from penetrating corporate systems, it will help IT security pros spot the menacing adversaries lurking beneath the surface.