Our security model is broken and needs to be revamped. If JP Morgan – with a budget of $250 million and 1,000 security professionals – cannot stop or detect a major security breach, there is little hope for the rest of us. Unless something changes.
We need granular encryption of personal information at rest and in transit everywhere; second-factor authentication, including system administrators; better privilege-access controls; continuous vulnerability monitoring; and prescriptive security regulations. Now!
There have been a slew of high-profile security breaches recently, including the JPMorgan Chase security breach. The financial institution has more than 1,000 security pros on staff. If JP Morgan can be breached, then what does that mean for the rest of the enterprises in the U.S.? It means that everyone is susceptible to major breaches; no one is safe.
Why? Because our security model is broken. Too often, critical baseline security safeguards are not implemented. And, of course, risk-based regulations are not helping.
We must change our business security model. Specifically, all known security breaches either exploit some vulnerability to install malware, obtain escalated user access privileges, or both, in order to gain access to sensitive data. A breach occurs and goes undetected because the critical security safeguards that would mitigate it are not in place.
Preventive security safeguards that should have been implemented yesterday need to be deployed today – without debate about risk since we know the results of that approach.
Specifically, second-factor authentication (something you know combined with something you have or something you are) needs to be used over both external and internal networks for all staff, vendors and customers. We all know that password-based authentication was obsolete 10 years ago.
Sensitive data encryption at rest needs to be pervasively implemented at a granular level so that all data access is limited, even for privileged users. Too often, encryption is implemented at the disk or database level, not at the field level.
As well, privileged access monitoring and controls need to be in place to limit the use of privileged accounts to the minimum necessary and to monitor or review that use.
And, continuous vulnerability monitoring should be occurring over the whole network, not at arbitrary intervals on some network segment.
These critical controls should be in place wherever sensitive information is stored and processed.
We need better and prescriptive security regulations. Current regulations are interpretative, based on judgmental risk assessments by the enterprise, and many rely on self-compliance.
Security risk assessments are often performed by unqualified individuals and often used to justify not doing anything because “it never happened before,” or “I will assume the risk,” etc. Too many enterprises do the minimum necessary to comply with regulations.
We need security regulations that specifically prescribe necessary technical controls and remove ambiguities.
Finally, compliance with security regulations should be enforced and have monetary consequences for non-compliance, similar to consumer product protection safeguards regulated by state and federal agencies.
If the scale and the frequency of security breaches, whether driven by cybercriminals or government-sponsored, are to subside, we need a new security model. We need to deploy technical security safeguards that address today's threats, and we need more prescriptive security regulations.
Craig Shumard is principal of Shumard and Associates, a security consulting firm.