The old data breach proverb, “It is not a matter of if, but when,” has become somewhat cliché in information security circles, but it could not be any closer to the truth: Necessary preventative measures can only do so much, and companies will invariably be, well, ‘hax0red.’ What happens afterward is what will make or break the organization. That is right: A data breach is perfectly survivable. It is just a matter of having a specially tailored, yet malleable, game plan on standby before the breach is ever uncovered.
That way, when an executive or business owner gets the dreaded call that there has been a breach, what will be going through their head in lieu of panic?
“Thankfully we planned for this,” John Stewart, CSO of Cisco, says. A data breach is not a unique experience, he adds. “You're eventually going to be hit. It's not worth the effort of thinking you won't be hit. It's no longer a relevant conversation.”
Developing a data breach response strategy requires having a little understanding of breaches, knowing the trends, identifying where the organization could be most vulnerable, and figuring out the best course of action to take upon discovery of the incident.
An incursion does not always involve hacking into a computer and stealing relevant files. Sometimes it is as simple as physical documents containing personally identifiable information (PII) being inadvertently thrown in the trash. Additionally, a data breach can be intentional, such as an employee stealing data for his or her own nefarious purposes – a type of insider threat.
And insider threats are one of the most common vectors for breaches, along with phishing and attacks on web apps, says Barry Shteiman, director of security strategy with Imperva. He adds that vulnerabilities and other issues in third-party software also enable breaches, most notably in the banking sector, but also on commercial websites and retailers.
Insider threats involve compromising someone on the inside or being that individual on the inside with access to secure information, Shteiman says, explaining that many times lateral movement occurring within organizations is not from hackers, but from disgruntled staffers. In May, for instance, Home Depot began notifying 30,000 customers that an employee had accessed accounts and distributed some of the information – including payment card data – to third parties.
“Phishing bypasses a lot of security because it allows people to lure users, instead of systems, into doing whatever they want,” Shteiman says. “Hackers attacking web apps and getting to the data behind [those apps] – that might be [through] malware.”
At Imperva, Shteiman sees what customers are experiencing and analyzes that data to identify the trends. Of note, he says he observed that some vulnerabilities being used in modern-day breaches date back to 2009. That means companies are not patching software, so attackers can have just as much success taking advantage of old flaws as they would buying newer and more expensive exploits on underground markets.
Shteiman poses a sobering thought: At least one of those aforementioned breach vectors is probably happening on your network right now.
And Shteiman is not alone. When CyberArk conducted its “Annual Global Advanced Threat Landscape” survey earlier this year, 52 percent of the 373 IT security executives and other senior management from around the world who responded said that they believe an attacker is already present on their network.
Unfortunately, not all organizations have the resources to analyze data internally for the development, implementation and management of cyber incident response plans. For smaller businesses, Stewart encourages aligning with separate groups that can be entrusted with IT security systems. “Use the major organizations that do these types of things,” Stewart says. “I think outside people can be very beneficial.”