2014 will be remembered as the Year of the hack. Sony, Target, Home Depot, UPS, even Victoria couldn’t keep herself Secret. The list of breaches is depressing.
How do you avoid being the next? This article will answer that question. But, if you’re looking for a quick fix, move along.
What’s Been Tried Before
Firewalls / Intrusion Detection
A firewall won’t stop someone who already holds valid credentials, and it does nothing about attacks that originate inside the network perimeter.
“Myth: Firewalls make your data secure. In fact, 40% of Internet break-ins occur in spite of a firewall being in place.”
Data Security Challenges – Oracle9i Security Review
Strong Authentication / Multi-factor Authentication / Single Sign-on
Often the damage is done by someone who already holds valid credentials. Ask Home Depot, which was breached by attackers who logged in with a third-party vendor’s user ID and password. Do not base the entire defense on the front door.
“Neither top secret clearance, sophisticated authentication nor the most advanced encrypted information systems can necessarily stop an intended breach action. These security procedures are not designed to detect real-time actions and anomalous business processes from authorized personnel. These practices are just the “moat around the castle” approach upon which most current cybersecurity technologies are based. Current national security breaches clearly show we need to do more.”
Is Cyber Security an Inside Job? – Larry Karisny – Digital Communities
Antivirus Software
Signature-based antivirus doesn’t stop attacks in flight. By the time a signature for a new piece of malware has been identified, two more variants have been created and taken root elsewhere.
“In the bigger picture, furthermore, the anti-virus software was irrelevant, contends Chester Wisniewski, a senior security advisor at anti-virus vendor Sophos. “A smart attacker in a targeted environment will always bypass your anti-virus,” he says, and especially if they’re trying to take down a retailer the size of Home Depot.”
Analysis: Home Depot Breach Details – Mathew J Schwartz – Bank Info Security
I’m not saying these practices are invalid, but they are insufficient.
What’s Missing
A determined attack will gain access to its intended target. It’s impossible to harden every entry point sufficiently to prevent all attack vectors. You must have a way to minimize damage once the inevitable unauthorized entry occurs.
“Organizations should stop thinking about breach prevention, accept they’re going to be breached, change their mindset, and think about how they will protect and store their data.”
Stop Worrying About Data Breach Protection – Info Security Magazine
Strong Authorization
The authorization controls commonly used today do not counter the threat of a determined attacker. Take a prime example: how did a low-level government contractor download terabytes of highly sensitive data from the NSA? The answer: inadequate authorization controls.
“Organizations that lack these controls are vulnerable to attacks waged by individuals who have legitimate accounts on the network but seek to misuse their access for malicious purposes. This risk, known as the “insider threat” is one of the most insidious causes of data breaches.”
How to avoid the five most common causes of data breaches – Mike Chappel – Certification Magazine
Audit trail
If an operation is important enough to be guarded by a policy enforcement point, every request to it should be recorded there, whether it was allowed or denied. That record gives you integrity over operations: you can answer who did what, when, from where, and with what result, and nobody can later claim an access never happened.
“The most important step that you can take to protect your organization against improperly configured access controls is to perform regular auditing.”
How to avoid the five most common causes of data breaches – Mike Chappel – Certification Magazine
Periodic Review
Circulate daily reports of access requests to sensitive resources, and actually read them. Then devise heuristics that flag anomalies automatically: a subject appearing from a location never seen before, off-hours access to sensitive data, a day’s volume far above that subject’s own baseline, a burst of denied requests. If Home Depot had conducted regular reviews, perhaps it wouldn’t have taken five months to detect the illegal activity in its networks.
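The Audit trail and Periodic Review sections above describe a record per guarded request and a daily review that flags anomalies. The following is an added example, not code from the original post: a small Python review script run over a constructed audit trail whose fields are the who, what, when, where and result a policy enforcement point should log. The subjects, object names, the classification of which objects count as sensitive, and all thresholds are assumptions made for illustration.

```python
"""Periodic review of an audit trail: heuristics that flag anomalous access.
Added example. The audit lines, subjects, objects, what counts as 'sensitive'
and every threshold are constructed for illustration.
Line format: <ISO timestamp> <subject> <operation> <object> <location> <result>
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample trail: three days, one vendor account that goes bad on day 3.
AUDIT_LOG = """\
2014-09-02T09:12:03 alice read customer_db/pii HQ-LAN ALLOW
2014-09-02T09:40:11 alice read customer_db/pii HQ-LAN ALLOW
2014-09-02T10:05:45 bob read pricing/catalog HQ-LAN ALLOW
2014-09-02T14:20:09 vendor-hvac read hvac/telemetry VPN-vendor ALLOW
2014-09-03T09:02:13 alice read customer_db/pii HQ-LAN ALLOW
2014-09-03T09:30:57 alice read customer_db/pii HQ-LAN ALLOW
2014-09-03T11:15:00 bob read pricing/catalog HQ-LAN ALLOW
2014-09-03T13:05:39 vendor-hvac read hvac/telemetry VPN-vendor ALLOW
2014-09-04T02:11:07 vendor-hvac read pos/card_data VPN-vendor DENY
2014-09-04T02:11:09 vendor-hvac read pos/card_data VPN-vendor DENY
2014-09-04T02:11:12 vendor-hvac read pos/card_data VPN-vendor DENY
2014-09-04T02:13:40 vendor-hvac read pos/card_data store-4471 ALLOW
2014-09-04T02:14:02 vendor-hvac read pos/card_data store-4471 ALLOW
2014-09-04T02:14:30 vendor-hvac read pos/card_data store-4471 ALLOW
2014-09-04T02:15:01 vendor-hvac read pos/card_data store-4471 ALLOW
2014-09-04T02:15:44 vendor-hvac read pos/card_data store-4471 ALLOW
2014-09-04T02:16:20 vendor-hvac read pos/card_data store-4471 ALLOW
2014-09-04T09:05:10 alice read customer_db/pii HQ-LAN ALLOW
2014-09-04T09:44:28 alice read customer_db/pii HQ-LAN ALLOW
2014-09-04T10:30:00 bob read pricing/catalog HQ-LAN ALLOW
"""

SENSITIVE_PREFIXES = ("customer_db/", "pos/")  # assumed data classification
BUSINESS_HOURS = range(7, 20)                  # 07:00-19:59 local time, assumed
VOLUME_FACTOR = 3.0        # flag a day that exceeds 3x the subject's own daily baseline
DENY_BURST = 3             # this many denials from one subject ...
DENY_WINDOW_SECONDS = 300  # ... inside five minutes looks like probing

def parse(log):
    """Parse audit lines into dicts; a malformed line is an error, not silently skipped."""
    records = []
    for n, line in enumerate(log.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 6:
            raise ValueError(f"line {n}: expected 6 fields, got {len(parts)}")
        ts, subject, op, obj, location, result = parts
        records.append({"ts": datetime.fromisoformat(ts), "subject": subject, "op": op,
                        "object": obj, "location": location, "result": result})
    return records

def is_sensitive_read(rec):
    return rec["object"].startswith(SENSITIVE_PREFIXES) and rec["result"] == "ALLOW"

def review(records, day):
    """Findings for one ISO date, using every earlier day in the trail as the baseline."""
    today = [r for r in records if r["ts"].date().isoformat() == day]
    history = [r for r in records if r["ts"].date().isoformat() < day]
    findings = []

    # 1. A subject appearing from a location never seen for it before.
    known = defaultdict(set)
    for r in history:
        known[r["subject"]].add(r["location"])
    reported = set()
    for r in today:
        key = (r["subject"], r["location"])
        if r["location"] not in known[r["subject"]] and key not in reported:
            reported.add(key)
            findings.append(("new_location",) + key)

    # 2. Allowed access to sensitive objects outside business hours.
    off_hours = Counter(r["subject"] for r in today
                        if is_sensitive_read(r) and r["ts"].hour not in BUSINESS_HOURS)
    findings += [("off_hours_sensitive", s, n) for s, n in off_hours.items()]

    # 3. Sensitive-read volume far above the subject's own daily baseline.
    per_day = defaultdict(Counter)  # subject -> {day: allowed sensitive reads}
    for r in history + today:
        if is_sensitive_read(r):
            per_day[r["subject"]][r["ts"].date().isoformat()] += 1
    for subject, counts in per_day.items():
        prior = [n for d, n in counts.items() if d < day]
        baseline = sum(prior) / len(prior) if prior else 0.0
        if counts[day] > VOLUME_FACTOR * max(baseline, 1.0):
            findings.append(("volume_spike", subject, counts[day], baseline))

    # 4. A burst of denials from one subject: someone testing what they can reach.
    denied = defaultdict(list)
    for r in today:
        if r["result"] == "DENY":
            denied[r["subject"]].append(r["ts"])
    for subject, times in denied.items():
        times.sort()
        for i in range(len(times) - DENY_BURST + 1):
            if (times[i + DENY_BURST - 1] - times[i]).total_seconds() <= DENY_WINDOW_SECONDS:
                findings.append(("deny_burst", subject, len(times)))
                break
    return findings

if __name__ == "__main__":
    for finding in review(parse(AUDIT_LOG), "2014-09-04"):
        print(*finding)
```

Run against the constructed trail, the review of 2014-09-04 yields four findings, all against the vendor account: a new location, six off-hours reads of card data, a volume spike against a baseline of zero, and the burst of denials that preceded them. Any one heuristic is noisy on its own; several of them landing on one subject in one night is exactly the signal a daily report should surface, and the two quiet days before it yield nothing.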
Confidentiality
Encryption should be the default for every network connection, test environments included (especially test environments, because they are the ones that get forgotten). Budget for the extra servers the added load requires. Manage the keys wisely. Consider the added cost cheap insurance.
“In the aftermath of security breaches at Target, Home Depot, and JP Morgan Chase, executives are reexamining their data breach risks. Hacksurfer reports on a recent survey of IT professionals that found 53 percent of organizations were investing more in data security after these high-profile cyber attacks.”
In Data Security, Compliance Isn’t Enough – Max Schleicher – TechInsurance
Secure Coding
This drum is beaten elsewhere so I won’t here.
There is no Silver Bullet
Ask Staples – the easy button doesn’t work. Be wary of those who tell you otherwise. The good news: it’s not complicated. It requires a focused effort across the following:
- Strong Authorization – Add mandatory policy enforcement points at every access point reachable over the network, including those downstream of ‘secured’ interfaces.
- Use declarative policy enforcement mechanisms like SELinux, PAM, sudo, ModAuth, Java EE security to safeguard the infrastructure.
- Use programmatic, fine-grained access control to safeguard data access within the applications.
- Use centralized Policy Decision Points (PDP) capable of efficient data access (it will be busy).
- Cryptography – encrypt data in-flight, sensitive data at rest. Hash all passwords.
- Audit – track access requests to objects, operations along with subject, location, time, date and result details.
- Review – conduct regular reviews of policies and audit logs to verify compliance.
- Secure coding techniques – employ these practices while still in development. Conduct code scans of applications already in production.
- Use automated testing to verify security functionality.
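The list above asks for mandatory enforcement at every access point, including the ones downstream of the front door, fine-grained data-level checks, a centralized policy decision point, hashed passwords, an audit record for every decision, and automated tests of the security functionality. The following is an added example that puts those pieces together in Python; it is not code from the original post or from any particular product, and the policy, role names, customer records and the store-ownership rule are assumptions made for illustration.

```python
"""Centralized policy decision point (PDP) enforced at two layers, an audit
record for every decision, and salted password hashing. Added example: the
roles, users, records and the store-ownership rule are assumed, not real."""
import hashlib, hmac, os
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed policy: role -> permitted (operation, object type) pairs.
ROLE_PERMS = {
    "clerk": {("read", "order")},
    "manager": {("read", "order"), ("read", "customer")},
    "vendor": {("read", "hvac")},
}
USER_ROLES = {"alice": {"manager"}, "bob": {"clerk"}, "vendor-hvac": {"vendor"}}
# Constructed records; owner_store is the attribute the fine-grained rule checks.
CUSTOMERS = {
    "c-1": {"name": "J. Doe", "owner_store": "store-12"},
    "c-2": {"name": "A. Roe", "owner_store": "store-99"},
}
AUDIT = []  # in-memory trail for the demo; ship it off-host in production

@dataclass
class Request:
    subject: str
    operation: str
    obj_type: str
    obj_id: str
    location: str
    attrs: dict = field(default_factory=dict)  # subject attributes, e.g. home store

def decide(req):
    """PDP: coarse role check first, then a data-level rule on the record itself."""
    roles = USER_ROLES.get(req.subject, set())
    allowed = any((req.operation, req.obj_type) in ROLE_PERMS.get(r, ()) for r in roles)
    if allowed and req.obj_type == "customer":
        record = CUSTOMERS.get(req.obj_id)
        # Assumed rule: a customer record is readable only by staff of the owning store.
        allowed = record is not None and record["owner_store"] == req.attrs.get("store")
    return allowed

def enforce(layer):
    """PEP decorator: ask the PDP, audit who/what/where/when/result, then allow or deny."""
    def wrap(fn):
        def guarded(req):
            allowed = decide(req)
            AUDIT.append({"when": datetime.now(timezone.utc).isoformat(), "layer": layer,
                          "subject": req.subject, "operation": req.operation,
                          "object": f"{req.obj_type}/{req.obj_id}", "where": req.location,
                          "result": "ALLOW" if allowed else "DENY"})
            if not allowed:
                raise PermissionError(f"{layer}: {req.subject} denied {req.operation} on {req.obj_id}")
            return fn(req)
        return guarded
    return wrap

@enforce("data")
def read_customer(req):
    """Data-layer access point: enforces even when the API layer has been bypassed."""
    return CUSTOMERS[req.obj_id]

@enforce("api")
def api_get_customer(req):
    """Front-door access point; both layers decide and both layers audit."""
    return read_customer(req)

# Password storage: per-user salt, iterated hash, constant-time comparison.
PBKDF2_ROUNDS = 200_000  # assumed tuning; raise it as hardware allows

def hash_password(password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def try_access(fn, req):
    """(allowed, value) for a guarded call; a denial becomes (False, None)."""
    try:
        return True, fn(req)
    except PermissionError:
        return False, None

if __name__ == "__main__":
    alice = Request("alice", "read", "customer", "c-1", "HQ-LAN", {"store": "store-12"})
    bob = Request("bob", "read", "customer", "c-1", "store-12", {"store": "store-12"})
    print(try_access(api_get_customer, alice))  # allowed at the api layer and again at data
    print(try_access(read_customer, bob))       # denied: the clerk role lacks read:customer
    for entry in AUDIT:
        print(entry)
```

Two points to notice. `read_customer` is guarded on its own, so calling it directly, the way an attacker who has slipped past the web tier would, still produces a decision and an audit entry; the front door is not the only door. And the unit test for this module is the automated security test the last item calls for: it should assert on the denied cases (wrong role, wrong store, unknown subject) and on the audit entries they leave behind, not only on the happy path.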
Will these measures guarantee that your company’s systems won’t be breached? No, but you won’t look like a big, juicy, red Target either. 🙂
Systems architect, security guy, open-source advocate and avid cyclist.