Security Experts Discuss What Lessons Were Learned from 2014’s Data Breach Deluge
To be exact, 904 million records were compromised in 2014, a record-breaking year in every sense of the word “record.” While a great deal was lost, monetarily and even psychologically (a sense of security), a great deal was learned as well. In a far-ranging piece on cio.com, Steve Ragan has security experts offer their observations on what organizations can take away from a very tough learning experience. The following has been excerpted from his article and edited to fit this format. You may find the complete, unedited article by clicking on this link.
Like candy from a baby
This year’s security problems have taught organizations a valuable lesson about protecting the supply chain and offering awareness training to staff and vendors. From phishing to weak third-party access, criminals walked in through the back door, and out the front, with relative ease.
Difficult to defend
“Businesses today have a maze of complex dependencies on outside service providers and suppliers. This makes a complex attack surface, and that in turn makes defenses weak. The more complex our infrastructure, the harder it is for defenders to see it all and understand its weaknesses,” commented Dr. Mike Lloyd, CTO at RedSeal.
Another lesson learned this year centers on the risk of keeping all of one’s eggs in a single basket. As mentioned, twenty incidents reported in 2014 exposed one million records or more each, but three of them alone accounted for a combined 489 million records.
Adam Kujawa, head of Malware Intelligence at Malwarebytes Labs, said that the JPMorgan Chase breach was a perfect example of how the damage from an incident can be reduced by segmentation. “Attackers were able to steal millions of customers’ personal information such as names, emails, addresses, etc. However, they were unable to steal the actual financial data. That kind of data was hidden away behind another layer of security and one that was apparently impossible for attackers to get to,” Kujawa said.
“If all organizations used practices similar to that, then regardless of a breach, there would be a lot less damage in the aftermath.”
No longer a luxury
“Today, security is rapidly shifting to an imperative – auditors look for it, regulators demand it, and customers expect it. Cost is no longer the limiting factor – boards are willing to spend money to steer clear of the wrong kind of news coverage. The limiting factor is complexity – you can’t segment what you can’t map, and too many organizations have effectively lost the blueprints of the infrastructure they run their businesses on,” he explained.
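The two points above (segmentation limits what an intruder can reach, and you cannot segment what you have not mapped) can be checked mechanically against flow data. The following is an added example, not code from the article or from any of the vendors quoted in it: it takes a hypothetical zone map, a hypothetical list of permitted zone-to-zone paths, and a few constructed flow-log lines, then reports accepted flows that cross a zone boundary the policy does not allow, and separately reports addresses that belong to no mapped zone at all (the “lost blueprints” case, where segmentation cannot even be evaluated). The zones, CIDRs, policy and log lines are all assumptions for illustration.

```python
import ipaddress

# Constructed zone map for a hypothetical network (CIDR -> zone name).
ZONES = {
    ipaddress.ip_network("10.10.0.0/16"): "web",
    ipaddress.ip_network("10.20.0.0/16"): "customer-pii",
    ipaddress.ip_network("10.30.0.0/16"): "financial",
    ipaddress.ip_network("10.40.0.0/16"): "vendor-access",
}

# Hypothetical segmentation policy: the only zone-to-zone paths that should
# carry traffic. Deliberately, nothing reaches "financial" except the web tier
# and the financial zone itself, mirroring the extra layer described above.
ALLOWED = {
    ("vendor-access", "web"),
    ("web", "customer-pii"),
    ("web", "financial"),
    ("customer-pii", "customer-pii"),
    ("financial", "financial"),
}

# Constructed flow records: timestamp source destination dport action.
FLOW_LOG = """\
2014-08-01T10:00:01 10.40.1.5 10.10.2.3 443 ACCEPT
2014-08-01T10:00:02 10.10.2.3 10.20.5.9 5432 ACCEPT
2014-08-01T10:00:03 10.40.1.5 10.20.5.9 5432 ACCEPT
2014-08-01T10:00:04 10.20.5.9 10.30.7.1 1521 ACCEPT
2014-08-01T10:00:05 10.40.1.5 10.30.7.1 1521 ACCEPT
2014-08-01T10:00:06 10.40.1.5 192.168.9.9 22 ACCEPT
2014-08-01T10:00:07 10.40.1.5 10.30.7.1 1521 DROP
"""


def zone_of(ip_text):
    """Return the zone an address belongs to, or None if it is unmapped."""
    ip = ipaddress.ip_address(ip_text)
    for net, zone in ZONES.items():
        if ip in net:
            return zone
    return None


def parse_flows(text):
    """Parse the whitespace-separated flow format used by FLOW_LOG."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "action": action})
    return flows


def audit(text):
    """Return (violations, unmapped).

    violations: list of (src_zone, dst_zone, flow) for accepted flows that
                cross a zone boundary not present in ALLOWED.
    unmapped:   set of addresses that fall in no zone; those flows are not
                judged, because a path you cannot map cannot be segmented.
    """
    violations, unmapped = [], set()
    for flow in parse_flows(text):
        if flow["action"] != "ACCEPT":
            continue  # only traffic that actually crossed matters here
        src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
        for addr, zone in ((flow["src"], src_zone), (flow["dst"], dst_zone)):
            if zone is None:
                unmapped.add(addr)
        if src_zone is None or dst_zone is None:
            continue  # reported via `unmapped`, not as a policy verdict
        if (src_zone, dst_zone) not in ALLOWED:
            violations.append((src_zone, dst_zone, flow))
    return violations, unmapped


if __name__ == "__main__":
    found, missing = audit(FLOW_LOG)
    for src_zone, dst_zone, flow in found:
        print(f"VIOLATION {flow['ts']} {flow['src']}->{flow['dst']}:"
              f"{flow['dport']} ({src_zone} -> {dst_zone})")
    for addr in sorted(missing):
        print(f"UNMAPPED {addr}: no zone assigned, segmentation not evaluable")
```

On the constructed log this flags three accepted flows (vendor access into the PII zone, PII into financial, and vendor access straight into financial) and one address that the zone map does not cover. The dropped flow on the last line is ignored, since a blocked attempt is a firewall event rather than a segmentation failure; a real deployment would read the zone map from a source of record such as an IPAM export and feed it flow logs in bulk.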
Criminals prefer personal information
Criminals are starting to favor PII over financial information, because it’s easier to sell and leverage. To put it simply, the banks are making it harder to use stolen credit card details due to anti-fraud advancements.
Michele Borovac, VP at HyTrust, pointed out that while it’s relatively easy to cancel a credit card, it’s much harder to track down and recover your identity if it’s stolen. “Attackers with a few pieces of personal information can parlay that data into new credit card applications, online account access and many other nefarious – but lucrative – activities,” Borovac said.
Big data, big breach
“Big Data leads to Big Theft,” said Dr. Lloyd. “Cyber criminals are savvy about risk vs. reward – if we make big piles of data, they are willing to put in more effort to get in to take it.”
HyTrust’s Borovac agrees:
“The primary reason that we’re seeing breaches of this magnitude is that data and applications are becoming more concentrated. As organizations consolidate and virtualize data centers, it becomes easier for someone who gets in to get everything.”
Lessons are lost on some
Despite 2014 being a record-setting year for data breaches, for most organizations security is still an after-the-fact, bolted-on addition.
“Security professionals at heart have known for over a decade now that security, like all business practices, is ultimately dictated by ROI. Until companies feel that they will lose customers due to security concerns, there is no good business reason to address them with the same attention that they do sales or any other income-generating business infrastructure piece,” said Carl Vincent, security consultant at Neohapsis.