We’ve seen massive, high-profile corporate data breaches before, but what strikes me about the breach epidemic of 2011 is the near-total inability of high-profile organizations to protect their most precious digital assets.
Forgive what may seem like hyperbole, but for a variety of reasons these recent incidents redefine information security failure. Let’s briefly recap the most egregious examples:
- RSA SecurID breach began with spear phishing attack: At least one employee of EMC Corp.’s security unit fell victim to a targeted email attack; digital criminals combined social engineering and malicious attachments, exposing details about RSA’s highly profitable SecurID authentication product. To its credit, as one of the most prominent brands in information security, RSA had technology in place to detect and stop the attack quickly, likely limiting the damage it would have otherwise caused.
- Automattic security incident: The company behind the popular WordPress blog platform had what it called “a low-level (root) break-in” involving several servers, resulting in what apparently was the theft of sensitive, custom source code.
- Sony reveals PlayStation Network hack: In what could be one of the largest known data breaches ever, attackers circumvented Sony’s self-described “very sophisticated security system” and stole personal data belonging to more than 75 million members, an amount equivalent to a quarter of the U.S. population. Customers’ encrypted credit card data may have been pilfered as well.
And that list doesn’t even include significant website attacks at McAfee Inc. and Barracuda Networks Inc., plus the HBGary Federal fiasco, which would surely be this year’s Darwin Award winner for information security (or lack thereof), if there were one.
While all of these recent data breaches or losses were caused by different gaps in security controls involving both process and technology, they all represent a fundamental inability to protect what enterprises value most: intellectual property and customer data.
It’s difficult to know the precise extent to which these organizations tried to guard against these sorts of events, but industry onlookers should understand the valuable lesson these events have to offer: The “business-as-usual” approach toward breach prevention isn’t working. If an organization like RSA, which understands security better than most enterprises and stakes its reputation on its own security, tried and ultimately failed to prevent persistent attackers from stealing some of its most sensitive intellectual property, it does not bode well for the average enterprise trying to do the same.
I believe there are two key lessons: enterprises must proactively seek out their security weaknesses (of all types) before attackers do; even then, enterprises must be prepared to fail, and to respond accordingly.
“To best counter targeted attacks, one must conduct counter-threat operations (CTOps). In other words, defenders must actively hunt intruders in their enterprise,” wrote Mandiant Corp. CSO Richard Bejtlich in the recently published Information Security Magazine Essential Guide to Threat Management.
Bejtlich offers great insight on how to justify the CTOps approach and build a team that will do the work, but the essential takeaway is to foster an ongoing, creative search for intruders and weaknesses rather than waiting for alerts. It is not only about identifying threats and weaknesses, but also about operationalizing those approaches with reliable technology and repeatable processes so security analysts can put them to work. Say what you will about attackers, but if nothing else they are highly motivated and persistent; to keep up, enterprises must compensate with innovation.
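As an illustration of what “actively hunting intruders” can look like once it is turned into a repeatable process, here is an added example (not code from the article, from Mandiant or from Bejtlich) that hunts for beaconing in web proxy logs: an internal host that contacts the same external server at nearly constant intervals, which is how much command-and-control traffic behaves. The log format, host names, addresses and thresholds are all assumptions constructed for the example.

```python
# Beacon hunt over web proxy logs (added example, not from the article).
# Assumed log format (hypothetical, one request per line):
#   <epoch_seconds> <src_ip> <dst_host> <bytes_out>
import statistics
from collections import defaultdict

# Constructed sample data: 10.0.0.5 reaches cdn-update.example.net every ~300 s
# with very little jitter (beacon-like); 10.0.0.7 browses www.example.org at
# irregular intervals; mail.example.org is seen too rarely to judge.
SAMPLE_LOG = """\
1300000000 10.0.0.5 cdn-update.example.net 412
1300000300 10.0.0.5 cdn-update.example.net 412
1300000598 10.0.0.5 cdn-update.example.net 412
1300000901 10.0.0.5 cdn-update.example.net 412
1300001200 10.0.0.5 cdn-update.example.net 412
1300001501 10.0.0.5 cdn-update.example.net 412
1300001801 10.0.0.5 cdn-update.example.net 412
1300002098 10.0.0.5 cdn-update.example.net 412
1300002400 10.0.0.5 cdn-update.example.net 412
1300002700 10.0.0.5 cdn-update.example.net 412
1300000000 10.0.0.7 www.example.org 1820
1300000012 10.0.0.7 www.example.org 9311
1300000352 10.0.0.7 www.example.org 602
1300000357 10.0.0.7 www.example.org 4471
1300001257 10.0.0.7 www.example.org 23010
1300001318 10.0.0.7 www.example.org 118
1300001320 10.0.0.7 www.example.org 3399
1300001770 10.0.0.7 www.example.org 7702
1300001803 10.0.0.7 www.example.org 250
1300002503 10.0.0.7 www.example.org 1201
1300000100 10.0.0.5 mail.example.org 5120
1300001900 10.0.0.5 mail.example.org 5120
"""


def parse_proxy_log(text):
    """Parse the assumed log format into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, size = line.split()
        events.append((int(ts), src, dst, int(size)))
    return events


def find_beacons(events, min_events=8, max_jitter=0.15):
    """Return (src, dst, median_interval_s, jitter) for each src/dst pair whose
    inter-request intervals are nearly constant.

    jitter is the coefficient of variation (stdev / mean) of the intervals;
    human browsing is bursty and scores high, timer-driven traffic scores low.
    The thresholds are starting points for an analyst, not tuned values.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:          # too few samples to judge periodicity
            continue
        stamps.sort()
        intervals = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        jitter = statistics.stdev(intervals) / mean
        if jitter <= max_jitter:
            hits.append((src, dst, statistics.median(intervals), round(jitter, 3)))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, period, jitter in find_beacons(parse_proxy_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: every ~{period:.0f}s (jitter {jitter})")
```

The output is a lead list, not an alert: legitimate software updaters and monitoring agents beacon too, so the analyst’s next step is to check the destination and the process behind it. Tightening the hunt, for example by also requiring near-constant request sizes (the 412-byte requests above) or restricting to destinations never seen before, is the kind of iteration the repeatable process should make easy.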
That said, however hard an enterprise works to protect its data, some failures are unavoidable and breaches will happen. Lenny Zeltser, security consulting practice director for St. Louis-based infrastructure and hosting provider Savvis Inc., told me this week that organizations should plan for a breach and know the key steps needed to mitigate the damage well before an incident begins.
“Whenever you’re a company with lots and lots of employees, all of whom can be socially engineered, the attack surface is so large that you can do as much as you can to build up your technology and processes to resist attacks, but you will be compromised,” Zeltser said. “Design your response strategy with that assumption.”
In a year when the unparalleled proliferation of mobile devices and the rapid depletion of Internet Protocol version 4 addresses are among the issues that should be top-of-mind for security pros, it’s unfortunate that this new stream of high-profile data breaches has been a dominant industry storyline. It’s one we’ve seen many times before, but let’s hope enterprises understand it’s time to adopt a new approach to data protection. Enterprises have nothing to lose, except, of course, the data they value most.
About the author:
Eric B. Parizo is senior site editor of TechTarget’s Security Media Group. His rants can also be heard each month on SearchSecurity.com’s Security Squad podcast.