Companies can spend money fixing coding errors or invest millions in the latest and greatest security technologies, but still leave the business at risk to a major security breach if employees aren't properly trained and appropriate policies aren't set and enforced.
The biggest mistake leading to a data security breach is often pinpointed by investigators as a fundamental security error, according to a panel of experts who discussed the topic of data breaches Wednesday. The panel discussion, sponsored by security vendor, Bit9 Inc., included Bob Russo, general manager of the PCI Security Standards Council, Rich Baich, partner at Deloitte and Touche and former CISO of ChoicePoint and Tom Murphy, chief strategist of data protection vendor, Bit9.
"As an industry we look for exceptions and look for holes, but we end up focusing on holes so much that we don't pay attention to the foundation," Murphy said. "We need to build that foundation of security across all infrastructure."
Data security breaches have come back to the forefront this week with the federal grand jury indictment of a Miami man and Two Russian hackers for their alleged role in pulling off the biggest data security breach in U.S. history. More than 130 million credit and debit cards were stolen from Heartland Payment Systems Inc., Hannaford Brothers Co., 7-Eleven Inc. and two unnamed companies. While the breach, which according to the indictment, involved a SQL injection attack, the expert panelists warned that simple employee mistakes often lead to data leakage.
"The weakest link in the chain is and always has been the people," Russo said. "While malware and exploits tend to get creative, the way they get introduced into the network is really not so creative."
Deloitte's Baich, who served as CISO of ChoicePoint when a breach in 2004 exposed the personal data of 145,000 people, said the apparent rise in breaches is likely associated with the increase in breach notification laws and an increased vigilance of security teams. ChoicePoint's breach may never had been known if it wasn't for California's landmark Security Breach Information Act, SB 1386.
The lesson learned from the ChoicePoint breach and many others since, is to keep an eye on how breaches are occurring, Baich said. In the case of ChoicePoint, someone beat the company's credential verification process and set up phony accounts to pilfer thousands of records.
"It's not just traditional technology and hacking," he said. "Individuals can and will circumvent the business process … No matter how much money and effort could be spent, it wasn't going to mitigate the risk associated with someone potentially being able to do the same thing in the future."
The company ended up exiting the $20 million business it created, Baich said.
Still, it was ChoicePoint's fraud detection systems that discovered an anomaly and in the case of later breaches, companies could have avoid problems and caught cybercriminals in the act if they just paid attention to their logs, Russo said.
"People are concerned with running their business and making a profit and doing what they need to do and security, unfortunately, often takes a back seat," Russo said. "All of the stuff we're seeing out there is generally captured in the logs."
Russo believes the minimum standards outlined by PCI help companies get their security programs in check, but he pointed out that compliance and security are two different things.
" I don't' think there's ever going to be a silver bullet," Russo said. "Our standards are quite prescriptive and a lot of people use it as a springboard … an opportunity to get security as the foundation of everything they do … but It's about security, not about compliance."
The panelists called on companies to tap into the wealth of security information in the form of guidance documents put together by special interest groups in specific technical areas. Don't just have a security policy and process documentation, but enforce it and educate end users about it, the y said. Murphy touted his company's application whitelisting approach, which enables IT to set clear policy on what employees can download and install on their machines. If an application is not on an approved list, then it is not allowed to run, he said.
"It takes away some of burden and ambiguity over whether something is in policy and out of policy and puts to work stuff that people struggle with – how to educate people to let them know what's allowed and what's not allowed," Murphy said.