It's 2015, and it's not a stretch of the imagination to say that the majority of the population has either been a victim of a data breach or at the very least knows someone who has. With so many breaches of users' data, the inevitable question arises: "What will they do with my data?" The usual follow-up question is "When will they use the data?"
The first part is easy; the second more difficult.
What's done with the data, and when?
Compromised data is used in a wide variety of ways. It can be used for identity theft, credit card purchases, access to other accounts and to apply for credit in your name. It can also be used for ransom payments, threats and intimidation, be posted on public sites for embarrassment, used as blackmail and competitive advantage, or sold on the black market.
It should be noted that compromised data may not be used as soon as it is breached. While some breached information may be used instantly (credit cards used for purchases, for example), other data may be held for some time. Social Security numbers may be held for later use (sometimes many years later) in identity theft, or they may be parceled out for sale or trade -- at which point the cycle of misuse may begin again. Large breaches of email accounts may be held for future spam and phishing attacks, which are becoming an easy attack vector for cybercrime.
How to respond
So what can be done to prevent or respond to this and ensure corporate data protection? First, ensure that you have a robust, scalable and holistic security function; that is key. This includes executive leadership, planning, implementation, architecture, staffing and incident response. Each of these elements plays a significant role in a successful security function, and the lack of one may increase risk. For example, without executive support, getting approval for funding, staffing and strategy can be more difficult. Without an incident response plan in place, security incidents can quickly escalate.
Recent breaches at Sony and the U.S. Office of Personnel Management indicate that their security postures were not as robust as they should have been. We should take their stories as lessons to be learned. It can be argued that corporate data protection and security were not priorities in their organizations. After all, they both had prior security events and were questioned on their posture previously, but no actions or improvements were undertaken. The lesson? Always perform a full review of security incidents and ensure that the necessary improvements are made promptly. In addition, be constantly assessing your policies, processes and infrastructure. Judge these against current best-in-class solutions, such as next-generation firewalls, advanced persistent threat defenses and log correlation and alerting solutions. Even if you have established a secure baseline, you must constantly evolve your defenses as the threats evolve.
Three action points to ensure corporate data protection
Let me leave you with three points to focus on: Do all that you can to ensure early detection; have methods to observe exfiltration of data; and train for incident response.
Many, if not all, of the major breaches and compromises of the last few years have shown that the attackers had access to the networks and data for a great deal of time before detection. Some of the hacked entities determined that they'd been compromised for two years or more! The longer the attack goes undetected, the greater the damage.
It's critical to have methods in place to observe when data is leaving your network, whether as a large one-time transfer or as an ongoing trickle to IP addresses outside your network. Knowing your baseline of what normal traffic looks like is key to determining anomalies.
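As an added illustration of that baseline-versus-anomaly idea (example code written for this page, not from the original article), the script below runs two simple checks over a constructed set of per-day flow records: a host whose external egress jumps well above its own baseline, and a host that contacts the same outside address day after day regardless of volume. It assumes 10.0.0.0/8 is the only internal range and that the destination addresses are constructed samples.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow log (not real traffic): (day, source host, destination IP, bytes sent).
FLOWS = [
    ("d1", "ws-17", "10.0.0.5", 120_000), ("d1", "ws-17", "192.0.2.10", 40_000),
    ("d2", "ws-17", "10.0.0.5", 110_000), ("d2", "ws-17", "192.0.2.10", 35_000),
    ("d3", "ws-17", "10.0.0.5", 130_000), ("d3", "ws-17", "192.0.2.10", 45_000),
    ("d4", "ws-17", "10.0.0.5", 125_000), ("d4", "ws-17", "192.0.2.10", 38_000),
    ("d5", "ws-17", "10.0.0.5", 115_000), ("d5", "ws-17", "203.0.113.9", 9_000_000),  # bulk upload
    ("d1", "db-02", "198.51.100.7", 2_000), ("d2", "db-02", "198.51.100.7", 2_100),   # daily trickle
    ("d3", "db-02", "198.51.100.7", 1_900), ("d4", "db-02", "198.51.100.7", 2_200),
    ("d5", "db-02", "198.51.100.7", 2_050),
]
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the only internal address range

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def daily_egress(flows):
    """Bytes per (host, day) sent to external addresses only; internal traffic is ignored."""
    totals = defaultdict(int)
    for day, host, dst, nbytes in flows:
        if is_external(dst):
            totals[(host, day)] += nbytes
    return totals

def bulk_exfil_alerts(flows, baseline_days, k=3.0):
    """Flag any host/day whose external egress exceeds mean + k*stdev of that host's baseline days."""
    totals = daily_egress(flows)
    alerts = []
    for host in {h for h, _ in totals}:
        base = [totals.get((host, d), 0) for d in baseline_days]
        threshold = mean(base) + k * pstdev(base)
        for (h, day), n in totals.items():
            if h == host and day not in baseline_days and n > threshold:
                alerts.append((host, day, n))
    return sorted(alerts)

def persistent_external_peers(flows, min_days=5):
    """Flag (host, external dst) pairs seen on at least min_days distinct days, however small the volume.
    Known-good destinations (SaaS, update servers) must be allowlisted in practice to keep this quiet."""
    days = defaultdict(set)
    for day, host, dst, _ in flows:
        if is_external(dst):
            days[(host, dst)].add(day)
    return sorted(pair for pair, seen in days.items() if len(seen) >= min_days)
```

With days d1 to d4 as the baseline, only ws-17 on d5 trips the volume check, while db-02's trickle never exceeds its own baseline and is caught only by the persistence check.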
Finally, we all know that security events are a way of life, and that a big one can occur at any time. During an attack is not the time to be tweaking, testing or developing your incident response plan. Ensure that the staff you need are aware of their roles and duties, fully trained and tested, so that no instruction is necessary when the time comes. Only with a well-developed and practiced plan can you identify, contain and eradicate the attack, and return to normal business as quickly as possible.
The attacks will continue unabated as long as they continue to be successful. We can take steps to reduce the possibility of a security incident, but when they occur we need to be ready to identify and address them expeditiously.