Data Breaches – why are we not learning?

The Marriott group has just been hit with a data breach: 500 million account details, the biggest in quite a while.  As a security professional, I am amazed at how many of these breaches we see weekly.  As always, a company like Marriott will be embarrassed about what happened and will try to manage the fallout from its very angry customers.  Let's leave it at that for now.

No one is ever fully immune to a cyber attack.  All it takes is one person clicking the wrong link in an email, and it is game over.  Yet many of these attacks are so simple in nature that it is no wonder you keep hearing of some teenager managing to hack Apple.  Media hype aside, anyone downloading a copy of Kali Linux and looking for basic exploits is not a hacker; they just found a basic hole in a site that the owner should have protected in the first place.

Companies that get hacked do not want to reveal the inner details of how the hack occurred, as it may point to a bigger issue, such as how they treat information security.  The case of Yahoo a few years back showed a CEO (Marissa Mayer) who did not consider information security important enough, and as a result the company suffered a number of breaches.

Not all is lost.  There is hope for all of us.  It does require a few basic things.

Firstly, admit that you are not immune.  An attack can happen to anyone.  It doesn’t matter how good you think you are, someone out there is better, smarter, and more determined to breach your network than you are to protect it.  Admitting you’re not immune, and convincing your management that you’re not immune is the first step.

Next up, you need to get buy-in to do something about it.  This can be challenging.  Information Security is like insurance: you don't think you need it until you have an accident, and then you hope you had it.  Convince your management of the importance of a proper security program.

Should you decide to go down the path of an ISO27001 certification (which is both time consuming and expensive), you'll know that a risk assessment, with proper control implementation, is at the core of the certification.

You don't need to implement ISO27001; a few very basic controls will already provide you with a huge amount of protection.  If you have an online web presence, and the web is your primary business focus, I would propose the following (non-exhaustive) list of controls.

  • User Awareness is key.  With all the technology in the world we can build the most secure system there is, but all it takes is one person clicking on a phishing email and entering their credentials, or downloading malware, and it's game over.  Train your staff in the basics of secure password and credential handling, how and where to store sensitive data, and how to treat suspicious emails.  And do it regularly.  People forget, they get complacent, they think it won't happen to them.  Keep at it.  Every few months, remind them of their responsibility for security within your organisation.
  • Protect the credentials.  Where you can, implement multi-factor authentication (Google Authenticator is free, a YubiKey is about $30 per person).  Implement a strong password policy.  Change passwords every 30 to 90 days if your policy or compliance regime requires it, and always immediately when a credential is known or suspected to be compromised; be aware that NIST SP 800-63B no longer recommends routine forced rotation, because it tends to produce weaker, predictable passwords.
  • Protect the server perimeter.  If you are hosting in something like AWS (Amazon Web Services), there really is no excuse: you can design a very secure network with CloudFormation templates, encryption, load balancers and all the bells and whistles.  All of that is useless if you do not set it up right.  Spend time and money on a proper architectural design of your network.
  • Encrypt.  If you're not running on HTTPS, you should be; certificates are free from Let's Encrypt, so cost is no excuse.  Nothing ever justifies running on plain HTTP.
  • Patch, Patch, Patch!  Seriously, why are you not patching?  WannaCry spread through an SMB vulnerability that Microsoft had already patched (MS17-010) two months before the outbreak; the machines that were hit were the ones that had not applied it, including old Windows XP systems that companies couldn't (or wouldn't) patch or retire, and many companies suffered.  Don't wait.  If you are not patching your entire system regularly, you are increasing your risk.
  • Anti-Virus, another very basic control.  Windows makes it easy: just enable Windows Defender.  On Linux, ClamAV is a free solution that can do the job (it is a signature scanner rather than a full endpoint protection product, so it is best used for scanning uploads and mail attachments).  If you want something more high end, Trend Micro Deep Security can also help.
  • Monitor.  Tools like Splunk can monitor every aspect of your network and alert you when things go wrong.  Check things like server patching status, login attempts and malware detections, and respond quickly.
  • Secure Coding.  If your web developers are not coding securely, either give them training or get a developer who knows what they're doing.  Your project's budget may be limited, but consider the implication when the site gets hacked: will your organisation be able to afford that?
  • Scan your site.  Before you go live, do a thorough security assessment of your website.  With Kali Linux, OWASP ZAP and various other tools you can get a very good sense of whether your site is ready for production.  You could also engage a professional pen-tester to assess the security of your site.  Don't be afraid to ask for help.
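The Monitor control mentions watching login attempts.  As an added example (not from the original post, and not a Splunk search), the following script runs the same detection logic over a few constructed sshd-style auth log lines: it raises an alert when one source address racks up a threshold of failed logins inside a sliding time window, and a second, more urgent one if a login from that source then succeeds.  The threshold, window and log year are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5        # failed logins from one source address ...
WINDOW_SECONDS = 60  # ... within this many seconds triggers an alert

# Matches the OpenSSH "Failed password" / "Accepted publickey" style of line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log: one noisy source, one legitimate key login, one stray failure.
SAMPLE_LOG = """\
Nov 30 10:15:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Nov 30 10:15:03 web1 sshd[2203]: Failed password for invalid user test from 203.0.113.45 port 51024 ssh2
Nov 30 10:15:05 web1 sshd[2205]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2
Nov 30 10:15:06 web1 sshd[2207]: Failed password for root from 203.0.113.45 port 51026 ssh2
Nov 30 10:15:08 web1 sshd[2209]: Failed password for root from 203.0.113.45 port 51028 ssh2
Nov 30 10:15:09 web1 sshd[2211]: Failed password for ubuntu from 192.0.2.9 port 33001 ssh2
Nov 30 10:15:11 web1 sshd[2213]: Failed password for root from 203.0.113.45 port 51030 ssh2
Nov 30 10:15:14 web1 sshd[2215]: Failed password for root from 203.0.113.45 port 51032 ssh2
Nov 30 10:15:20 web1 sshd[2217]: Accepted password for root from 203.0.113.45 port 51034 ssh2
Nov 30 10:15:25 web1 sshd[2219]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""


def parse_line(line: str, year: int = 2018):
    """Return (timestamp, result, user, source) or None for lines we don't track.
    syslog timestamps carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_brute_force(lines, threshold: int = THRESHOLD, window: int = WINDOW_SECONDS):
    """Sliding-window count of failures per source address. Returns alert strings."""
    failures = defaultdict(deque)  # source -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        recent = failures[src]
        while recent and (ts - recent[0]).total_seconds() > window:
            recent.popleft()  # expire failures older than the window
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(f"brute force: {len(recent)} failed logins from {src} "
                              f"within {window}s (last user '{user}')")
        elif result == "Accepted" and src in flagged:
            # A success after a burst of failures is the case to act on first.
            alerts.append(f"possible compromise: successful login for '{user}' "
                          f"from {src} after repeated failures")
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(alert)
```

The interesting signal is the second alert: a burst of failures is noise you will see every day on an internet-facing host, but a success from the same source right afterwards is the event that should page someone.  The same two-stage logic translates directly into a scheduled search in Splunk or any other SIEM.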
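For the Secure Coding and credential storage points, here is an added example (not code from the original post) of the two defects a scan of a typical site finds first, each beside its fix: a lookup that splices user input into SQL, and the same lookup with a bound parameter; then password storage as salted PBKDF2 with a constant-time check instead of clear text or a bare fast hash.  The table, user names and PBKDF2 work factor are assumptions for the example.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 600_000  # assumed work factor; tune so one hash takes ~100 ms on your hardware


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", 1), ("bob", 0)])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str):
    """Insecure: the input becomes part of the SQL text, so a quote in the
    username changes the query's grammar (classic SQL injection)."""
    query = f"SELECT username, is_admin FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str):
    """Secure: a bound parameter is sent as data and is never parsed as SQL."""
    return conn.execute(
        "SELECT username, is_admin FROM users WHERE username = ?", (username,)
    ).fetchall()


def hash_password(password: str, salt: bytes = None) -> str:
    """Store passwords as salted PBKDF2-HMAC-SHA256. A random per-user salt
    defeats precomputed tables; the round count makes guessing slow.
    Returns 'rounds$salt_hex$hash_hex' so the parameters travel with the hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    conn = setup_db()
    payload = "x' OR '1'='1"  # the textbook injection string
    print("vulnerable:", find_user_vulnerable(conn, payload))  # every row comes back
    print("safe:      ", find_user_safe(conn, payload))        # no such user
    record = hash_password("correct horse battery staple")
    print("verify:", verify_password(record, "correct horse battery staple"))
```

The vulnerable function is exactly what a ZAP or sqlmap run will light up, and the fix is not input filtering but never letting data reach the SQL parser.  The same rule applies to OS commands, LDAP filters and HTML output: keep data and code on separate channels.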

ISO27001's Annex A has 114 controls that are all relevant and valid.  The list above is my pick of the controls that would already provide you a lot of protection.

What do you think – which controls do you think would also add value?

About: massyn

