Three Key Principles of Security: How Many Are You Following?
By Buzz Hillestad
Sixty-three percent of all cyber-attacks are perpetrated by criminals who want to steal data to sell or otherwise monetize it. The fraud markets around the world are teeming with money, as electronic files have made it much easier and much more lucrative to commit certain types of fraud. Why is it so easy for criminals to steal data? What can we do to make it tougher for them?
Let’s take a look at a recent case to see where there might be some indicators of what IT security is doing wrong.
Four and a half million people had their medical information stolen in a recent cyberattack on the UCLA Health System. An article in the LA Times about this story had this quote: “…there is no indication that any information was stolen, the hospital system said, but it couldn't rule that out.” They were able to ascertain that the attackers had been in certain spots of the network but did not know whether or not anything was exfiltrated. It’s very possible - and likely - that it was.
Detection is key!
This is the first big problem in security today: organizations have no way to monitor what is leaving their networks. Data loss prevention systems, second-generation firewalls, and log correlation can make a forensic investigator out of a savvy IT person. These technologies need to be present in enterprise networks. Otherwise, you will be left scratching your head like UCLA was.
According to The LA Times, “UCLA Health has been investigating suspicious activity on its network since October, but the intrusion wasn't confirmed until May.”
Response is key!
Time to detection is a huge issue in the industry, as well. It’s not just about whether or not there is suspicious activity going on. You also need to be able to very quickly determine who, what, when, where, why, and how. Log correlation and alerting along with intrusion detection systems are necessary for enterprise networks for this very reason. Having a good incident response strategy and protocol is also key. If UCLA detected intruders in October, why did they not go into incident response mode immediately? Why did they not figure out the root cause of the incident and fix it? Seven months is a very long time to have attackers roaming around on your network exfiltrating data at will.
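To make the egress monitoring and log correlation called for in the two sections above concrete, here is an added example (written for this article, not code from the author or from any product mentioned here): it totals outbound bytes per host per day from a flow log and flags any host whose daily volume exceeds ten times its own median baseline. The log format, hostnames, addresses, byte counts and the 10x threshold are all assumed and constructed for illustration.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample flow log, "date,src_host,dst_ip,bytes_out" (format assumed).
# ws-042 shows normal volumes for three days, then a very large outbound transfer.
SAMPLE_LOG = """\
2015-10-01,ws-042,203.0.113.10,120000
2015-10-02,ws-042,203.0.113.10,130000
2015-10-03,ws-042,203.0.113.12,110000
2015-10-04,ws-042,198.51.100.7,4800000000
2015-10-01,db-007,203.0.113.10,50000
2015-10-02,db-007,203.0.113.10,52000
2015-10-03,db-007,203.0.113.10,51000
2015-10-04,db-007,203.0.113.10,49000
"""

def parse_flows(text):
    """Parse log lines into (day, host, dst, bytes); skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        day, host, dst, nbytes = parts
        flows.append((date.fromisoformat(day), host, dst, int(nbytes)))
    return flows

def egress_alerts(flows, factor=10, min_history=2):
    """Return (host, day, bytes_out, baseline) for each day on which a host's
    outbound volume exceeds factor x the median of its previous days."""
    per_host = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        per_host[host][day] += nbytes          # total bytes out per host per day
    alerts = []
    for host, per_day in per_host.items():
        history = []                           # earlier days' totals, oldest first
        for day in sorted(per_day):
            total = per_day[day]
            if len(history) >= min_history and total > factor * median(history):
                alerts.append((host, day, total, median(history)))
            history.append(total)
    return alerts

if __name__ == "__main__":
    for host, day, total, baseline in egress_alerts(parse_flows(SAMPLE_LOG)):
        print(f"ALERT {day} {host}: {total} bytes out, baseline {baseline:.0f}")
```

On the constructed log this raises a single alert for ws-042 on the fourth day; the same per-host baseline approach works on real NetFlow or firewall exports once the parser is adapted to their fields.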
Layered security is key!
Lastly, why are attackers so easily getting into IT networks? The answer can be found within the UCLA story again. They couldn’t stop the hackers, they couldn’t detect them initially, and they couldn’t respond to them well. Why? Because they did not have a layered security approach.
If you think of each security control in your enterprise as a speed bump, you might start to understand layered security. The more speed bumps you have, the more time you have to detect and respond to an incident. The vast majority of clients I work with initially stake their entire existence on one or two technologies, or speed bumps. We have to change this. We have to make it tougher for these attackers to make their dollar.
We are losing the war against hacking. It doesn’t have to be that way. Criminals always take the path of least resistance to make their money. Currently, electronic fraud is so easy that we have cases of drug dealers and mob bosses converting their businesses over to electronic fraud. The pool of black-market fraud players grows daily.
We have to increase our detection rates, have an appropriate response to incidents, and have as many speed bumps in our enterprise networks as budget will allow. The time to start using these three principles is now.
Buzz Hillestad is a Principal Consultant at Helix in South Dakota.