If you plan for breaches to happen instead of focusing solely on trying to prevent them, what changes?
Everything. Merely dealing with threats as they surface is no longer enough, according to Trend Micro’s 2014 Annual Security Roundup, “Magnified Losses, Amplified Need for Cyber-Attack Preparedness.” Acting on risk assessment results before security incidents happen is more beneficial.
Start with the biggest cause of last year’s breaches — malicious outsider attacks exemplified by POS-RAM scraping, says Trend Micro. These were the attacks that struck Home Depot and Target.
POS RAM scrapers are not exploits of previously unknown software flaws. They are malware that reads card data out of the payment application's memory during the short window between the card swipe and the moment the data is encrypted for transmission; the attacker still needs a way onto the POS systems first, and an unpatched vulnerability is one such way. That is where the report's other major concern comes in: zero-day vulnerabilities, flaws in software that the vendor does not yet know about, which Trend Micro vividly defines as “gaping security holes left unpatched in widely used software and platforms.” Heartbleed (a bug in the OpenSSL library) and Shellshock (a bug in the Bash shell) showed that open-source components running on Linux and UNIX systems were just as exposed as anything else, despite the common belief that they were more secure, or less targeted, than commercial operating systems such as Windows.
That exposure makes a good case for using a software-as-a-service model from a reputable company, Trend Micro says, and we couldn’t agree more. It pushes the security burden and the software updates onto a team whose job is staving off attacks. SaaS providers have just as hard a time defending against zero-day attacks, but the vulnerabilities become their problem rather than your team’s, and their team will usually have more resources and expertise for dealing with them than yours does. Using a SaaS model therefore gives your team more time to work on other internal weaknesses. One caveat: outsourcing the software does not outsource accountability for the data, so you still need to vet the provider’s patching record and understand which controls remain yours. (3Delta Systems’ Payment WorkSuite payment gateway and CardVault tokenization solution are both SaaS models.)
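To make the RAM-scraping discussion above concrete, here is an added example (not code from the original post, from Trend Micro, or from 3DSI) of what such malware searches for in a payment application’s memory, and why a tokenized record gives it nothing to find. The memory images are constructed; the card number is the standard 4111… test PAN, and the token format is an assumption, not CardVault’s.

```python
"""Added example: the pattern match a POS RAM scraper applies to process memory.
Memory buffers below are constructed; the PAN is a standard test number."""
import re

# Track 2 layout as written by a magstripe reader: ';' PAN (13-19 digits) '='
# expiry YYMM, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; scrapers use it to discard random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape(memory: bytes) -> list:
    """Return (PAN, expiry) for every Luhn-valid Track 2 record in the buffer."""
    hits = []
    for m in TRACK2_RE.finditer(memory):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append((pan, m.group(2).decode()))
    return hits


# Constructed memory image of a POS process holding one cleartext track plus a
# digit run that looks like a track but fails Luhn (a scraper would skip it).
CLEARTEXT_MEMORY = (
    b"\x00\x00POSAPP v4.2\x00\x00"
    b";4111111111111111=25121011234567890?"      # test PAN, expiry 12/2025
    b"\x00heap noise ;1234567890123=2512101?\x00"  # fails Luhn, ignored
)

# Constructed memory image of a POS process that only ever held a token
# (assumed token format): no PAN is present to scrape.
TOKENIZED_MEMORY = (
    b"\x00\x00POSAPP v4.2\x00\x00"
    b"token=tk_8f3a9c2e1b7d4e5f;last4=1111;exp=2512\x00"
)

if __name__ == "__main__":
    print(scrape(CLEARTEXT_MEMORY))   # [('4111111111111111', '2512')]
    print(scrape(TOKENIZED_MEMORY))   # []
```

The scraper needs nothing more than a regular expression and a checksum, which is why the defence is not to hide the data better but to ensure it is never in the terminal’s memory in cleartext at all: encrypt at the read head, or tokenize before the application ever sees the PAN.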
But if you do use open software, how can it be hardened against attack?
“Open-source initiatives can greatly benefit from a more stringent review process in keeping with quality assurance as part of a good software development lifecycle,” Trend Micro said.
Commercial software obviously needs the same diligent reviews and attention to quality assurance before shipping. Attackers read the same vulnerability advisories that legitimate customers do, and they routinely reverse-engineer a vendor’s patch to build a working exploit within days, so the window between a patch’s release and its installation is the real exposure. Busy company IT departments, meanwhile, have other priorities that always appear more urgent than patching software.
Because most IT departments have more work than they can handle, Trend Micro said, “affected companies and individuals should consider technologies that can provide virtual patches for vulnerable software before a vendor does so.” Virtual patching means blocking the traffic that exploits a known flaw at an intrusion-prevention system or web application firewall in front of the vulnerable software, which buys time until the real patch is installed. There’s no need to wait for a breach; deploying these controls preventively is the sensible course.
Data loss accidents
After malicious outsiders, who accounted for the greatest number of data breaches in 2014, Gemalto’s “2014 Year of Mega Breaches and Identity Theft” report identified accidental data loss (i.e., employee mistakes) as the second biggest category. “It’s a bit perplexing that so many breaches could be caused by accident and shows that companies need to do a better job of preventing mishaps that can lead to data loss,” Gemalto commented.
Trend Micro and the Ponemon Institute’s “Second Annual Study on Data Breach Preparedness” echo this suggestion, with Trend Micro calling for “stronger password management policies and employee awareness training” and Ponemon advising that “more companies need to have training and awareness programs. Employees who are not made aware of their responsibilities when handling sensitive information or answering questions about steps to protect customer information can be the company’s weakest link.”
Malicious attacks and unaware employees produce most breaches, but the real issue is that most companies simply aren’t prepared for them. The Ponemon Institute reports that organizations’ primary tools for protecting data need additional support.
Hackers at work
Ponemon recommends security information and event management (SIEM) technology, combined with continual monitoring and analysis of NetFlow records and packet captures. Correlating that data against a baseline surfaces the anomalies that shout “hackers at work”: malformed packets, connections to hosts a POS terminal has no business talking to, or a terminal that suddenly sends hundreds of megabytes to an external address at 2 a.m., which is exactly what a large card-data exfiltration looks like on the wire.
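The following is an added example (not code from the original post or from Ponemon) of the simplest version of that flow analysis: sum each internal host’s outbound bytes to external destinations and flag any host that blows past its own baseline. The flow records are constructed in a simplified CSV form, the internal address range and the per-host baselines are assumptions, and a real SIEM would compute the baseline from earlier days rather than hard-coding it.

```python
"""Added example: flag hosts whose external outbound volume is far above baseline.
Flow records and baselines below are constructed / assumed."""
import csv
import io
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed: the store LANs


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_bytes(flow_csv: str) -> dict:
    """Sum bytes each internal host sent to external (non-RFC1918) destinations."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if is_internal(row["src"]) and not is_internal(row["dst"]):
            totals[row["src"]] += int(row["bytes"])
    return dict(totals)


def flag_exfiltration(flow_csv: str, baseline: dict,
                      factor: float = 10.0, floor: int = 50_000_000) -> list:
    """Return (host, bytes_sent, baseline) for hosts at or above `factor` times
    their baseline AND above an absolute floor. The floor stops a quiet host
    that merely doubled a tiny baseline from paging someone at night."""
    alerts = []
    for host, sent in sorted(outbound_bytes(flow_csv).items()):
        base = baseline.get(host, 0)
        if sent >= floor and sent >= factor * max(base, 1):
            alerts.append((host, sent, base))
    return alerts


# Constructed: one day of flows. 10.1.20.7 (a POS terminal) pushes ~600 MB to an
# external FTP server overnight; the other hosts show ordinary traffic.
FLOWS = """ts,src,dst,dst_port,bytes
2014-12-01T02:10:00Z,10.1.20.7,203.0.113.45,21,314572800
2014-12-01T02:14:00Z,10.1.20.7,203.0.113.45,21,314572800
2014-12-01T09:00:00Z,10.1.20.7,10.1.1.10,8443,42000
2014-12-01T09:05:00Z,10.1.20.8,10.1.1.10,8443,45000
2014-12-01T09:06:00Z,10.1.20.8,198.51.100.9,443,1200000
2014-12-01T10:00:00Z,10.1.1.10,198.51.100.9,443,9000000
"""

# Assumed per-host daily outbound baselines (bytes), as a SIEM would learn them.
BASELINE = {"10.1.20.7": 1_500_000, "10.1.20.8": 1_400_000, "10.1.1.10": 8_000_000}

if __name__ == "__main__":
    for host, sent, base in flag_exfiltration(FLOWS, BASELINE):
        print(f"ALERT {host}: sent {sent:,} bytes externally (baseline {base:,})")
```

Volume is only one signal; the same records also reveal the destination port (FTP from a cash register) and the hour, and a production rule would combine all three. The point is that none of this requires packet contents, so it works even when the exfiltration channel is encrypted.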
That technology is just a piece of what Ponemon identifies as the best practice for data breaches: a comprehensive plan for your organization to follow when one happens. If your organization already knows what to do the moment a breach is detected, it doesn’t waste time working that out before acting. Such a plan includes identifying the single authority who directs the response when the alarms go off, a key role that’s often missing and whose absence leads to confusion, wasted time and potentially greater data loss when hackers strike.
Many companies do create breach plans, but then let them gather dust, which renders them worthless.
“Regularly reviewing, updating and practicing a data breach plan based on changes in the threat landscape and a company’s structure are essential for properly managing a breach,” Ponemon said.
To learn more about protecting your data with software-as-a-service and tokenization, explore 3DSI’s CardVault.