Big-name data breaches have earned headlines throughout the past 12 months, bringing issues of security and privacy to the forefront of public discourse once again.
In May, hackers used malware stolen from the National Security Agency to unleash the global WannaCry ransomware attack. Around the same time, attackers exploited a vulnerability in an Equifax web server to steal the credit information of more than 145 million Americans. And findings released in September reveal that hackers in a 2013 Yahoo breach made off with the account information of 3 billion users — three times as many as Yahoo originally estimated.
The financial and reputational risks of such a breach are enough to make any organization rethink its security strategy. Thankfully, IT leaders can learn from others’ mistakes.
The Case for a Multilayered Defense
Most major security incidents in the past decade stemmed from organizations failing to patch known vulnerabilities in their environments.
The May WannaCry outbreak, for example, spread across networks by exploiting a security hole in Microsoft Windows, even though Microsoft had discovered and released a patch for the vulnerability in March. The more than 200,000 victims of the attack failed to apply the patch in time to prevent the infection and potential loss of data.
Similarly, the Equifax breach resulted from a known vulnerability in Apache Struts. Former Equifax CEO Richard Smith testified before Congress that the Department of Homeland Security notified Equifax of the vulnerability on March 8, and the Equifax security team scanned the environment on March 15 to detect any servers requiring the patch. Unfortunately, the scans did not identify an unpatched server used to support Equifax’s online credit dispute portal. That failure eventually led to the May breach.
One must wonder whether additional layers of defense, such as penetration testing, intrusion prevention or malware callback detection could have identified the oversight or detected these vulnerabilities more quickly. While we’ll never know for sure, what is clear is that patching and vulnerability scans, though extremely important, cannot guarantee security. Organizations must build multilayered defenses to protect themselves from modern cyberthreats, including the dreaded zero-day attack.
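The Equifax account above turns on a scan that never saw the vulnerable server. The following check, added here as an illustration and not code from the article or from any organization it names, reconciles an asset inventory against scanner output so that hosts the scanner never reported on, hosts whose last scan predates the advisory, and hosts still flagged vulnerable are each surfaced separately. All hostnames, verdicts and the inventory are constructed; the March 8 advisory and March 15 scan dates follow the timeline given in the text.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class ScanResult:
    host: str
    scanned_on: date
    vulnerable: bool  # scanner's verdict for the advisory being tracked

def coverage_report(inventory, results, advisory_date, as_of, max_age_days=7):
    """Reconcile the asset inventory against scan output and return the hosts
    never scanned, scanned too early (before the advisory or before
    as_of - max_age_days), still flagged vulnerable, or scanned but not inventoried."""
    latest = {}
    for r in results:  # keep only the most recent result per host
        if r.host not in latest or r.scanned_on > latest[r.host].scanned_on:
            latest[r.host] = r
    report = {"never_scanned": [], "stale": [], "vulnerable": []}
    cutoff = as_of - timedelta(days=max_age_days)
    for host in sorted(inventory):
        r = latest.get(host)
        if r is None:
            report["never_scanned"].append(host)
        elif r.scanned_on < advisory_date or r.scanned_on < cutoff:
            report["stale"].append(host)
        elif r.vulnerable:
            report["vulnerable"].append(host)
    # Hosts the scanner saw but nobody inventoried are a gap the other way.
    report["unknown_hosts"] = sorted(set(latest) - set(inventory))
    return report

# Constructed inventory; the dispute portal host never appears in the scans.
INVENTORY = {
    "web-01.example.internal": "public website",
    "web-02.example.internal": "public website",
    "batch-01.example.internal": "nightly batch jobs",
    "dispute-portal.example.internal": "online credit dispute portal",
}
# Constructed scan output (hostnames and verdicts are made up).
SCAN_RESULTS = [
    ScanResult("web-01.example.internal", date(2017, 3, 15), False),
    ScanResult("web-02.example.internal", date(2017, 3, 1), True),
    ScanResult("web-02.example.internal", date(2017, 3, 15), True),
    ScanResult("batch-01.example.internal", date(2017, 3, 7), False),
    ScanResult("legacy-app.example.internal", date(2017, 3, 15), False),
]

def demo_report():
    """Run the check as of March 16, with the March 8 notification as advisory date."""
    return coverage_report(INVENTORY, SCAN_RESULTS, date(2017, 3, 8), date(2017, 3, 16))
```

A host in `never_scanned` is the case the article describes: the patch campaign can only be declared complete once that list is empty.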
Preparing for the Inevitable
Because today’s attackers have the skills and resources to penetrate even the most well-guarded defenses, most security professionals agree that it’s no longer a question of if an organization will be breached but when. Every organization should establish and practice a rapid response plan that outlines communication processes and immediately initiates critical steps, such as engaging third-party experts and investigating the breach.
In the case of Equifax, the firm maintained a response plan but was too slow to implement it. The security team observed suspicious network activity on July 29 but did not engage outside assistance until Aug. 2, four days later. The 2013 Yahoo breach went undetected and uninvestigated for years, causing a new wave of reputational damage when revelations about the breach emerged last month.
The lesson here is evident: Organizations must institute sound incident response procedures that prompt immediate action. They should also keep experts on retainer for when the when happens — after all, CISOs don’t want to find themselves negotiating an agreement for forensic services in the middle of a crisis.