Breaches, Hacks, and Data Theft! Oh My!

The past several years have seen an incredible increase in the security threats targeting businesses, and the results haven't been pretty.  The news has barely scratched the surface of all the major companies hacked / breached / data leaked... whatever term you want to use, they all mean the same thing...

Their cybersecurity and IT Security Architecture Failed!

When companies like Kia Motors, Apple manufacturing supplier Quanta, and even the NBA get breached, it sends a clear message: Cybersecurity is integral to businesses.  And once we stop ignoring the reality of new sophisticated attack vectors, constant zero-day threats, and the waning capabilities of traditional Antivirus & Firewall solutions, we are left with the question: What can we do?

This is why the statement "Security is a process, not a product" is so important to understanding the methodology and approach required to be a successful Cybersecurity engineer.  We have to protect businesses from attackers, but most importantly - from themselves.

What do I mean by this?

  • A huge percentage (approximately 94%) of Ransomware attacks still come from email.  There is only so much that can be done to train users, improve email filtering technologies, and generate automated policies to handle these threats.
  • Insider threats are increasing year after year - to the point where roughly 33% of data breaches have an insider component.  This could be due to negligence or to employees actively trying to exfiltrate data - but regardless, insider threats are increasing.  The reason for this is simple - data is proving to be valuable, as attackers have demonstrated, so employees are becoming more and more willing to risk their livelihood by stealing key data from their employers to make money.
  • Unintentional data leakage is also becoming a problem.  As the workforce trends remote, we have to handle the security threats from devices we do not manage.  Routers, other computers on the network, tablets, mobile devices, and even insulin pumps are all potential threat vectors within a network.

And due to the increase in all of these potential threats, and the influx of money and capable hackers into the space, we are left with the question that is constantly being asked: How can we stop it all?

What we can do is take actionable steps to resolve problems before they occur, and have processes in place to handle inevitable human failures.  In plain English - plan out what happens when things fail.  If you don't know what happens when your Cybersecurity fails, then you don't know the full extent of what to prepare for, or how to handle it.  Do you have a plan of attack for what happens in a Ransomware attack?  Do you do "cybersecurity drills" or anything else to verify you aren't at risk from phishing attempts or other outside methods of attack?  Do you have a means to monitor the actions of potentially malicious employees within your environment and prevent them from leaking data?

Additionally, an increasingly important answer to many of these threats is having actions in place for when a threat evades all normal methods of protection and infects a system - how quickly do you respond?

Managed Detection & Response solutions, XDR, or whatever solution reports to a business when risky behavior or an application gets past security, come in all different shapes, sizes, and levels of value.  Not all are made equal, and very few can do things such as "immediately take action to detain or shut down a potentially infected system"!

And I'm saying this from experience.  Having done dozens of Ransomware Risk Assessments and various forms of security health checks, the number of times I've seen a company using the "best of breed" security solutions and reporting solutions discover an attack during my investigation is stunning.  Half the time it is because of security policies having too many exclusions, but sometimes it is as simple a reason as an alert being "suppressed" because it was noisy... an alert that ended up telling a company they were in the midst of a hack for over 6 months in some cases!

So, what can you do?

Well, I'd first see if you have security coverage that is 24/7/365 - no matter whether you have someone in the office or not - and trained security engineers who know how to analyze the threat data properly and draw the right conclusions from it.

Second, I'd hope that you've tested this security, and keep testing it even in the face of success.  Knowing you've properly installed the technology is one thing; verifying it works is another.

Third, I'd hope you have a plan for if it all falls apart.  Or, even better, a layered security approach that plans for this eventuality and has technologies in place to halt a breach in its tracks!

If you don't have those standards, you are playing a dangerous game, one where you are hoping to be hit by a security threat only between 9 AM and 5 PM, Monday to Friday... which is a small hope at best.