In the past few years a number of high-profile data breaches have garnered widespread media attention resulting in greater general scrutiny and awareness of the need for network security. Legislators, in particular, have taken notice, evidenced by a number of efforts aimed at addressing these crimes, including the Cybersecurity Information Sharing Act that was controversially passed into law in December 2015. The truth is that these types of efforts will likely have a tremendous impact on how information security is handled over the coming years – possibly more than anything that hackers and identity thieves themselves will do – and the combination of these and other factors will significantly affect how CSOs address cybersecurity in 2016 and beyond. Fortunately, CSOs can educate themselves about a number of factors and issues to be better prepared to combat the myriad threats they face.
To begin with, CSOs must think carefully about where data will be stored and sent, which solutions they will employ to do so, and how multi-nationals will operate as a result of rapidly shifting politics around privacy, encryption, espionage, jurisdiction, and more. For example, Edward Snowden’s revelations about NSA spying has led to demand for more and better encryption on consumer and commercial products while also contributing to the end of the Safe Harbor Privacy Principles that enabled U.S. companies to self-certify compliance with European Union Data Protection Directive and Swiss requirements for privacy; the policy was declared invalid by the European Court of Justice in October due to concerns that the U.S. government was collecting information in violation of the privacy directives regardless of the statements made by the U.S.-based companies handling the data.
Meanwhile state and federal privacy laws require the use of encryption to protect personally identifiable information from identity thieves while the U.S. Department of Justice is advocating for backdoors to be inserted into encryption products so that the government can eavesdrop on communications in order to detect and prevent crimes and terrorist acts. In spite of this, the U.S. State Department contributes to the TOR encrypted anonymous relay service that is used by dissidents under oppressive regimes and online criminals alike.
These are truly confused times where various branches and levels of government are pulling in opposite directions on the topics of security, encryption, privacy and responsibility.
It is well-understood that some governments are involved in hacking – whether to conduct espionage or sabotage – but the U.S. and UK governments in particular are actively attempting to work around the challenges posed by the Internet’s security infrastructure in their efforts to eavesdrop on encrypted terrorist, criminal, foreign intelligence, and other messages. Thus far they seem to have taken a “collect everything” approach regardless of the consequences. The potential impact of these efforts on business puts CSOs between the proverbial “rock and a hard place.”
On one hand, organizations have legal and/or contractual privacy obligations to their customers and business partners to protect sensitive data. At the same time they face the threat of being prosecuted by their own government for violating some nebulous, unwritten set of national security directives by not turning over information or the being hacked by their own government if their systems could provide a convenient conduit to another target. Companies that provide networking, telecommunications, and security infrastructure or services in particular must be wary as state-sponsored attackers, including the U.S.’s NSA and UK’s GCHQ, have been known to exploit otherwise innocent companies in order to leverage them for attacks on other targets, networks and systems.
This is further complicated for multi-national companies when privacy and national security laws may end up in opposition, as was the case with the use of National Security Letters to quietly collect otherwise private data from U.S. companies and Europe’s Safe Harbor principles to protect the privacy of information being handled by U.S. companies. If a number of countries were to pass laws requiring organizations to, for example, provide a backdoor to their encryption (as China did in December 2015 and various departments within the U.S. government have proposed following the Paris and San Bernardino attacks), this would open yet another potential infiltration point (or multiple points) for hackers to breach and access sensitive operations and security data. This would also likely conflict with privacy laws in other jurisdictions exposing companies to liability for failing to secure the data. This is something CSOs, particularly within multinational companies, must be aware of as the debates about privacy vs. backdoors unfolds and legislation is developed.
ICS and IoT Security
Among the methods hackers employ is exploiting a variety of networked devices besides traditional servers and workstations to either gain access to a network or cause damage. Among the devices hackers have had a degree of success with are Industrial Control Systems, i.e. the hardware and software packages that control and monitor physical infrastructure like power plants, factories, and city infrastructure, and IP connected embedded devices now commonly referred to as the Internet of Things, e.g. IP cameras, medical devices, and automobiles.
These types of devices are vulnerable often simply because installers or end users failed to change default factory security settings or passwords, which can easily be found online, or because devices are running outdated software that is riddled with vulnerabilities and can be exploited to gain access. Many of these types of devices are inexplicably exposed directly to the Internet where they can easily be found and exploited by an attacker.
The danger here is not only that the device can serve as a gateway to accessing the overall network, but that it also poses a risk of massive physical damage. Once a device has been hacked, individuals may be able to control or disable it to cripple real-world infrastructure.
CSOs must pay close attention to these types of systems, that are often overlooked by IT personnel because they don’t fall into the traditional server/workstation model, and make sure that all possible security measures are applied to networked devices and that they are shielded from potential attackers.
Many organizations outsource data processing and storage, often ostensibly transferring security responsibilities to these third parties as well, but that on its own is not a viable solution because it doesn’t insulate a company from negative publicity resulting from a breach of its data, even if that data resides with a third-party. We saw this last year with the Experian/T-Mobile breach. While it was Experian’s systems that were breached, it was T-Mobile’s customers who had their data stolen, therefore, it was T-Mobile who ended up in the headlines, weakening trust among its customers and the public in general.
The lesson here is that CSOs must more thoroughly vet the organizations and vendors with whom they share sensitive data. You can’t pass the buck or blindly trust that a third-party will apply appropriate security measures to shared data. This certainly applies to companies that rely on the cloud as well because in reality, “the cloud” is just the fancy term for storing data offsite on someone else’s server and often relying on the provider for security among other services.
Moving forward, organizations must pay more attention to monitoring networks and generating alerts when signs of breaches are detected. While preventative measures are paramount, it’s impossible to keep every attacker out every time. A determined attacker can usually breach a network’s perimeter, so detection and immediate action is essential.
Only an ongoing monitoring program covering system activity and network communications can detect anomalous activities that can indicate an ongoing breach and allow an organization to stop attackers once they get into the network, hopefully before they can do any real damage. Security technology solutions can help streamline this process by aggregating log data and alerts, but many organizations are lured in by the promises of security device vendors without budgeting for the care and feeding that these devices will require. Having a human team that can tune these products while investigating and responding to alerts is absolutely necessary in order for them to be effective. This is a time-consuming activity that requires trained personnel on call 24/7. This is a commitment that all but the largest enterprises may not be ready for, in which case managed security services should be considered.
Network segmentation, separating critical systems from others within the same network with strong security measures, is key because it provides more locations where the network can be monitored and establishes chokepoints that can slow an attacker down as he attempts to move from an initial entry-point to other systems containing sensitive data.
The effectiveness of monitoring depends on system logs and alerts complemented with ongoing network behavioral analysis that can detect anomalous activity. For example, if systems that have never communicated suddenly start exchanging large amounts of data, that is a likely indicator of a breach. Similarly, if network activity that typically only occurs during business hours appears during off-hours it should be considered a red flag. Many organizations don’t have this level of visibility into their network today.
Rather than waiting for hackers to expose security vulnerabilities or the ineffectiveness of their ability to monitor the network, CSOs can turn to third-party consultants who will conduct penetration testing to detect and analyze vulnerabilities the same way a real attacker would, allowing organizations to proactively find and address these areas of weakness. True penetration tests should go beyond the basic vulnerability scans than many organizations are currently conducting by actually attempting to exploit vulnerabilities that are detected within the network in order to capture sensitive data. Tests can and should also include other tactics commonly used by real attackers like phishing, physical infiltration of facilities, and searches of the Internet for leaked passwords or other sensitive data. Custom applications are an area of particular concern as they often contain vulnerabilities that are hard for scanners to detect automatically but that attackers can easily find and exploit.
These types of technical assessments only skim the surface. In order to make better informed decisions about how the security budget should be allocated, the CSO should be aware of overall risks to the organization. This data is gathered in the form of a risk assessment that weighs the potential cost of a particular type of incident with the expected frequency with which that incident can be expected to occur. Some organizations take a highly subjective shortcut approach to risks assessments but thorough methodologies like NIST SP800-30 and ISO 27005 exist to help an organization make an objective assessment.
Without question, recent data breaches, including the resulting media coverage and legislation efforts, have placed greater scrutiny on how networks are protected. Just as hackers are relentless in their ongoing attempts to attack organizations’ networks, CSOs must be equally vigilant in ensuring a strong security foundation that will enable more effective detection, mitigation and recovery from potential breaches. Awareness of current and future legislation, careful consideration of vendors with whom data is shared, network monitoring and recognition of the wider-ranging impacts data breaches can have on multiple systems are just a few of the ways CSOs can gain insight into the security of their networks and systems. Then, they can take the appropriate steps to protect their organizations from the very real threats they face on a daily basis.