Do You Need a Security Buddy?
In early June, Citigroup acknowledged yet another major breach of confidential customer data. It was the 251st such public notification this year, and could put us on track to exceed the 597 improper disclosures from schools, government agencies, and businesses in 2010.
According to an article in USA Today, cybercriminals are now "actively probing corporate networks for weaknesses," and businesses face particular pressure to let the public know when they've been hacked. Citigroup, in fact, was criticized by US Representative Jim Langevin for taking a month to notify customers after noticing the most recent breach, which was discovered during routine monitoring. Customers' names, account numbers, and e-mail addresses were all compromised.
Citigroup joins major global companies like Sony, Epsilon, Nasdaq, PBS, Google, RSA, Lockheed Martin, L-3 Communications, and Northrop Grumman in being the victim of a cyberattack. Companies are more forthcoming about breaches due in part to data-loss-disclosure laws that are now in force in 46 US states. Public companies must be especially up-front with such disclosures: Data breaches can obviously create a negative impact on business, and failure to disclose such impacts can be a violation of SEC rules and invite shareholder lawsuits.
A recent survey by Ponemon Institute and Symantec estimates that data breaches cost, on average, $7.2 million to put right – and those costs continue to climb. They're in addition to fines and fees imposed by industry groups and government legislation, making data breaches tremendously expensive.
Let's face it: We tend to give a lot of lip service to security, but you and I both know that most organizations' security, under the hood, can be pretty haphazard. Are all the permissions on your files and folders truly accurate? Group memberships all up to date? Are you sure? Is your firewall configured properly – no unnecessary holes? Is the software up-to-date?
Look, having security flaws is almost unavoidable, simply because most products' native tools do a very poor job of letting us manage security. Go through every object in Active Directory and tell me if it has the correct permissions. Go ahead, I'll wait. You'll be a while if you're using Active Directory Users and Computers to check. Even Windows PowerShell offers fairly primitive tools for monitoring and modifying permissions, in part due to the highly-distributed and extremely-complex permissions structures that Windows products tend to use.
But the newspaper headlines make it clear that we'd better get on the ball. In general, you're going to need to implement three broad capabilities:
- Protect. You need to be able to apply the proper permissions to resources, proper configuration to security elements of their infrastructures, and maintain those settings over time.
- Inspect. You need the ability to continuously monitor and audit your environment to ensure that the proper permissions and configurations are in place.
- Detect. You need proactive monitoring and alerting to let you know when a problem does occur, so that you can take remediation steps and make the proper disclosures.
In many cases this is going to require the use of third-party tools from independent software vendors (ISVs). I know, nobody likes to spend money on those things. But you're not going to be able to write a PowerShell script that does it all – much as I wish that were the case. In many cases, you'll need software that gathers distributed permissions and configuration information into a single place, analyzes that to produce reports, and uses that to generate automated alerts when necessary.
Yes, I realize that "you've never been hit." I'm sure Citigroup, Sony, and PBS felt the same way – and they got hit. Hard. Sony along lost millions by having to take their network offline for weeks, not to mention the public relations disaster. And that was one attack. Oh, "you're not a big company, so you're not a target?" Sure, not yet. But you will be, once attackers figure out that you too have a few thousand bits of interesting information on your network and that you're a much easier target than Citigroup or Lockheed Martin.
It's probably time to give your security an quick review. Take your honest opinion to your executive team, along with a proposed plan to put things right. Have your numbers in place: This is what it's going to cost us, and this is what we stand to lose if we don't. Be able to explain why you can't fix it on your own – including, if necessary, a brief demo of why permissions and configurations are difficult to monitor and manage using the in-the-box tools. Most executives simply don't realize how difficult it is, so you'll need to educate them.
Be a security leader.
Posted by Don Jones on 06/13/2011 at 1:14 PM