So, When was Your Data Breach?

March 24, 2015

by Jay Irwin, JD, Director, Teradata InfoSec COE

2015 barely got underway and it happened again, more breaches of customer data kept by large companies. Journalists said 2014 was the year of the data breach, but hold on, here we go again. Security experts are not the least bit surprised. Neither should you be. There is simply no reason to predict an end in sight to this fully engaged Cyber War of data breaches directed at companies large and small. Not yet. Likely this is because there is no evidence of an awakening in the business community about the realities security breaches weigh on them: stolen consumer data, identities, and intellectual property; lawsuits, fines, penalties; and, the big two, the cost of notifying your customers that you’ve had a data breach, and the loss of reputation your company will suffer.

Sso, when was your data breach? In case you don’t already know, it’s probably already happened or is happening to you right now. In case you don’t already know, more than 68% of data breach victims learned of their breach from federal authorities or their bank. “Hey, your customer credit cards are for sale on an Estonian underground website!” Awkward! 

Folks, you do not have to let this happen to your company or its customers. Say NO to this. Keep your shareholders and customers happy and liking you. Keep your jobs. I am perfectly serious about this. Let the awakening begin! 

Why are You a Target?

Simply, it’s because you have stuff you invented and customers who buy your stuff. Customer identities can be stolen and monetized on the cyber black market. It’s because you brought cool things to the world that people want so they give you money for it. Others would like to steal that coolness, making and selling it cheaper the next day. This goes to the very heart of why you are in business, e.g., without customers and things to sell them, you are not in business. You are out of business.

How Can I Stop a Data Breach at my Company?

A question with answers, so here goes. Assuming you are lucky enough not to have already suffered an exfiltration of data (exfiltration of data = breach), you can engage in an enterprise wide security footprint strengthening program without turning your workplace into a prison-like environment. But one word of warning, the set of strategies and defenses about which I am about to tell you WILL NOT WORK unless you do something else first. Instill in your workforce a strong pride of ownership that ties directly to each of their individual contributions to the success of your enterprise. Your workforce constitutes 100% of your invention assets, your manufacturing assets, your service, delivery, satisfaction, quality, on and on. All your assets. So when and only when they believe in the company they work for and have pride in their job, they’re part of its success, will they happily drive the security of your assets on a daily and permanent basis.

Anatomy of a Breach

Okay, sermon’s over. So, let’s talk about how many companies suffer a data breach. We’ll take a simplified look at an advanced persistent threat (APT) malware operation that would, if successful, result in a data breach to your company. An APT operation usually consists of several steps, often called a Kill-Chain.

These include:

  • Reconnaissance
  • Infiltration
  • Weaponization and delivery*
  • Lateral movement
  • Identification and control of target data, and
  • Exfiltration of the data (BREACH). Somebody please call security‼!

*Delivery and execution of a malware payload often occurs during several of these steps, which May Be over a long period of time so you will miss it.

How they Usually Get In

Bad guys are patient when they smell a payload of money so they often take a lot of time to check you out before attacking. They find weak points in network architecture and security practicies. Then they steal someone’s credentials, log-in, and go to work.

I’m Game. Let’s Stop the Kill-Chain

So, here’s a list of some best practice topics for processes and/or principles that must be put in place and paid vigilant attention by all:

  • Safe Social Networking
  • Careful Email handling
  • Workers as Aware and Active Conduits of Open Source Intelligence
  • Worker Daily Operational Security
  • Credential Theft Protection
  • Building and Boosting Threat Awareness
  • Secure Credentialing and Multi-factor Authentication
  • Giving Users no More Access than Needed to do Their Jobs
  • Teaching awareness of Spear-phishing and Malware Delivery
  • Implementing Host Intrusion Prevention Systems (HIPS) with Alerting
  • Audit Event Logging, Monitoring Systems and Alerting
  • Threat vectors, Threat scape, and Malware
  • Improving the Triage of your ThreatCon
  • Listen to and Take Fast Action on Alerts, Anomalies & Warnings ALWAYS!

How to Approach Refortification

If  you are one of the many unfortunate to incur the wrath of breach, below is an inclusive list of things you can/should/must do to get your lights going green again:

Risk Assessment Refresh.

  • Review your last risk assessment (if any)
  • Identify new risks in your environment
  • Identify new risks in peripheral analytic tools
  • Establish, review, improve an enterprise identity management scheme
  • Create a breach process within incident management
  • Strengthen governed, enforceable security policy, standards and processes
  • Align your industry and data to applicable compliance regulations
  • Create an aggressive remediation roadmap with executive commitment

Vulnerability Management.

  • Regularly perform server operating system scans
  • Remediate known and zero day vulnerabilities
  • Permanently harden server operating systems
  • Segment the network into secure zones according to risk/value
  • Review and rehab firewall rules
  • Fortify logon restrictions
  • Port scan the network (it will trip a lot of alarms and you want this)
  • Pen test the network to see if you can break-in (You need to know this)

Database Security Management.

  • Turn on and configure database logging
  • Export logs to security information event manager (SIEM) tools for analytics
  • Hunt in crash dumps for debugging and undetected malware
  • Review provisioning process lifecycle
  • Review user roles and profiles to detect and reverse privilege creep
  • Identify sensitive data needing fine grain user access control
  • Encrypt, tokenize, mask or obfuscate sensitive data while in-transit or at-rest

The Road to Refortification after breach is a challenge that’s necessary to continue in business. But it sure beats needing to polish your resume.

Next time I’m in the neighborhood we’ll have a look at the state of the art in solutions that can be deployed separately or together to detect and interrupt the kill-chain…

Jay Irwin is Director of Teradata’s Information Security, Privacy and Regulatory Compliance Center of Expertise (InfoSec CoE). The CoE provides security assessment, architectural design and control implementation services to Teradata customers.

Leave a Reply

Your email address will not be published. Required fields are marked *


*