The market is abuzz with discussions on how the security landscape is evolving and analyst firms are ready with their predictions on the increase in spending on cybersecurity. However, there only seems to be a rise in the number and level of security breaches occurring worldwide. If only small players had been affected, this could be attributed to lack of attention to security practices, inefficient management of available resources or even inadequate investment in security products. But so many recent breaches have affected the biggest players in the market like Yahoo, Equifax, HBO, Sony, LinkedIn, MySpace, ebay, etc. to name a few.
To make a bad situation worse, the company did not report the incident to regulators or to affected customers at the time, but paid off the hackers to keep the breach under wraps. Even if we ignore the mayhem that this breach cover-up is creating, it is overwhelming how poor security practices by are making everyone susceptible to such intrusions.
In its latest findings of the Breach Level Index, Gemalto revealed that 918 data breaches led to 1.9 billion data records being compromised worldwide in the first half of 2017. Considering that such big companies have suffered massively, one wonders whether solutions available in the market are simply not good enough or something remains essentially wrong with the manner in which security practices are employed.
There was a time, back when we used Windows 95, when all you had to do to login was press the ESC key. Over the years, secure practices had to be built into Windows since it was never present to begin with. This indicates how the threat landscape has evolved to necessitate the need for security to safeguard every aspect of technology that we use.
Morey Haber, VP Technology, BeyondTrust stresses that none of the security solutions, even when layered together perfectly, are 100% effective. “Remember, we are human. Humans make mistakes. The applications, defences and implementations can have obtuse flaws that are just waiting to be identified by a threat actor. The important takeaway is that no security solution is perfect,” he added.
Mario M. Veljovic, General Manager, VAD Technologies presents another perspective saying that the exponential increase in the sheer amount of data has made it lucrative for attackers to get hold of. The consumption, sharing and analysis of data is what drives businesses but this adds to the security risk if not managed properly.
Another reason for the continued breaches, according to Veljovic is that while many security practices are being deployed, they are not updated regularly to effectively combat today’s rapidly evolving challenges. “Most customers expect their investment to give them protection for a certain period of time but fail to realise that these days this cycle is becoming shorter and shorter. As the threat landscape changes, they need to make relevant upgrades without losing any time,” he added.
It is now understood that being breached is not a question of ‘if’ but ‘when’. Since organizations are failing to employ proper internal security practices, they are not able to identify when processes are not working and are causing unnecessary risk. Even when a breach is detected, it can often go undetected for a long time. However, just because breaches are inevitable doesn’t mean no action can be taken.
The solution to this dilemma lies in making the value of data useless to hackers. When it comes to safeguarding data, it is imperative to make defences stronger so that it is harder to steal sensitive information. This can be done by having better identity and access control techniques, multi-factor authentication and the use of encryption to secure sensitive data. Also, this data should not be stored in one place in its entirety and organisations must monitor who has access to sensitive information.
“Traditionally it was enough to have preventive controls like firewalls, IPS, endpoint solution, etc. Now organisations need to bring their security operations to maturity by employing preventive controls, monitoring these controls for suspicious activity, implementing an incident response plan and having predictive controls in place that utilize information gathered from past experiences,” said Majid Khan, MSS Architect and CSOC Manager, Help AG.
Another vulnerability that hackers take advantage of is password re-use and once they have access to an internal mailbox, it’s trivial to phish internally and escalate privileges on the network.
According to Haber, it is not possible to identify one entity as culpable for the loss of data during an attack. Of course, the threat actor is ultimately accountable but targeted attacks using nation state scaled tools will almost always get the desired data; even with near perfect defences. “You cannot hold the cyber security defence team accountable when they tried their best. If you did, no one would ever want that job,” adds Haber.
To add to Haber’s opinion, Veljovic states that it is ultimately the customer, who must ensure that he is working with the right reseller, employs the right staff and selects the best solution. In the event that a breach still occurs, customers need to take full responsibility and be accountable themselves.
It is clear that the security practices employed may never be enough but vigilance is the key. Security teams must remain alert to the changing threat landscape and invest in fundamental security controls and practises to monitor access to highly sought-after content and protect it in the event that a breach takes place. Finally vendors have to realize that the data they process, the operating systems they depend on, the applications that drive their business, are all vulnerable and they need to add security to protect against the innovative methods that threat actors are using to gain access.
While a number of advanced and preventive security products, solutions and services are available in the market, yet data remains vulnerable to repeated attacks that are rapidly increasing in frequency. It seems like it’s only a matter of time before a company experiences a data breach, whether it be large or small. This speaks volumes about the amount of work the security industry still needs to do.