Beware data thieves blowing down your house of card

How not to spend a useless fortune on protection

Data breaches are a digital woe battering the shores of today’s computing. Every week brings news of more shrapnel from a war in which not enough people see themselves as combatants.

Experts blame poor security; regulators and governments hope that things like the EU General Data Protection Regulation (GDPR) will tame the beast; and large organisations have simply hunkered down for a long campaign.

Data breaches accelerated dramatically in the early noughties, driven by three technological changes: a surge in the volume of data; the agglomeration of smaller databases into larger ones; and the accessibility of these on networks and from the internet.

With hindsight, the deeper question is not why breaches have become more common but why nobody saw them coming.

In 2005, the Privacy Rights Clearinghouse recorded 136 breaches in the US, covering 53 million records. By 2015, the number was 805 breaches and 217 million records for a cumulative total of 5,015 breaches between 2006 and 2016.

And that is only the US, the country with the toughest reporting requirements in the world. The suspicion is that other countries are quietly getting pwned on a larger scale.

The humiliating outcome? According to Vigilante.pw in 2014, there were 183 “dumps” of stolen data listed online.

It is natural to assume that the technical and human frailties at the root of breaches have been addressed, but this is not the case. Despite improvements, the staggering growth of data means that reforms often leave organisations barely keeping up. What is still going wrong?

Poor investment

Ironically, security spending has risen rapidly in the last decade as firms invested in high-capacity firewalls, intrusion detection and prevention, and a raft of endpoint data security. It might seem as if all this spending has come to nothing.

But security infrastructure is doomed to fail if it is simply applied as a remedy after the fact. Gradually, firms have come to realise that security systems are not part of networks, they should be the network: baked in at every level, integrated, automated, and bought strategically rather than as a fix when something goes wrong.

Patch and mend

It’s tediously axiomatic that software flaws are a big problem, but fixing them has become a Sisyphean struggle. Patch availability has improved dramatically, with large vendors rolling out structured programmes and bug bounties, but often these are not applied quickly for operational reasons. Too many old flaws sit unpatched on small numbers of systems, causing a chasm of trouble when they are discovered by criminals.

Figures on the most serious zero-day flaws (vulnerabilities exploited before a patch has been released) reveal that there were 23 across a range of desktop applications in 2013, 24 in 2014 and 54 in 2015. Three quarters of websites, meanwhile, were found to have unpatched vulnerabilities.

Easy entry

Email remains a ridiculously simple way for attackers to get behind the security perimeter. The problem is that regardless of how much filtering and attachment scanning is applied to emails during transit or on PCs, employees must interact with email eventually.

It only takes one booby-trapped PDF or phishing link to launch malware capable of anything from network scanning to credential and data theft and ransomware. The openness of email turns PCs into small islands of risk.

Are credentials too easy to steal or are the mechanisms based on static logins with lousy authentication? Take your pick. Either way, Verizon summed up their central role in countless data breaches in its 2016 Data Breach Investigations Report (DBIR):

“The capture and/or reuse of credentials is used in numerous incident classification patterns. It is used in highly targeted attacks as well as in opportunistic malware infections. It is in the standard toolkit of organised criminal groups and state-affiliated attackers alike.” Sixty-three percent of reported data breaches examined involved the compromise of a credential at some point. This covered weak passwords and default passwords as well as stolen ones.

Check your privileges

Every single public data breach has one thing in common: most of the data was not encrypted. Regulations such as PCI DSS insist that card data must be held in encrypted form, but even assuming this has been competently hashed (meaning it is not reversible), user data is almost always left in the clear.

Verizon’s 2016 DBIR made the interesting observation that many employees access data they don’t need for their jobs, a red-line risk. This is also about how organisations process data and not simply secure it.

Credentials have always been valuable but in an era of organised, targeted hacking, privileged accounts become the most valuable resource. Numerous large data breaches have this as a common denominator.

Too many organisations have ended up prey to privileged credential misuse because the way credentials were managed developed in an ad-hoc way. Privileged accounts are a vulnerable and precious part of network security and must be handled like bone china.

No breach detection

Even with the best controls in place, breaches will happen, but this doesn’t have to be a counsel of despair. Organisations fill their networks with security tools to block attacks before they develop, forgetting that a better defence is to build on the principle of visibility.

Breach detection processes work on the assumption that data leakage is inevitable. What matters is stopping small breaches turning into large ones, reducing insider threats, and being able to understand the scale of a breach when it is discovered. Currently, too many firms first hear about a breach only when data is posted online or a customer reports a secondary attack.

In a way, organisations have been fighting the wrong war. They thought it was about securing the network when the criminals knew all along that it was about data.

Everyone is catching up with the realisation that, despite the vast sums spent on kit and software, it’s the crims who understood this best.
