Responsible network managers need to acknowledge that attacks leading to data breaches do happen and plan accordingly. By focusing on the fundamentals of best practices, they can control the breach and limit the amount of damage.
In the wake of numerous high profile data breaches, I talked to security expert Eric Cole of the SANS Institute to pick his brain on what organizations can do to stem the tide of data theft attacks. Cole believes that people aren’t focusing on the fundamental actionable things that their organizations can do to be able to minimize and stop these types of attacks from occurring.
“Whenever a major event occurs, somebody always wants the name of someone who is responsible as well as a quick fix of what went wrong,” says Cole. “In the case of Target, people are saying one of their vendors didn’t have a system that was secure and that was the reason that Target got compromised.”
But when you really look at it, Cole says there is never a single reason why organizations get compromised. “There are always many things that go wrong, and simply saying a third-party vendor didn’t have a secure system is really overlooking the fundamentals of what is really needed to secure, protect and lock down an organization.”
One of the first things organizations have to recognize is the bad guys are going to get in. “An organization expecting that it is never going to get compromised is as naïve as a person saying he is never going to get sick,” Cole says. “It is going to happen, so we need to put more energy and effort on minimizing the frequency at which it occurs and minimizing the impact it has. For example, if Target got compromised and there were only 5,000 credit cards stolen, that would be a completely different news story than the more than 100 million accounts that did get compromised. It’s important to find that balance of recognizing that things will happen but controlling the overall impact.”
With that backdrop, Cole says a return to the fundamentals would greatly reduce the likelihood of data breaches:
* Asset identification – When you look at recent breaches, it becomes apparent that organizations don’t know what is on their network. Cole doesn’t believe Target, for example, knew there was a third-party system directly connected to its core network. When it comes down to asset inventory, organizations need to control, manage and understand what is plugged into their network. There shouldn’t be any surprises. They should be aware of any device that is plugged in. They should understand the interconnectivity and minimize and control how much access it has.
* Configuration management – Every device plugged into that network needs to have proper configuration management. The network managers need to know how those devices are configured, secured and locked down. Cole can’t imagine that Target had any idea how the system from the HVAC vendor was configured and whether it introduced exposures or vulnerabilities. He surmises that if Target had tied the asset inventory to the configuration management, they would have been able to recognize the issues and proactively either fix them or put the third-party’s system on a separate VLAN in order to minimize the exposure that such an attack would have in their environment.
* Change management – Knowing every device and having proper secure configurations on those devices doesn’t do any good if changes can be made that the network managers are not aware of. Cole says it’s critical to have strict change control where all changes go through a formal process in order to maintain a proper security posture.
* Data discovery – Cole says organizations need to know where their critical data is located. “One of the big flaws in a lot of these retail breaches is they had no idea they had information stored on servers in plain text and unencrypted. That was a big failure component.”
* Network segmentation – If we assume that networks are going to get broken into, then a good way to limit and control the damage is with highly segmented networks. “By having each system on a different network and different segments with limited visibility, now if a system gets broken into, it would make it that much harder to do large-scale damage,” Cole advises.
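As an added illustration of how the five fundamentals above reinforce each other, the following script is example code written for this article's readers, not anything from Cole or SANS. It holds a constructed asset inventory for a hypothetical retail network (hosts such as pos-01, db-cards and hvac-gw are made up), compares it against what a scan actually found, and reports the four gaps the list describes: devices nobody inventoried, configuration drift that change control should have caught, sensitive data stored unencrypted, and a third-party system sharing a VLAN with cardholder systems.

```python
"""Correlate asset inventory, configuration baseline, data discovery and
segmentation for a small, constructed example network.

All hosts, VLANs and settings below are made up for illustration."""
from dataclasses import dataclass


@dataclass
class Asset:
    host: str
    owner: str        # "internal" or "third-party"
    vlan: int
    zone: str         # "cardholder", "corporate" or "vendor"
    baseline: dict    # expected (approved) configuration settings


# Authoritative asset inventory: what we *think* is on the network (constructed).
INVENTORY = {
    "pos-01": Asset("pos-01", "internal", 10, "cardholder",
                    {"ssh": "off", "telnet": "off", "patch_level": "2024-01"}),
    "db-cards": Asset("db-cards", "internal", 10, "cardholder",
                      {"ssh": "on", "telnet": "off", "patch_level": "2024-01"}),
    # Third-party HVAC gateway placed on the cardholder VLAN by mistake.
    "hvac-gw": Asset("hvac-gw", "third-party", 10, "vendor",
                     {"ssh": "off", "telnet": "off", "patch_level": "2023-06"}),
}

# What a network scan actually observed: VLAN membership and running config (constructed).
DISCOVERED = {
    "pos-01": {"vlan": 10, "config": {"ssh": "off", "telnet": "off", "patch_level": "2024-01"}},
    # telnet was switched on outside change control
    "db-cards": {"vlan": 10, "config": {"ssh": "on", "telnet": "on", "patch_level": "2024-01"}},
    "hvac-gw": {"vlan": 10, "config": {"ssh": "off", "telnet": "off", "patch_level": "2023-06"}},
    "unknown-printer": {"vlan": 10, "config": {}},   # never inventoried
}

# Data discovery results: where data lives and whether it is encrypted at rest (constructed).
DATA_STORES = [
    {"host": "db-cards", "data": "card_numbers", "encrypted": True},
    {"host": "pos-01", "data": "card_numbers", "encrypted": False},
    {"host": "fileshare", "data": "marketing_plans", "encrypted": False},
]
SENSITIVE = {"card_numbers"}


def unknown_devices(inventory, discovered):
    """Asset identification: hosts seen on the wire but absent from the inventory."""
    return sorted(set(discovered) - set(inventory))


def config_drift(inventory, discovered):
    """Configuration/change management: running settings that differ from the baseline."""
    drift = []
    for host, asset in inventory.items():
        running = discovered.get(host, {}).get("config", {})
        for key, expected in asset.baseline.items():
            actual = running.get(key)
            if actual != expected:
                drift.append((host, key, expected, actual))
    return drift


def unencrypted_sensitive(stores, sensitive=SENSITIVE):
    """Data discovery: hosts holding sensitive data in plain text."""
    return sorted(s["host"] for s in stores if s["data"] in sensitive and not s["encrypted"])


def segmentation_violations(inventory, discovered):
    """Segmentation: VLAN changes and third-party systems on a cardholder VLAN."""
    violations = []
    card_vlans = {a.vlan for a in inventory.values() if a.zone == "cardholder"}
    for host, asset in inventory.items():
        seen_vlan = discovered.get(host, {}).get("vlan")
        if seen_vlan is not None and seen_vlan != asset.vlan:
            violations.append((host, f"vlan moved {asset.vlan}->{seen_vlan}"))
        if asset.owner == "third-party" and asset.vlan in card_vlans:
            violations.append((host, f"third-party on cardholder vlan {asset.vlan}"))
    return violations


def review(inventory=INVENTORY, discovered=DISCOVERED, stores=DATA_STORES):
    """Run all four checks and return the findings keyed by fundamental."""
    return {
        "unknown_devices": unknown_devices(inventory, discovered),
        "config_drift": config_drift(inventory, discovered),
        "unencrypted_sensitive": unencrypted_sensitive(stores),
        "segmentation_violations": segmentation_violations(inventory, discovered),
    }


if __name__ == "__main__":
    for finding, items in review().items():
        print(f"{finding}: {items}")
```

Each check on its own is weak: the drift check only works for hosts that are in the inventory, and the segmentation check only works if the inventory records who owns each device and which zone it belongs to. That is the practical point of Cole's list: the inventory is the key the other controls join on, so a gap in it silently blinds the rest.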
Looking back to any of the major retail breaches, think how different the outcome could have been if…
* They had known what devices were on their network, and
* They were able to properly configure those devices and control changes to them, and
* They tracked where their data was, and
* They had highly segmented networks to prevent an attacker from going anywhere he wants.
The attacks might still have occurred, but they would have been smaller, more controlled and more limited in terms of damage.
Linda Musthaler (LMusthaler@essential-iws.com) is a Principal Analyst with Essential Solutions Corp. (http://www.essential-iws.com), which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.