Securing the System: The Forest or the Trees?

Security often fails because of weaknesses in processes that have nothing to do with technology. The Epsilon database breach highlights our need to look at security as a system.

How many emails did you get last week telling you that your name and email address were compromised as part of the Epsilon database hack? Chances are you have done business with one or more of the large companies that used Epsilon's email marketing services. While the information disclosed was not overly sensitive on its own, when it is combined with the names of the companies the addresses were harvested from, it opens the door for some really effective spear phishing attacks: the attacker knows which brands each victim already has a relationship with.

I don't know the details of how the attack happened, what controls failed, or the vulnerabilities that were exploited. The breach itself is of less concern to me than what we can learn from dealing with the fallout. The propeller heads among us will immediately start poring through the security devices looking for ways to strengthen the network defenses. While this is an important part of protecting a network after a breach, it's an example of staring at a single tree when you are in a huge forest full of some really massive ones that could fall over on you at any moment. Security assessments are often conducted in the same manner: all of the attention is paid to individual points in the network and not to the security system as a whole. Security failures more often than not occur in process, and a process failure will not show up on any vulnerability scan. If we don't start looking at security a bit differently, we will continue to get knocked in the head by these big tree limbs.

The other area this attack highlights is the risk that comes with outsourcing. When a service provider as large as Epsilon has hundreds of high-profile customers, it becomes an irresistible target for attackers: one successful intrusion yields the customer data of every client. Companies in the spotlight like this have to have flawless execution in security process, procedure, and technology, and they have to maintain constant vigilance. This attack could have happened to anyone, but the results are magnified by the fact that multiple customers were involved. I am sure this will cause a number of uncomfortable meetings where organizations will have to rethink their external email marketing outsourcing contracts, and some companies may even bring this function back in house.

So Epsilon got hacked, now what? We know that names and email addresses were compromised, which opens the victims up to targeted phishing where evildoers generate emails that appear to come from the companies that collected the addresses originally. One of the most important countermeasures to reduce the risk of phishing attacks is having a solid email security solution that can ferret out and block the spoofing techniques that phishers use. Cisco's IronPort Email Security Appliance is an example of a product that can stop this kind of message before it ever reaches the recipient. The ESA will analyze each URL present in an email to make sure that it is legitimate and not pointing to some malware hosting site. One of the best (and free) countermeasures for fighting phishing is simply user awareness training. Use this as an opportunity to educate and re-educate users on common phishing techniques. You can't always rely on broken English or poor graphics to spot a phish; some of the emails are very professionally written and often link to the same images that the real company uses in its marketing. Just following good email security practices can go a long way toward neutralizing these threats.
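To make the "spoofing techniques" and "analyze each URL" points concrete, here is an added example of the kind of header and link checks a gateway applies before a message reaches the user. This is illustrative code written for this article, not Cisco's ESA code or anything from Epsilon; the two messages embedded in it are constructed for the demo, and the domain reduction is a deliberate simplification (a real gateway would use the Public Suffix List and would also verify SPF and DKIM, which cannot be done offline).

```python
"""Heuristic phishing-indicator checks over a raw RFC 822 message.

Added example for this article; not a vendor's product code. The sample
messages and every domain in them are constructed for the demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed spear-phish: borrows a retailer's name and logo, but is
# sent, replied to, and linked from unrelated infrastructure.
SAMPLE_PHISH = """\
From: "Example Retail Rewards" <rewards@examp1e-retail-offers.net>
Reply-To: support@mail-verify-login.biz
Return-Path: <bounce@bulkmailer.example.org>
To: victim@example.com
Subject: Important notice about your account
Content-Type: text/html

<html><body>
<img src="https://www.example-retail.com/images/logo.png">
<p>Please confirm your details at
<a href="http://203.0.113.10/login">https://www.example-retail.com/account</a>
</p></body></html>
"""

# Constructed legitimate mailing: every header and link agrees on one domain.
SAMPLE_LEGIT = """\
From: "Example Retail" <news@example-retail.com>
Return-Path: <bounce@example-retail.com>
To: victim@example.com
Subject: Weekly deals
Content-Type: text/html

<html><body><a href="https://www.example-retail.com/deals">https://www.example-retail.com/deals</a></body></html>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"<>]+', re.I)
IPV4_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')


def registrable_domain(host):
    """Crude 'last two labels' reduction (assumption: no multi-label suffixes)."""
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    return urlsplit(url).hostname or ''


def _domain_of_addr(header_value):
    _, addr = parseaddr(header_value or '')
    return registrable_domain(addr.rsplit('@', 1)[-1]) if '@' in addr else ''


def _text_parts(msg):
    """Yield decoded text/* bodies, whether or not the message is multipart."""
    for part in msg.walk():
        if part.get_content_maintype() == 'text':
            payload = part.get_payload(decode=True) or b''
            yield payload.decode(part.get_content_charset() or 'utf-8', 'replace')


def phish_indicators(raw):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw)
    findings = []

    # Header spoofing: the visible From domain should agree with where
    # replies and bounces actually go.
    from_dom = _domain_of_addr(msg['From'])
    for hdr in ('Reply-To', 'Return-Path'):
        dom = _domain_of_addr(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f'{hdr} domain {dom} differs from From domain {from_dom}')

    # Link analysis: displayed URL text vs. real target, and bare-IP targets.
    for body in _text_parts(msg):
        for href, text in ANCHOR_RE.findall(body):
            target = host_of(href)
            shown = URL_RE.search(text)
            if shown and registrable_domain(host_of(shown.group(0))) != registrable_domain(target):
                findings.append(f'link text shows {host_of(shown.group(0))} but points to {target}')
            if IPV4_RE.fullmatch(target):
                findings.append(f'link points to bare IP address {target}')
    return findings


if __name__ == '__main__':
    for label, sample in (('phish', SAMPLE_PHISH), ('legit', SAMPLE_LEGIT)):
        print(label, phish_indicators(sample) or ['no indicators'])
```

Run it and the constructed phish trips four indicators (mismatched Reply-To, mismatched Return-Path, a displayed URL that differs from the real target, and a bare-IP link) while the legitimate mailing trips none. These are exactly the cues awareness training teaches users to look for; a gateway simply applies them mechanically and at scale.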

What do you think will happen because of this attack? Business as usual or will you rethink your external marketing services? Inquiring minds want to know!
