WHITE PAPER THE TOP 5 MYTHS OF DATA BREACHES

Transcription

1 WHITE PAPER THE TOP 5 MYTHS OF DATA BREACHES

2 Table of Contents Introduction...3 Who and what is at risk?...3 Myth #1...4 Myth #2...4 Myth #3...5 Myth #4...6 Myth #5...6 Conclusion...7

3 The Top 5 Myths of Data Breaches White Paper 3 Introduction We live in the age of the data breach. It seems from every newspaper and on every newscast we hear about yet another breach of a computer network resulting in the theft of confidential or sensitive information. Even the media outlets themselves have become the targets of these attacks and data breaches. Within the security industry and in society in general we are in a constant search for a solution to this problem. However, many in the security industry have become so disillusioned by failure that they have adopted the opinion that a breach is inevitable and the primary focus should be on detection and response as opposed to prevention. In truth, there is no single, simple answer and giving up is not a viable alternative. The fact that there are no easy answers does not mean we have to accept defeat. And one of the first steps is to recognize that many promoted opinions about the cause of breaches and the failures of technology are actually myths. These myths obscure a clear path to increased security and better risk management. Debunking these myths is an important step to improve the effectiveness of our security defenses against future breach attempts. This paper will expose five of the biggest myths that exist about data breaches, and explain how and why they occur. Who and what is at risk? Who is a target of all of these attacks? In a word, you. Targets can literally be anyone and everyone. Some breaches have nation-state strategic motivations. Others may be politically or financially motivated. Other targets are just low hanging fruit. As more than one attacker has mentioned when asked why they attacked a particular target - because they could. These kinds of attacks are similar to a thief walking down a hallway in a hotel checking doorknobs he is looking for the open one. The room with the open door becomes his next victim. In fact, according to the Verizon Data Breach Report (2013), 75% of breach victims were targets of opportunity. They were not targeted because of who they were or what they had, they were just easy to break into. Depending on the specific vertical of your business, it is more likely than not that you have already been the victim of a data breach. The costs of these breaches are staggering as well. In many cases the cost of the breach is enough to put the victim out of business. Large public companies have lost tens to hundreds of millions of dollars. But large companies are not the only targets of these attacks. In fact, midsize and small businesses are often targeted because they are a softer target. No organization is immune from attack. For many organizations the question should not be what is the cost of securing my network, but rather what is the cost of not securing my network. A first step in this direction is understanding the real risk involved. Peeling away the fiction from the facts. This paper is a first step in that process by exposing what we believe are the five biggest myths of data breaches.

4 The Top 5 Myths of Data Breaches White Paper 4 MYTH #1 Most threats and attacks are very sophisticated. With today s advanced persistent threats, zero-day exploits and sophisticated targeted attacks, it has become fashionable to throw up our hands, feeling helpless against these new classes of attacks. Some security professionals advocate that we will not be able to stop these kinds of attacks and we should plan for what to do when they do happen, rather than trying to stop them. While there is no doubt that trying to stop these kinds of attacks is very difficult, the fact is that according to the Verizon Data Breach Report of 2013 a staggering 99% of all breaches were not highly difficult. For all of our talk about threat sophistication, again, according to the Verizon Data Breach Report, 97% could have been stopped with simple or intermediate controls. The numbers are overwhelming. For every unbeknownst zero-day attack there are literally 80 or more attacks and breaches which utilized a known vulnerability and attack vector. The idea that we don t have the technology or technique to stop most attacks is a myth. Again, according to the most recent Verizon Breach Report 75% of victims were targets because they were available, not because of who they were or what they had to offer the attackers. Even with these new advanced, sophisticated attacks, it is usually a low-level vector that allows them to inject their sophisticated payloads. In most cases of Advanced Persistent Threats (APTs) we see some sort of spear phishing or other social networking which allows the attackers to infiltrate a network. Once they gain a toehold in an organization s network using these types of low-level techniques, they probe to see how and where they can gain access using some of the more advanced techniques. Again, they are looking for misconfigurations, unpatched systems, and so forth. Even vaunted custom malware such as Stuxnet were injected via a USB drive. Injecting malware via a USB drive is hardly sophisticated or new for that matter. It is believed that the US Department of Defense suffered a breach years ago via USB thumb drives injecting malware onto systems. The lesson of this myth is to not become an easy victim of opportunity. Most data breaches are successful not because of some new, highly sophisticated form of attack. Rather, most data breaches are successful because the attackers found an easy, simple point of entry that allowed them to inject their attack payloads and complete their breach. And, even if they succeed with step one, often basic access controls in the network can prevent further damage and raise visibility to the existence of the breach. Hiding behind the new sophisticated threats as an excuse not to remain vigilant and implement best practices is a losing proposition. While there are new forms of hacking and attacks, the sophistication of attacks is not the reason for a breach in most cases. Most breach attempts are actually pretty easily thwarted with simple and mid-level controls in place. MYTH #2 Network controls are useless since all attacks now are layer 7 attacks. Oh, how the web app security vendors would love us to believe this one. However, this is another myth about data breaches. While many attack attempts come in via port 80, this does not mean that existing technologies in network security could not be used to block them. A firewall, for example, can be used to stop attacks even with port 80 or other common ports left open. Blocking via IP, whitelisting IPs, and other firewall configuration management tactics can block many application layer 7 attacks despite popular myths to the contrary. Another method of stopping layer 7 attacks is to understand the path an attack would take in order to successfully reach critical assets. A tool such as FireMon Risk Analyzer can help you visualize what these potential paths of attack are and which controls you can put in place that would block these attacks.

5 The Top 5 Myths of Data Breaches White Paper 5 The important thing to remember about layer 7 attacks is that the traffic still traverses your network. Therefore, using network-based controls and defenses can still affect them. Yes, application specific defenses like NGFW, WAF and other layer 7 defenses are effective against these attacks (assuming they are properly configured), but if you don t have the budget to afford these luxuries there is no need to throw in the towel there is still much you can do. Tightening your network controls and doing all you can to avoid misconfigurations is a viable and surprisingly effective strategy. MYTH #3 My technology is slow, old, and obsolete (or all of the above). This may be the single biggest myth in IT, let alone security and risk. How many times have we heard My computer did not function properly? Other flavors of this myth include My technology was too slow, too old, and out of date. In security specifically, we live in a world of next gen. If there is a next gen tool in a particular category, it is obviously better and makes the previous generation obsolete. Or so the myth goes. We hear about an attack being successful and immediately think we need a new tool or a new technology to stop the new attack. We don t think too much about why our present technology did not prevent or stop this new attack. Was it really a case of the technology being incapable of thwarting the attack? More often than not an examination of the facts will show that the technology deployed could have successfully protected you but it was misconfigured. Misconfigurations are much more likely to be the reason for a data breach than obsolete technology. In a November, 2012 Gartner Research Note on enterprise firewalls, Gartner projected that through 2018, more that 95% of firewall breaches will be caused by firewall misconfigurations, not firewall flaws. Misconfigurations could involve a firewall setting allowing traffic to or from a specific IP or via a port that should have been closed. Misconfigured network settings are a major source of data breaches. Who has permission to access what files and assets on the network? There could also be a misconfiguration on a server, such as file permissions are set incorrectly. Misconfiguration can also take the form of a setting on an endpoint that resulted in a patch or remediation not being applied. For instance, something as simple as not having automatic updates turned on, resulting in a new patch not being applied. Again, the Verizon Data Breach Report and other data breach studies show that sensible low- and mid-level controls and proper configuration of existing security technology are adequate to stop the overwhelming majority of attacks. Human error is responsible for many times more data breaches than older technology. That is not to say that technology doesn t become obsolete. Of course it does and that is sometimes the case. For instance, trying to maintain Windows XP systems after Microsoft has discontinued support could leave you vulnerable to attack. But that situation is far rarer than a simple misconfiguration. Before blaming the technology, take a good look in the mirror and make sure that your perimeter devices, network, servers and endpoints are all configured correctly.

6 The Top 5 Myths of Data Breaches White Paper 6 MYTH #4 It s impossible to prevent breaches; I should just concentrate on response. There is a very prevalent trend in the security industry that says data breaches and security incidents are unstoppable. Instead of putting so many resources into preventing a data breach, the tendency is to put resources into incident discovery and breach response. As the American General in the Battle of the Bulge replied when asked to surrender, Nuts! Giving up and not trying to stop data breaches is not and never will be a successful strategy. One hundred percent prevention of data breaches may not be possible, but it doesn t mean it is not a worthy goal or that you should not try to stop a data breach. The implications of redirecting significant resources away from prevention towards response is that more breaches will occur requiring even more time and effort on detection and response. Risk management dictates that we manage acceptable levels of risk. While this may mean dedicating more resources into prevention than the risk is worth, it does not mean full scale surrender. There is obviously a balance that needs to be struck. We do need to discover security breaches as fast as possible. We do need a well thought out plan to respond to data breaches. However, let s be very clear that the balance must tip in favor of stopping data breaches where possible and reasonable. If you take some basic steps to harden your systems you can greatly reduce your risk of a breach. According to the latest Verizon Data Breach Report, 75% of attacks are opportunistic meaning they were carried out because they were easy and available, not because of some strategic initiative. On top of this, 78% were started with relatively simple attacks rated as low difficulty. This means that taking reasonable measures to avoid becoming the victim of an opportunistic attack and thwarting low difficulty attacks could decrease your likelihood of being a data breach victim by over 75%. With those kinds of odds, it seems ludicrous to throw up your hands in defeat. MYTH #5 If I keep my systems patched, I can prevent all breaches. If only this were true, what a simpler world this would be. The I can patch everything, can t I? approach fails on several fronts. First of all, just staying on top of all of the patches that are released for the software you run in your organization can be a daunting task. In most organizations, you don t just apply a patch when it comes out. There is a quality assurance process where the patch is tested to make sure it does not break something else. By the time a new patch is tested and made ready to implement system wide, there is already a new patch that must be now tested and rolled out as well. While this may be a great form of job security, it is also like living on the hamster wheel. No matter how fast you run, it seems that the sheer amount of patches will keep you spinning your wheels. Of course the other side of this dilemma is that these patches are all driven by the finding of vulnerabilities. So while a good chunk of your resources is tasked with testing and rolling out patches, another part of the team is out scanning and testing for vulnerabilities. Scanning for vulnerabilities is not as easy as it used to be either. With so many mobile and remote devices, they are not always on the network when you run your vulnerability scan. Tracking, scanning and testing for vulnerabilities can be a bigger job than patching. Between the two you can rest assured that a substantial amount of your allocated budget and resources will be sunk. The news only gets worse too. Even if you dedicate the resources necessary and run a tight vulnerability management and patching operation, it offers you no protection against the latest zero-day attack that you may be subject to. So even doing all of the above does not guarantee you that you will be immune to a data breach.

7 The Top 5 Myths of Data Breaches White Paper 7 Finally, remember even without the zero-day attack, and you stay on top of your vulnerability management and patching, the weakest link in your defense still sits behind the keyboard. Being socially engineered to giving up your password or installing some malware on your device could make all of your hard work and effort for naught. So while patching and scanning is a form of job security for some and at the very least will keep you busy, it is not a cure for data breaches. Conclusion Stopping data breaches from occurring totally while a worthy goal is probably not possible. However, data breaches are by and large acts of opportunity. Understanding how they occur, and separating the truth from the myths can make your chances of being the next victim of a data breach much less likely. Insight into the state of your network, implementing even basic controls and management can decrease the likelihood that your network will be breached. Utilizing security management to manage firewall rules and network security policies along with a risk management solution are some of the best precautions you can take to thwart wouldbe intruders. Implementing a comprehensive security strategy complete with policy, process and technology in place allows you a better chance to not only stop breaches, but be aware of attempted breaches as well. Following these best practices, and doing everything you can to make sure your network and device settings are configured properly, will go a long way towards helping reduce your risk. After spending huge sums of money on defensive technologies, it makes economic and security sense to ensure they are effectively configured to reduce your risk. A regular security awareness training program for your employees can be a big help as well. One of the best things you can do is have a better attitude towards preventing a data breach. You can make a difference. Don t blame the technology you have. Don t think that the threat and the enemy are so advanced that it is useless to even try. Work smarter, if not harder. You can t stop data breaches entirely, but by cutting through some of the myths surrounding them you can harden your defenses and make your organization much less likely to be the next victim. For more information on FireMon s complete product portfolio, please visit the company s website at or FireMon at info@firemon.com. WHAT CAN WE DO ABOUT IT? Eliminate unnecessary data; keep tabs on what s left. Ensure essential controls are met; regularly check that they remain so. Collect, analyze and share incident data to create a rich data source that can drive security program effectiveness. Collect, analyze, and share tactical threat intelligence, especially Indicators of Compromise (IOCs), that can greatly aid defense and detection. Without deemphasizing prevention, focus on better and faster detection through a blend of people, processes, and technology. Regularly measure things like number of compromised systems and mean time to detection in networks. Use them to drive security practices. Evaluate the threat landscape to prioritize a treatment strategy. Don t buy into a one-size fits all approach to security. If you re the target of espionage, don t underestimate the tenacity of your adversary. Nor should you underestimate the inteligence and tools at your disposal. Figure 2013 Verizon Data Breach Report rev080713