The occurrence of data breaches has been on a continual rise over the past 18-24 months. Some of this is arguably due to increased reporting, but what about the rest? How do some of the largest companies in the world manage to get breached by so-called “advanced” threats. There are many detailed reasons, of course. But I believe the majority of the issues lie at the intersection of complexity and common sense.
As the internet has grown, organizations have been increasingly quick to jump into new technology opportunities without fully understanding their impacts. Mobile applications, cloud services, BYOD, API accessibility, B2B integrations, and Internet of Things are just a few of the simple examples of new technologies that have – not just permeated the technology landscape – but have also become part of how we live with technology. These advancements also show clear examples of how complexity has eroded our security boundaries.
As an illustration, just think about your average small restaurant chain. They have physical storefronts where they process credit cards and usually offer free WiFi, allowing anyone to connect. They probably take online orders, process credit cards online, and have API access to read the orders as they come in. They probably have a security camera system (wireless?) of some sort. And this is all just from a small restaurant chain. (this is modeled off an actual pizza chain, by the way).
Perhaps this is more social commentary than anything, but there is a conspicuous lack of “think before you act” going on in the technology world. Just because we can, doesn’t mean we should right now… For example: When you install that wireless security camera system, who is monitoring it? How do you know? Would you know? A simple Shodan search shows: No, organizations simply are not aware of their actions.
But what about larger organizations? Surely they must be better than that, right? Not hardly. Large organizations have the exact same issues, but at a larger scale. From a retailer not properly segmenting networks before allowing HVAC access; to a major production studio that wasn’t able to detect long-term access and exfiltration of their own data, it’s happening everywhere.
The real problem is that it’s getting worse, not better…
What is the answer then? How do we fix these issues? Unfortunately, it’s very situational (and usually not easy).
- Understand there is a problem. Organizations need to understand that you have blind spots and that they ARE a target. Everyone has data, and everyone is a target.
- Figure out what is important to you. What data do you really want to protect? Is it healthcare data, credit cards, member lists, intellectual property? Determine what you need to protect.
- Stop making mistakes. Sounds easy, right? The point is this: you now understand you have a problem…don’t make it worse. For example, if you’re allowing unrestricted contractor access to your network, stop allowing further access until you get your hands around the problem. Don’t keep doing things because “that’s how we’ve always done it.”
- Find your real boundary. Are employees using Gmail and Facebook in the office? What about Drop Box? Who handles your SIP calls, and are you sure about that? Who provides your DNS, NTP, and so on. Understand that your network is full of holes, despite your best efforts. Start physically drawing those boundaries! (FYI: Pencil and paper is still available at your local store)
- Threat Model like crazy. Where are your biggest exposure points or threat vectors? Do you have webservers, VPN, email, desktop computers? What is the intended purpose of all of these vectors? How can they be exploited? What are you doing to protect against those threats? Write all that down; add it to your network diagrams; whatever is easiest to understand.
- Apply GOOD engineering to solve the problems. You don’t always need to spend money to win this game. Start with network segmentation, AD group policy and machine lock-downs, patching, open source solutions (e.g. WAFs, log monitoring, etc). There are a lot of great commercial solutions out there, but they will ALL FAIL if you don’t have a solid foundation to sit them on. If your admins and engineers don’t get it, you need to consider what that means for future hiring.
- Lather, Rinse, Repeat. You need to apply all of this, all the time. There’s also a longer tail in Security Operations, which I’m not touching on here…
The moral of this story? Stop adding things to your network and computer infrastructure before understanding the security impact. So much of the security problem is wrapped up in laziness and apathy. It’s no longer acceptable to just “throw it on the network” without understanding what that really means. Use common sense when adding complexity.