A Three-Step Approach to Threats: What All Organizations Should Know (but Equifax Doesn’t)
September 18, 2018
Within the context of historical cyber breaches, this can be classified as a massive attack: Equifax, one of the “big three” credit-rating agencies, announced earlier this month that hackers gained access to the Social Security numbers, credit card data, driver’s licenses, home addresses and other personally identifiable information (PII) of up to 143 million Americans. Some two dozen class-action lawsuits (and counting) followed, along with stinging criticism from consumer groups and congressional leaders.
A vulnerability in the open-source framework Apache Struts is believed to be one of the causes of the hack. When using open-source products, you need to look beyond the immediate free price to the long-term implications: how will you maintain their function and security? Part of this is a commitment to actively participate in the community that contributes to the software’s continued development. This compromise calls attention to a top source of risk: web app attacks account for nearly three of ten breaches overall – far outpacing cyber espionage, privilege misuse and all other threat drivers, according to the latest Verizon Data Breach Investigations Report (DBIR).
But beyond the vulnerability of web apps, the situation speaks to the need for a three-step approach in dealing with compromises in general: We start with the now-accepted reality that all of us will get breached. Your customers and the public at large will not condemn you for this. Yet, in the interest of preserving (and even building upon) your brand reputation and loyalty, it’s critical to effectively manage threats – from both a technical and strategic perspective – before, during and after they occur. That’s where our three-step approach takes hold …
Minimize risk. Well before an incident, you should assess the volume of entry points – on various systems, devices, apps, etc. – that represent the potential for exposure. Clearly, the fewer, the better. If your enterprise were a home, for instance, you’d be best protected in a house with just one door, because an intruder would have only one way to get in. But that would be absurd, obviously. Your home is going to have a front door and probably a back door, as well as windows. You can, however, limit these entry points and secure them.
Similarly, in today’s age of Bring Your Own Device (BYOD) and employee-driven device/app adoption, it’s impossible to limit enterprise entry points to “one door.” But you can inventory them – to document which ones exist and where they are – and then monitor them for any suspicious activity. Then, through the principle of least privilege, you limit the exposure of entry points within systems, devices and apps by granting user access based strictly upon what people need to do their jobs. This, along with encryption, systems validation and traditional cyber defense tools and measures, will greatly help you “fortify the house.” But, as indicated, it will not ensure 100 percent protection, which brings us to our second step …
Manage impact as it happens. Because everyone gets compromised from time to time, you must have a plan in place to reduce the impact of threats as they happen. The aforementioned inventorying of entry points and monitoring of them helps here. So does network segmentation. Through network segmentation, you separate physical endpoints according to the networks and data they access. This way, if they’re compromised, only the data within their segmented “section” is affected – you’ve “walled off” the compromise so it cannot spread to everything else within your enterprise IT environment. To use our “house” analogy, it’s like sealing off a room that a burglar has broken into so he can’t go anywhere else. Sure, he can swipe whatever he wants that’s in the room. But that’s it.
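The “inventory, then monitor” idea from the first step and the segmentation idea from the second can be turned into a simple check. The following is an added example, not code from the original post: it assumes a constructed entry-point inventory, a constructed segmentation policy (which segment may talk to which) and a handful of constructed connection-log lines, and it flags connections to listeners that are not in the inventory as well as flows that cross a segment boundary the policy does not allow.

```python
"""Inventory-driven monitoring of entry points and segment boundaries.

All inventory entries, segment names, policy rules and log lines below are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EntryPoint:
    host: str
    port: int
    segment: str   # network segment the listener lives in
    owner: str     # team accountable for keeping it patched and monitored


# Constructed inventory: the entry points we know exist, and where they are.
INVENTORY = {
    ("web01", 443): EntryPoint("web01", 443, "dmz", "web-team"),
    ("app01", 8080): EntryPoint("app01", 8080, "app", "app-team"),
    ("db01", 5432): EntryPoint("db01", 5432, "data", "dba"),
}

# Constructed segmentation policy: (source segment, destination segment)
# pairs that are permitted. Traffic inside one segment is always allowed.
ALLOWED_FLOWS = {("internet", "dmz"), ("dmz", "app"), ("app", "data")}

# Constructed mapping of hosts to the segment they sit in.
HOST_SEGMENT = {"web01": "dmz", "app01": "app", "db01": "data", "ext": "internet"}


def parse_log_line(line):
    """Parse a constructed log line of the form '<src_host> -> <dst_host>:<port>'."""
    src, rest = line.split(" -> ")
    dst, port = rest.rsplit(":", 1)
    return src.strip(), dst.strip(), int(port)


def check_connections(lines):
    """Return (finding_type, line) for every connection that breaks policy."""
    findings = []
    for line in lines:
        src, dst, port = parse_log_line(line)
        ep = INVENTORY.get((dst, port))
        if ep is None:
            # A listener nobody inventoried is an entry point nobody is watching.
            findings.append(("UNKNOWN_ENTRY_POINT", line))
            continue
        src_seg = HOST_SEGMENT.get(src, "unknown")
        if src_seg != ep.segment and (src_seg, ep.segment) not in ALLOWED_FLOWS:
            # A flow that jumps a segment boundary the policy forbids.
            findings.append(("SEGMENT_VIOLATION", line))
    return findings


# Constructed sample log: two policy breaks hidden among normal traffic.
SAMPLE_LOG = [
    "ext -> web01:443",       # internet -> dmz: allowed
    "web01 -> app01:8080",    # dmz -> app: allowed
    "web01 -> db01:5432",     # dmz -> data directly: not allowed
    "app01 -> db01:5432",     # app -> data: allowed
    "ext -> web01:2222",      # listener not in inventory
]

if __name__ == "__main__":
    for kind, line in check_connections(SAMPLE_LOG):
        print(f"{kind}: {line}")
```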
Respond to incidents – promptly, publicly and honestly. After an attack, you need to ‘fess up to your customers, stakeholders and possibly the general public/news media. Again, this is going to happen to everyone eventually, so don’t feel like you’re undergoing the equivalent of a viral social media “shaming” here. You’ll only face shame, in fact, if your efforts are perceived as “too little, too late” or otherwise duplicitous.
Equifax, for example, deservedly took heat for not revealing the hack until six weeks after first detecting it. Then, it encouraged consumers to check its site, EquifaxSecurity2017.com, to find out whether they were affected. But Equifax further self-sabotaged its brand reputation here because the site’s terms and conditions barred users who opted in from participating in class-action lawsuits. Once word about this “fine print” detail got out, the Equifax backlash grew only louder. (The company backed off its position later, but, by then, the damage was done.)
Whether your organization suffers from a massive hack or just a “tiny mess” to clean up, you need to proactively prepare. By developing strategies for the “before,” “during” and “after” stages of an attack, you’ve covered all of the required bases. Ultimately, breach management is as much about business as it is about tech processes. With our three-step approach, you’ll minimize fallout and preserve brand reputation by demonstrating that you’ve invested considerable thought, time and effort into a comprehensive cyber defense plan. And that’s when you’ll earn the greatest asset you can gain from your customers and stakeholders – their trust.