Debunking the five myths of data breaches
We live in the age of the data breach. It seems that every day we hear about yet another breach of a computer network resulting in the theft of confidential or sensitive information.
Both within the security industry and in society in general we are in a constant search for a solution to this problem. However, many in the security industry have become so disillusioned by failure that they think that a breach is inevitable and the primary focus should be on detection and response as opposed to prevention. In truth, there is no single, simple answer and giving up is not a viable alternative. This article will seek to expose five of the biggest myths that exist about data breaches and explain how and why they occur.
Myth #1: Most threats and attacks are very sophisticated
With today’s advanced persistent threats, zero-day exploits and sophisticated targeted attacks, it has become fashionable to throw up our hands, feeling helpless against these new classes of attacks. Some security professionals advocate that we will not be able to stop these kinds of attacks and we should plan for what to do when they do happen, rather than trying to stop them.
While there is no doubt that trying to stop these kinds of attacks is very difficult, the fact is that according to the Verizon Data Breach Report of 2013, a staggering 99% of all breaches were not complex. In fact, the majority could have been stopped with simple or intermediate controls. For every zero-day attack that hits the headlines there are 80 or more attacks and breaches caused by known vulnerabilities or threats. What’s more, the vast majority of victims are the result of an opportunistic rather than a targeted attack.
Myth #2: Network controls are useless since all attacks now are layer 7 application-level attacks
Oh, how the web app security vendors would love us to believe this one. But alas, this is another myth around data breaches. While many attack attempts come in via port 80, the port used by web traffic, it does not mean that existing technologies in network security could not be used to block them. A firewall, for example, can be used to stop web-based attacks. Blocking via IP address, white-listing IPs, and other firewall configuration management techniques can block many application layer 7 attacks despite popular myths to the contrary. Another method of stopping layer 7 attacks is to understand the path an attack would take in order to successfully reach critical assets. A tool such as FireMon’s Risk Analyzer can help you visualise what these potential paths of attack are and what controls you can put in place that would block these attacks.
Myth #3: My technology is slow, old, and obsolete (or all of the above)
This may be the single biggest myth in IT, let alone security and risk. How many times have we heard “My computer did not function properly”? Other flavours of this myth include “My technology was too slow, too old, and out of date.”
More often than not the technology deployed could have successfully protected you, but it was misconfigured. Misconfigurations could entail a firewall setting allowing traffic to or from a specific IP or via a port that should have been closed, or unclear control over who has permission to access which files and assets on the network. There could also be a misconfiguration on a server, such as file permissions set incorrectly. Misconfiguration can also take the form of a setting on an endpoint that resulted in a patch or remediation not being applied. For instance, something as simple as not having automatic updates turned on could result in a new patch not being applied. Misconfigurations are much more likely to be the reason for a data breach than obsolete technology.
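As an added illustration of the misconfiguration classes named above (this is example code, not from the article or from FireMon), the toy audit below evaluates a constructed firewall ruleset with first-match semantics to see which ports an outside address actually reaches, and flags files that any user can write to. The rule format, the ports checked and the file paths are all assumptions.

```python
import ipaddress
import stat
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source CIDR, or "any"
    dst_port: Optional[int]  # None means any destination port

def matches(rule: Rule, src_ip: str, port: int) -> bool:
    """Does this rule apply to traffic from src_ip to port?"""
    if rule.dst_port is not None and rule.dst_port != port:
        return False
    if rule.src == "any":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)

def exposed_ports(rules: List[Rule], src_ip: str, ports: List[int],
                  default: str = "deny") -> List[int]:
    """First-match evaluation: which of `ports` can `src_ip` reach?
    The verdict is whatever the first matching rule says, so a broad
    'allow' placed early silently shadows a tighter rule placed later."""
    exposed = []
    for port in ports:
        verdict = default
        for rule in rules:
            if matches(rule, src_ip, port):
                verdict = rule.action
                break
        if verdict == "allow":
            exposed.append(port)
    return exposed

def insecure_files(perms: dict) -> List[str]:
    """perms maps path -> octal mode. Return paths writable by everyone."""
    return sorted(p for p, m in perms.items() if m & stat.S_IWOTH)

# Constructed sample ruleset (assumption): the intent was to allow RDP only
# from the admin subnet, but an old 'allow any 3389' rule was never removed
# and the trailing catch-all allows whatever earlier rules did not decide.
RULES = [
    Rule("allow", "any", 443),
    Rule("allow", "10.0.5.0/24", 3389),
    Rule("allow", "any", 3389),
    Rule("deny", "any", 22),
    Rule("allow", "any", None),
]
# Constructed sample permissions (assumption): modes as a scanner would report.
FILES = {"/etc/shadow": 0o640, "/var/www/upload": 0o777, "/srv/payroll.csv": 0o666}

if __name__ == "__main__":
    print(exposed_ports(RULES, "203.0.113.7", [22, 443, 3389, 3306]))  # -> [443, 3389, 3306]
    print(insecure_files(FILES))  # -> ['/srv/payroll.csv', '/var/www/upload']
```

The same check run from an address inside 10.0.5.0/24 gives the intended result for 3389, which is exactly why a rule that looks correct in isolation still needs to be evaluated in the order the device applies it.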
Myth #4: It’s impossible to prevent breaches; I should just concentrate on response
There is a very prevalent trend in the security industry that says data breaches and security incidents are unstoppable. Instead of putting so many resources into preventing a data breach, the tendency is to put resources into incident discovery and breach response. The implication of redirecting significant resources away from prevention towards response is that more breaches will occur, requiring even more time and effort on detection and response. Risk management dictates that we manage acceptable levels of risk. While this should not mean dedicating more resources to prevention than the risk is worth, it also does not mean full-scale surrender.
Myth #5: If I keep my systems patched, I can prevent all breaches
If only this were true, what a simpler world this would be. Just staying on top of all of the patches that are released for the software you run in your organisation can be a daunting task. In most organisations, you don’t just apply a patch when it comes out. There is a quality assurance process where the patch is tested to make sure it does not break something else. By the time a new patch is tested and made ready to implement system wide, there is already a new patch that must be tested and rolled out as well.
Finally, remember that the weakest link in your defence still sits behind the keyboard. Being socially engineered into giving up your password or installing some malware on your device could make all of your hard work and effort for naught. So while patching and scanning are a form of job security for some, they are really not a cure for data breaches.
Stopping data breaches from occurring entirely, while a worthy goal, is probably not possible. Understanding how they occur, and separating the truth from the myths, can make your chances of being the next victim of a data breach much lower. Insight into the state of your network and implementing even basic controls and management can decrease the likelihood that your network will be breached. Utilising security management to manage firewall rules and network security policies, along with a risk management solution, are some of the best precautions you can take. Doing everything you can to make sure your network and device settings are configured properly will go a long way towards reducing your risk. A regular security awareness training program for your employees can be a big help as well. You can’t stop data breaches entirely, but by cutting through some of the myths surrounding them you can harden your defences and make your organisation much less likely to be the next victim.
by Jody Brazil, President and CTO of FireMon