Large enterprises. Mid-sized businesses. Mom and pops.
Seems like they're all vulnerable to data security breaches today, right? It's no longer as easy as locking up the front door of the business.
Businesses don't have to be entirely vulnerable, though. In this CMSWire Discussion Point, we asked several security industry officials to weigh in on the sources of breaches at large enterprises.
Why do large enterprises have security breaches?
PJ Kirner, CTO and founder, Illumio
Kirner is a technologist and architect focused on complex distributed system solutions. He’s responsible for Illumio’s technology vision and platform architecture.
Large enterprise data breaches fall into a clear pattern. At a high level, attacks that lead to data breaches follow a sequence -- the initial attack, followed by propagation to other vulnerable systems in the network, collection of sensitive data from compromised systems and finally exfiltration of information.
Over time, attacks have become more sophisticated and targeted with many variations in the modus operandi of the initial attack, from opportunistic attempts driven by security errors to malicious insiders, organized crime rings and hacktivists. But the processes by which the attack takes hold and the attacker makes away with sensitive data still remain largely the same.
Enterprises have focused a lot of attention on efforts to stave off this initial attack. They have spent billions of dollars bolstering perimeter defenses in the hope that the attack can be prevented from even arriving at the door step. However, recent events and high profile breaches have highlighted the problem of this one-dimensional approach to security which allows attackers to exploit the weak insides of data centers or clouds after they sneak past the perimeter.
Enterprise data centers and even public clouds suffer from a problem of gratuitous connectivity -- or the ability for servers to communicate simply because a network path exists. This is the single biggest vector by which attacks spread laterally from one compromised system to the other. The lack of visibility and control over the traffic between servers behind the perimeter means that attackers have very little resistance once they’re inside.
Security solutions must address the issue of unintended connectivity by decoupling the enforcement of security from the network. They must dynamically secure the communications between servers with granular and automated controls to restrict interactions based on application needs. With the right application segmentation and isolation, enterprises will have a better chance at preventing data breaches even after the initial attack.
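To make the "gratuitous connectivity" point concrete, here is an added example (not Illumio's product, policy format or code) of a label-based, default-deny segmentation check. Workload names, application labels, tiers and ports are constructed for illustration. A flat network would route every flow in the list; the allowlist derived from application need permits only the three the applications actually use and denies the tier-skipping, cross-application and unneeded-service flows that lateral movement would rely on.

```python
"""Label-based segmentation check: only flows an application needs are allowed.

Added example with a constructed inventory and policy. Workload names,
application labels and ports are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    app: str   # application the workload belongs to (e.g. "store", "hr")
    role: str  # tier within that application (e.g. "web", "api", "db")


@dataclass(frozen=True)
class Rule:
    """Allow traffic from one labelled tier to another on one port."""
    src_app: str
    src_role: str
    dst_app: str
    dst_role: str
    port: int


# Constructed inventory: two applications sharing one flat, fully routed network.
WORKLOADS = {
    "store-web-1": Workload("store-web-1", "store", "web"),
    "store-api-1": Workload("store-api-1", "store", "api"),
    "store-db-1": Workload("store-db-1", "store", "db"),
    "hr-app-1": Workload("hr-app-1", "hr", "app"),
    "hr-db-1": Workload("hr-db-1", "hr", "db"),
}

# Allowlist derived from what each application needs; anything else is denied.
POLICY = [
    Rule("store", "web", "store", "api", 8443),
    Rule("store", "api", "store", "db", 5432),
    Rule("hr", "app", "hr", "db", 5432),
]


def is_allowed(policy, src, dst, port):
    """True if some rule matches the labels of both endpoints and the port."""
    for r in policy:
        if ((r.src_app, r.src_role) == (src.app, src.role)
                and (r.dst_app, r.dst_role) == (dst.app, dst.role)
                and r.port == port):
            return True
    return False


def evaluate_flows(flows, policy=POLICY, workloads=WORKLOADS):
    """Map each observed (src, dst, port) flow to "allow" or "deny"."""
    decisions = {}
    for src_name, dst_name, port in flows:
        src, dst = workloads[src_name], workloads[dst_name]
        verdict = "allow" if is_allowed(policy, src, dst, port) else "deny"
        decisions[(src_name, dst_name, port)] = verdict
    return decisions


# Constructed flows: the first three are legitimate application traffic; the
# rest are reachable on a flat network but serve no application need.
OBSERVED_FLOWS = [
    ("store-web-1", "store-api-1", 8443),
    ("store-api-1", "store-db-1", 5432),
    ("hr-app-1", "hr-db-1", 5432),
    ("store-web-1", "store-db-1", 5432),  # tier skipping within one app
    ("store-web-1", "hr-db-1", 5432),     # reaching into another application
    ("store-web-1", "store-api-1", 22),   # right peer, unneeded service
]


def lateral_flows_blocked(flows=OBSERVED_FLOWS):
    """Count flows the policy denies although the network alone would route them."""
    return sum(1 for d in evaluate_flows(flows).values() if d == "deny")


if __name__ == "__main__":
    for (src, dst, port), decision in evaluate_flows(OBSERVED_FLOWS).items():
        print(f"{decision:5s} {src} -> {dst}:{port}")
```

The design choice worth noting is that rules reference labels, not addresses or subnets, so a workload moved to a different network or cloud keeps the same policy, which is what "decoupling enforcement from the network" means in practice.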
Rehan Jalil, CEO, Elastica
Jalil is an entrepreneur, investor and limited partner in technology venture funds. He is the president and CEO of Elastica, a cloud services security company.
A key challenge enterprises face in modern security breaches is that attacks have become an asymmetrical threat -- in favor of the attackers. Whether it is nation-states, criminal enterprises or rogue individuals, any one of them needs to find only one weakness in a complex web of technology and data. With immense resources at the attackers' disposal, organizations need to think very differently about security.
Furthermore, the economics of data have moved away from direct payment information (e.g. credit card numbers) and more into detailed records (like healthcare records). Recent reports even claim that cyber theft is more lucrative than the illegal drug trade! Enterprises need more sophisticated analysis to help detect and stop these data breaches. The typical perimeter and defense-in-depth approach may be necessary but no longer sufficient with the high mobility of both workers and data.
Enterprises need to think about leveraging the power of web scale systems coupled with modern techniques such as data science and machine learning to continuously monitor user behavior and identify suspicious patterns, without requiring constant human supervision. It is through data science that companies can help level the playing field without dramatically accelerating security spend.
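As an added illustration of "continuously monitor user behavior and identify suspicious patterns" (this is not Elastica's model or code), the example below builds a per-user baseline from a constructed history of sessions and scores new sessions against it. Users, countries, hours and download sizes are all hypothetical. A session earns one point for each deviation: a country never seen for that user, an hour far from the user's usual working hours, or a download volume more than three standard deviations above the user's mean.

```python
"""Per-user behavioural baseline with simple anomaly scoring.

Added example with constructed session events (hypothetical users,
countries and download sizes).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history of sessions: (user, hour_of_day, country, mb_downloaded)
HISTORY = [
    ("alice", 9, "US", 120), ("alice", 10, "US", 95), ("alice", 14, "US", 130),
    ("alice", 16, "US", 110), ("alice", 11, "US", 100), ("alice", 15, "US", 125),
    ("bob", 22, "DE", 40), ("bob", 23, "DE", 55), ("bob", 21, "DE", 45),
    ("bob", 0, "DE", 50), ("bob", 22, "DE", 60),
]


def build_baseline(events):
    """Summarise each user's normal hours, countries and download volume."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e[0]].append(e)
    baseline = {}
    for user, evs in per_user.items():
        sizes = [e[3] for e in evs]
        baseline[user] = {
            "hours": {e[1] for e in evs},
            "countries": {e[2] for e in evs},
            "mb_mean": mean(sizes),
            "mb_std": pstdev(sizes),
        }
    return baseline


def score_event(baseline, event, z_threshold=3.0):
    """Return (score, reasons) for one session; 0 means nothing unusual."""
    user, hour, country, mb = event
    b = baseline.get(user)
    if b is None:
        return 1, ["no_baseline"]  # a never-seen user is itself worth a look
    reasons = []
    if country not in b["countries"]:
        reasons.append("new_country")
    # tolerate one hour either side of a previously seen hour, wrapping midnight
    near = {(h + d) % 24 for h in b["hours"] for d in (-1, 0, 1)}
    if hour not in near:
        reasons.append("unusual_hour")
    std = b["mb_std"] or 1.0  # avoid division by zero for a constant history
    if (mb - b["mb_mean"]) / std > z_threshold:
        reasons.append("volume_spike")
    return len(reasons), reasons


def triage(baseline, events):
    """Rank new sessions by score, most suspicious first."""
    scored = [(e, *score_event(baseline, e)) for e in events]
    return sorted(scored, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    new_sessions = [("alice", 10, "US", 115), ("alice", 3, "RU", 900),
                    ("bob", 1, "DE", 50), ("carol", 12, "US", 10)]
    for event, score, reasons in triage(base, new_sessions):
        print(score, event, reasons)
```

The thresholds are deliberately simple so the logic is visible; a production system would learn them per population and feed the ranked list to an analyst rather than block on its own, which is the "without constant human supervision" point: the machine does the continuous watching, the human reviews the short list.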
Andrew Bagrin, CEO, My Digital Shield
Bagrin is the founder and CEO of My Digital Shield (MDS), a provider of Security-as-a-Service (SECaaS) for small businesses. Before founding MDS, he served as the director of service provider business development at Fortinet, a network security provider.
Rule of thumb to always keep in mind: you are only as secure as your weakest link! Enterprises today have made significant investments financially and from a time perspective to ensure that they've covered every hole and locked every virtual door.
That being said, the most difficult component (which was to blame for many of last year’s breaches) is vendor/supplier management. If you choose to enter into a working business relationship with a company, you have to have an established level of trust built from day one. And it's critical to do your homework up front rather than simply asking Joe Supplier, “Do you have adequate security at your company?” as the answer will always be “of course!” because they want to do business with the big enterprises.
The truth of the matter is that smaller businesses do very little to secure their networks, and trusting them with access to your network -- past your defenses -- opens a window of opportunity and an entry point for cyber criminals.
Small businesses often don’t understand the magnitude of cyber security because they have adopted the mindset that nothing that serious will ever happen to them. Large enterprises should start demanding that their suppliers have adequate cyber defenses and early detection procedures in place if they want to engage in future business partnerships.
Neal Bradbury, Co-Founder and VP, Intronis
Bradbury is responsible for generating greater business value for the company’s MSP partner community and alliance partners. Before co-founding Intronis, he worked at Hasbro and at General Dynamics Electric Boat, where he was a systems engineer working on combat systems of the Virginia-class submarine.
True, larger enterprise data breaches like the ones at Target and Sony make headlines. But when you get down to the root cause of major breaches like these ones, it’s not much different from what causes data breaches at small and medium businesses: poor security practices. Lax password policies and poorly controlled network access are two of the biggest offenders.
For example, both the Target breach and the Sony hack reportedly started with just one stolen user name and password, and once the hackers got in, they had broad access to the network.
At smaller companies, it’s common to find a number of desks with a telltale list of passwords stuck to the bottom of a computer screen. At larger companies, this kind of sloppy security might look more like unprotected text files full of passwords on a shared network server. In fact, some of the documents released in the Sony leak revealed that hackers found a folder labeled “Password” containing thousands of passwords for everything from social media accounts to financial accounts. A mistake like this makes it incredibly easy for hackers to get even more access once they find the right file.
Having a firewall in place doesn’t make it alright to ignore security best practices on internal systems. If firewall software isn’t updated regularly, it creates a weakness hackers can exploit, and that’s when improperly protected files or insufficient network segmentation can come back to bite you. The same thing goes for antivirus and anti-malware software. They don’t keep your data safe if they’re out of date.
A few other common mistakes that can lead to data breaches at companies of any size include failing to lock employees out of the system after they leave the company, and not having a strong policy in place to deal with shadow IT.
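The two access-control mistakes named above, accounts left enabled after an employee leaves and accounts nobody in HR knows about, are both catchable by a routine reconciliation of the HR roster against the directory. The following added example (not Intronis's code) does that with a constructed roster and account list; employee ids, usernames and dates are hypothetical. It flags enabled accounts whose owner has a past termination date, enabled accounts with no HR record at all (a common trace of shadow IT or contractor sprawl), and enabled accounts that have not logged in for a long time.

```python
"""Reconcile an HR roster against directory accounts to catch offboarding gaps.

Added example with constructed data; employee ids, usernames and dates are
hypothetical.
"""
from datetime import date

# Constructed HR roster: employee id -> (name, termination date or None)
HR_ROSTER = {
    "E100": ("Alice Example", None),
    "E101": ("Bob Example", date(2015, 1, 15)),
    "E102": ("Carol Example", date(2015, 6, 30)),  # future as of TODAY below
    "E103": ("Dave Example", None),
}

# Constructed directory export: one record per account
ACCOUNTS = [
    {"username": "alice", "employee_id": "E100", "enabled": True,
     "last_login": date(2015, 3, 1)},
    {"username": "bob", "employee_id": "E101", "enabled": True,
     "last_login": date(2015, 1, 14)},          # terminated, still enabled
    {"username": "carol", "employee_id": "E102", "enabled": True,
     "last_login": date(2015, 3, 2)},           # leaving later; fine today
    {"username": "dave", "employee_id": "E103", "enabled": True,
     "last_login": date(2014, 9, 1)},           # no login in months
    {"username": "svc-backup", "employee_id": None, "enabled": True,
     "last_login": date(2015, 3, 1)},           # nobody in HR owns this
    {"username": "erin", "employee_id": "E999", "enabled": False,
     "last_login": None},                       # disabled, unknown owner
]

TODAY = date(2015, 3, 3)


def reconcile(roster, accounts, today=TODAY, stale_days=90):
    """Return (username, finding) pairs for accounts needing attention.

    Findings: terminated_but_enabled, no_hr_record, stale_enabled.
    Disabled accounts are skipped; they are already locked out.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        emp = roster.get(acct["employee_id"])
        if emp is None:
            findings.append((acct["username"], "no_hr_record"))
        elif emp[1] is not None and emp[1] <= today:
            findings.append((acct["username"], "terminated_but_enabled"))
        last = acct["last_login"]
        if last is not None and (today - last).days > stale_days:
            findings.append((acct["username"], "stale_enabled"))
    return findings


def accounts_to_disable(roster, accounts, today=TODAY):
    """Usernames that should be disabled immediately: owner already terminated."""
    return sorted(u for u, f in reconcile(roster, accounts, today)
                  if f == "terminated_but_enabled")


if __name__ == "__main__":
    for username, finding in reconcile(HR_ROSTER, ACCOUNTS):
        print(f"{finding:23s} {username}")
```

Run daily against a fresh directory export, the `terminated_but_enabled` list is the one to act on the same day; the `no_hr_record` list is the starting point for the shadow-IT policy the contributor mentions, since every account should have a named owner before it is allowed to keep existing.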
Discussion Point is a regular CMSWire feature. Title image by Asa Smith Aarons/all rights reserved.