Hackers breached the US federal government earlier this month, exposing personnel information for about 4 million current and former federal employees. The attackers targeted the Office of Personnel Management (OPM), and the attack may have originated in China.
So now the question is — is your enterprise environment vulnerable, too? We put that question to some security experts in the first of a two-part series on security in the enterprise.
What can enterprises learn from the US federal government data breach?
PJ Kirner, CTO and Co-Founder, Illumio
As chief technology officer and founder, Kirner is responsible for Illumio’s technology vision and platform architecture. He has 20 years of experience in engineering, with a focus on addressing the complexities of data centers. Prior to Illumio, he was CTO at Cymtec. He also held several roles at Juniper Networks, including distinguished engineer focused on advancing Juniper’s network security and layer 4-7 services plane. Kirner graduated with honors from Cornell University.
These types of breaches are symptomatic of a larger problem: over-reliance on perimeter-centric security strategies and devices, such as firewalls, IDS (Intrusion Detection System), IPS (Intrusion Prevention System), etc. This problem isn’t confined to the OPM or government in general. It is one that is firmly entrenched in the private sector as well.
Traditional, perimeter-centric security strategies are not able to keep up with today’s dynamic, agile computing environments. They are like the hard shell of a candy -- once cracked, malware and attackers gain free rein of the soft and chewy middle of clouds and data centers. We need a shift in the industry, one that focuses security strategies on reducing the attack surface so any threat can be successfully managed.
There is now a full complement of new technologies that give security teams the ability to gain live visibility and apply continuous enforcement inside their data centers. The opportunity is present for organizations to take steps to contain the spread of threats -- before they can do any material damage to an organization, their employees and their customers.
The only way we are going to stop these threats is to fully understand the entire ecosystem (security technologies, processes, personnel, etc.) that enables them to happen. We should be making sure that everyone else with the same architectures and systems in place as those that failed at the OPM is aware of the potential for disaster and how to minimize the risk.
Ron Heinz, Founder and Managing Director, Signal Peak Ventures
Heinz guides operations for his company’s venture capital and growth equity firm with more than $500 million of assets under management. As a former operating executive, he spends significant time with portfolio companies helping incorporate their technology into viable business structures. Prior to Signal Peak, Ron was a managing director at Canopy Ventures and previously served as the CEO of Phobos Corporation (acquired by SonicWALL) and Helius Corporation (acquired by Hughes Network Systems), as well as a senior vice president at Novell, Inc. where he spent 12 years.
With the growing sophistication of hackers, whether they are nefarious actors or state-sponsored cyber terrorists, the question is no longer will you get hacked but how well prepared are you for the attack. Recent high-profile breaches, in the government sector or commercial world, are a stark reminder that the skill set and intensity of this new breed of cyber-criminals have reached a new paragon.
While state-sponsored hacking may have more recently targeted civilian and defense entities, the commercial enterprise is equally vulnerable to heightened levels of cybercrime. Attacks on enterprise organizations are often geared towards intellectual property theft, corporate retaliation or financial fraud. With a growing interest in enterprise assets, cyber-assaults on corporate entities will continue to accelerate at alarming rates -- thus penetrations will be inevitable.
For corporations, battling cyber-threats will continue to escalate to high-priority status for large enterprises and their IT staffs. The good news is that there is a plethora of traditional perimeter-based technologies, as well as a number of emerging solutions coming to market, to assist security professionals in the ongoing battle.
We see innovations in a number of areas -- stronger inside-threat detection, cloud-encryption technologies and mobile-device encryption -- as being areas of advanced interest to the enterprise.
Casey Ellis, CEO and Co-Founder, Bugcrowd
Ellis has spent 12 years in information security, servicing clients ranging from startups to multinational corporations as a security and risk consultant and solutions architect. He's a career infosec guy turned career entrepreneur. Ellis is "the guy who had the crazy idea" which became Bugcrowd. He is happy as long as he's got a problem to solve, an opportunity to develop and an awesome group of people to bring along for the ride.
The simple answer is yes, hackers can and will hack the enterprise like they did with the government and the Office of Personnel Management (OPM) breach. It comes down to the complexity of the environment that exists around each of the organizations. There is no real difference between these environments, and the more moving parts at play in the organization, the more the hacker has to exploit.
To use a suburban analogy, imagine a big house. For every extra window on this large house, a burglar sees another window of opportunity. The government and large enterprises are some of the biggest houses in the country, with many windows available for exploitation.
Moreover, what the public doesn’t always realize is that hackers are economically rational -- they’re running a business. For them, it’s not a matter of getting into the bank vault where the best goods are hidden. It’s targeting the doors that will give them the best entryway into the organization. It’s a question of, what will give them the best rate of return?
For enterprises to stay safe, it’s a matter of triaging where the encounter with an attacker will most likely come from. Organizations must ensure their perimeters are secure in a way that isn’t just focused on core assets. Take JPMorgan and Target -- the attackers went through systems that the customers weren’t regularly visiting. They sought the back windows, which not many people look out of but anyone can look into.
Rehan Jalil, President & CEO, Elastica
Previously, Jalil was president of WiChorus (Tellabs subsidiary) and senior vice president of Tellabs. At WiChorus, he led the company from its inception to an eventual $200 million merger with Tellabs. He was also previously the chief architect at Aperto Networks, where he led development of broadband wireless silicon and carrier-grade systems. At Sun Microsystems, he helped develop one of the industry's earliest advanced multi-core multithreaded processors for throughput computing and graphics applications. Prior to that, he managed large-scale projects related to system-level design and implementation at Siemens.
Enterprises are more vulnerable than the federal government, given the openness and high mobility afforded to corporate employees and vendors. Furthermore, enterprises are more likely to embrace cloud services due to the efficiency and cost savings -- opening the potential for a breach at both the enterprise premises and the cloud service provider.