The Inevitability of Security Breaches

The first thing security firm Mandiant's 2014 Threat report (https://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf) says is that "Security breaches are inevitable".  Just to underline that, according to the third quarter 2014 Data Breach QuickView report (https://www.riskbasedsecurity.com/reports/2014-Q3DataBreachQuickView.pdf) from data-breach analytics tool vendor Risk Based Security, Inc., 2014 has already set the record for the highest number of reported records exposed in a single year - after just none-months!     

To quantify the extent of reported data breaches, let me point out a couple of figures from Risk Based Security's report (as of September 2014):

•       1,922 Incidents were reported
•       904 million records were reported as exposed
•       1,428 of Reported Incidents were attributed to "Hacking"
•       84.8% of Records Exposed were attributed to "Hacking"
•       56 of Reported Incidents were attributed to "Fraud/Social Engineering"
•       11.5% of Records Exposed were attributed to "Fraud/Social Engineering" 
•       1,573 Incidents were attributed to "Outside" actors
•       99.90% of the Total Records Exposed were electronic records
•       >50% of Incidents exposed Passwords, Usernames, and/or Email addresses  
•       13.1% of Incidents exposed Social Security Numbers
•       8.2% of Incidents exposed Medical information
•       >6% of Incidents exposed Credit Card Numbers or Account Numbers

And although four incidents accounted for 70.9% of the records exposed, 75.5% of the incidents exposed between 1 and 1,000 records.  (Keep in mind that incidents where less than 1,000 records containing personally identifiable information (PII) were exposed are less likely to be reported than incidents with exposures above that threshold, so it seems likely that 60% would be the bottom of the reasonable range.)       

Those statements aren't intended to send anyone into a fear-based spending spree, but rather to set realistic expectations about the current threat environment.  The days when an organization could reasonable depend on firewalls and anti-virus software to defend their network security perimeter are long gone.  But it's only in the aftermath of the Target breach of 2013 that the reality of this situation has begun to be understood in board rooms and living rooms. 

So, at a time of increased threats to the IT security environment, why is it that a surprising number of organizations can neither see cyber-attacks in real-time or combat them?  And why is it that many organizations don't have a Security Operations Center (SOC)?

I believe it's because we are just beginning to act on that new understanding.  We are just beginning to add the second leg of the security stool: detection.  Detection tools have been improving over the last decade, but the many organizations have not perceived the threat as costly enough to justify the expense of those improving tools.  And without detection, the third-leg (response/recovery) is a solution without a problem to solve.

The first step in Prevention is what everyone, at this point, already has - an Intrusion Detection/Prevention System (IDS/IPS).  But with the advent of Advanced Persistent Threats (APTs) have come what are called tier-two Breach Detection Systems (BDS).  The IDS/IPS is the first tier.  And, just as has always been good practice, we are applying multiple layers of detection at various segments of the network.  The more valuable the data, the more sophisticated our tools need to be.  It's also important to be more vigilant when there is greater risk, for instance when critical or sensitive applications or infrastructure are being upgraded; and when the organization is acquiring/being acquired.  These are the moments when malicious actors will be looking most closely for potential vulnerabilities.
  
Ironically, the poster-child for big breaches (Target) does have a SOC (according to an article in Bloomberg BusinessWeek (http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data)).  And Target has a tier-two Breach Detection System (BDS) [a system from FireEye].  And the BDS alerted on the breach - on two separate occasions.  And the alert was communicated to the SOC by their off-shore security analysts.  But the SOC failed to take action. 

That's the People part of People, Processes and Technologies (PPT).  They all have to work in concert in order to keep an organization safe (or at least limit the damage) from malicious actors. 

How Did The Lowly Point-of-Sale System Get The CEO Fired?

There has been a lot attention paid to vulnerabilities in Point-of-Sale Systems since the breaches at Target became front-page news during the 2013 Christmas season.  And for good reason: some 40 million credit and debit card numbers were stolen in the breach. This lead Target to decide to spend approximately $100 million on Chip-and-Pin (EMV) credit card technology.  Other retailers in the US, including Sam's Club, have recently decided to adopt EMV chip technology.  Over in Europe 95% of credit card terminals are EMV chip enabled.  And that's great, because EMV technology is more secure that the mag-stripe cards that are dominant in the US.

The only problem is Target isn't even closing the barn door after the cows have gotten out.  According the highly-respected security blogger Brian Krebs (http://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/ ), this fix doesn't address the problems that lead to the breach in the first place.  In Target's case what's needed from a security stand-point is end-to-end encryption (encryption-at-rest and encryption-in-transit).  And, "Yes," the "in transit" part includes inside the production network.

So that brings up the question of why Target is fixing a problem that doesn't address the security issue.  I don't have any special knowledge of the inner workings of the Target Board of Directors, but I'm going to guess that it was more important to the Board to fix the PR problem than the Security problem.  And end-to-end encryption is not tangible enough to Target's customers to address the PR side of the equation.  But I could be wrong.  Maybe they hired a consultant and the consultant made that recommendation.  Maybe both are true.

All of which brings us to another issue brought on by the breach. Target didn't have a Chief Information Security Officer (CISO) or Chief Security Officer (CSO) at the time of the breach.  On June 11, 2014 they hired Brad Maiorino from GM.  This was after Chairman of the Board, President and CEO Gregg Steinhafel announced he would be resigning.  And that was after Target announced that they had hired a new Chief Information Officer (Bob DeRodes).

Again, I have no special knowledge of the inner workings of Target or the psychology of its employees, but I'm going to guess that the last nine months at Target have been confusing and demoralizing for its employees - from top to bottom.  And all because of a breach of the Point-of-Sale systems.

There have been a lot of articles and blogs written about the technical aspects of the breaches, but I'm going to suggest that the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is to blame - or rather a lack of attention to the governance aspects of COSO.  And let's not forget Control Objectives for Information and Related Technology (COBIT).

In addition to articles about the technical aspects of the Target breach, there have also been a number of articles about the need for corporate boards to focus more of their attention on Cyber-Security.  And I think the Target breach is a good example of what can happen when there is insufficient attention paid to Information Security matters.

And I'm going to predict that we haven't heard the last of Information Security issues where Target is concerned.  Why?  Because that new CISO reports to that new CIO (as opposed to, say, the CFO).  And why would that be a problem?  The CIO has to make difficult technology budget decisions - and, after all, the company just spent $100 million to address those concerns.  Right?  If Information Security is to have the ear of the Board, then there must be a conversation at that table.  If that conversation happens in the CIO's office instead, how does the Board know they have heard all the relevant issues, all the risks, and all the opinions about the importance of those risks.  It's something the to think about.  And we've already seen what can happen if insufficient attention is paid to Information Security.  

Survey Finds Many Changes Are Undocumented

Netwrix, developers of Netwrix Auditor, recently released a survey of 577 IT professionals showing many organizations - especially smaller IT teams - lack either change management controls, documentation of completed changes or both.

Some of the specific findings included:
• Undocumented changes were happening at 57% of surveyed organizations
• IT Departments at 62% of organizations had no real ability to audit changes
• Changes led to service interruptions at 65% of entities; and
• At 17% of Large Enterprises, a change had been found to be the root cause of a security breach

Although the these results are shocking, I don't find them surprising. I have seen the factors that lead to these results both as a member of IT staff and as an external IT auditor. Although IT Change Management is a foundational part of every IT Department’s mission and most people would agree that weakness in Change Management leads directly (as this survey shows) to increased system downtime, security breaches, internal and external threats, and reduced operational efficiency.

Change Managment is a task that competes for resources (mainly time and budget) with a variety of other tasks and missions. If IT itself tends to be a "cost-center" and part of the plumbing (necessary, but not "sexy"); then Change Management is the epicenter of "plain-Jane" invisibility. Except that if you can't maintain appropriate controls (including disciplinary controls) over this area, then the entire IT function is compromised. This is the "blocking and tackling" of IT. It doesn't matter how fast or powerful that expensive new system is if it suffers too much downtime or is compromised internally or externally.

The majority of organizations surveyed reported they had Change Management process controls in place, although this declined with the size of the organization. The lack of Change Management process controls was even more pronounced when measured against IT Staff size. Although 38% of organizations stated that they had systems in place to audit changes, many of those respondents were relying on system log data as their change audit system.  While system logs contain important change-related data, its presence is no guarantee that it’s in a meaningful format.

This opens the door for the most eye-opening finding, that 57% of respondents were making continual periodic changes that were not documented. 7% of respondents reported making continual periodic undocumented changes daily, 21% reported making them weekly and 20% reported making them monthly. Many of the organizations surveyed had processes in place and/or documented known changes, but without having knowledge of all the changes to systems that occurred they had no way of measuring the effectiveness of their Change Management controls. This enabled IT staff to make changes to systems without over-sight, risk-assessment, or documentation of completed changes to refer to in the event of service interruptions or security events. And this was true (to a greater of lesser extent) regardless of entity- or IT Staff-size.

Given the potential risks to organizations, IT Change Management (and the ability to verify the effectiveness of the process) is key to limiting the risk of both security incidents and service interruptions. Organizations of all sizes would be well advised to consider whether the resources that are devoting to the Change Management process is really appropriate. If you can't successfully and repeatably make a change to a system or infrastructure, you're entire entity is at risk.