The old saying “one man’s misfortune is another man’s gain” is eminently applicable in the information security industry. When an organization becomes the victim of a security breach, its misfortune should be viewed as an opportunity for the rest of us to learn how to improve the security of our own systems.
In the last few months, news outlets have covered a number of security breaches of some very high-profile organizations such as Target, Neiman Marcus, KT Corp, and Forbes (to name but a few).
Instead of reading these reports and breathing a sigh of relief that our organization was not targeted, we should look to see what we can learn from those incidents to better prepare our defenses.
A system is made up of many components. When it comes to information security systems, technology is just one of those components. We need to look beyond the technical aspects of these attacks, and analyze the business, people and process elements that also contributed to the breach.
Here are some of the things that struck me as a good idea while reading the various media coverage of the aforementioned attacks:
1. Conduct a risk assessment for all your systems to determine how the evolving threat landscape could impact them. A lot of the attacks targeted personal information such as user names, email addresses and passwords. If any of your systems store such data, you should reassess the risk profile for those systems and implement appropriate controls.
2. A lot of the recent attacks targeted users’ email addresses, passwords and credit card details. So, have you reviewed lately how well you are securing that information? Is your password database secured? Are the permissions protecting the password file/database sufficient?
3. A number of recent attacks were the result of exploitation of application vulnerabilities (e.g. SQL Injection). How confident are you that all your systems are not vulnerable to web application attacks? Now is the time for you and your development team to become familiar with the OWASP top 10 web application vulnerabilities and to develop a program to eradicate them from your applications. You should do this as a result of your risk assessment and target the more critical systems first.
4. Some of the organizations that were breached did not know they had been successfully targeted until the attackers posted the stolen information onto the web. How confident are you that you could detect an attack against your organization? How well do you monitor and review your logs for suspicious behavior? Are you sure that your log files and audit trails are capturing all the information you need? Now would be a good time to review your log management strategy so that you could answer those questions positively.
5. Has your organization appointed someone responsible for information security and, if it has, does that person have the appropriate authority and resources to fill that role effectively?
6. Lack of communication, transparency and openness about the attacks has been the heaviest criticism leveled against some of the victims. Is your organization prepared for a breach? Would you be able to quickly identify the compromised assets and the impact the attack could have on your organization and your customers? Do you have people trained in how to communicate with the press, staff and customers in the event of a breach?
7. A number of those breached organizations are also suppliers to other companies. We should consider these breaches as reminders to ensure that our suppliers and the products they provide to us are properly secured. When dealing with vendors, perform a security check on them. To get assurance from your suppliers regarding the security of their systems, products and services, include the following items in your procurement checklist:
- Who in the vendor organization is responsible for information security?
- What security qualifications does the vendor’s staff have?
- What steps do they take to ensure their products do not contain vulnerabilities, specifically the OWASP top 10?
- What security standard, such as ISO 27001:2005, is the vendor certified against?
- You could look into including all or parts of the OWASP Secure Software Contract Annex, and into my earlier blog post, Selecting a Secure Development Partner.
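As a starting point for the review in item 2, the sketch below audits a password file for two things: who can access it, and how each password is stored. It is an added example, not code from the original post; the `user:value` file layout, the function names and the sample entries are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Modular-crypt prefixes of salted, iterated schemes (bcrypt, argon2, scrypt, sha512crypt).
STRONG_PREFIXES = ("$2a$", "$2b$", "$2y$", "$argon2", "$scrypt$", "$6$")
HEX = set("0123456789abcdef")

def check_permissions(path):
    """List findings when anyone other than the owner can touch the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & stat.S_IRWXG:
        findings.append(f"group access (mode {mode:04o})")
    if mode & stat.S_IRWXO:
        findings.append(f"world access (mode {mode:04o})")
    return findings

def classify(stored):
    """Guess the storage scheme from the shape of the stored value."""
    if stored.startswith(STRONG_PREFIXES):
        return "salted-iterated"
    if len(stored) in (32, 40, 64) and set(stored.lower()) <= HEX:
        return "bare-digest"  # length of raw MD5 / SHA-1 / SHA-256 hex, no salt field
    return "plaintext-or-unknown"

def audit(path):
    """Check file permissions and every user:value line in the store."""
    weak = []
    with open(path) as fh:
        for line in fh:
            user, sep, stored = line.strip().partition(":")
            if sep and classify(stored) != "salted-iterated":
                weak.append((user, classify(stored)))
    return {"permissions": check_permissions(path), "weak_entries": weak}

def write_sample(mode):
    """Create a constructed sample store with the given mode; return its path."""
    rows = ["alice:$2b$12$" + "x" * 53,              # bcrypt-shaped placeholder
            "bob:0123456789abcdef0123456789abcdef",  # 32 hex chars, bare digest
            "carol:Summer2014"]                      # stored in the clear
    fd, path = tempfile.mkstemp(suffix=".pw")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(rows) + "\n")
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    p = write_sample(0o644)
    print(audit(p))
    os.remove(p)
```

The permission check relies on POSIX mode bits, so it applies to Unix-like hosts; a store held in a database needs the equivalent review of its grants and column contents.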
Watching someone else suffer is never easy, but if that suffering can help others then we should take advantage of the opportunity and take the necessary steps to ensure that we will not be the next ones to suffer.
Brian Honan is an independent security consultant based in Dublin, Ireland, and is the founder and head of IRISSCERT, Ireland’s first CERT. He is a Special Advisor to the Europol Cybercrime Centre, an adjunct lecturer on Information Security in University College Dublin, and he sits on the Technical Advisory Board for several information security companies. He has addressed a number of major conferences, wrote ISO 27001 in a Windows Environment and is co-author of The Cloud Security Rules. He regularly contributes to a number of industry-recognized publications and serves as the European Editor for the SANS Institute’s weekly SANS NewsBites.