Earlier this week, Domino’s Pizza became the latest victim of a breach and ransom demand. Recent DDoS attacks on Evernote and Feedly DDoS, along with the efforts of Cryptolocker and other tricks to extort hard cash from unsuspecting users, are rapidly gaining momentum and are becoming a serious threat to individuals and organisations of all sizes. These brazen attempts to make a quick profit will only be fuelled for as long as they remain successful.
In these latest incidents we are seeing a continuation of a theme – if your company holds passwords and account information for customers, and you have an online method for those details to be used or accessed, there is a real threat that you could end up in the news for all the wrong reasons if the criminal gangs behind these attacks turn their attention to you.
So what is the new normal for companies wanting to prepare for a cyber breach? What steps should organisations be seeking to put into place in order to have the best possible response to a breach incident?
STEP 1 – Recognise your risk (update the “risk register’): Your risk register should – by default – hold the breach of customer account information as a defined risk and its potential to be obtained by the very real threat actors out there. It is very clear that this information is being targeted by hackers – it is important for organisations to carefully assess exactly what customer information they are culpable for in order to understand the level of risk they are exposed to.
STEP 2 – Secure the data (implement and verify the right controls): Your standard controls should include strong hashing with a protected salt. Complex passwords should be enforced, and the standard security hardening, patching and testing needs to be conducted. Passwords do not normally need to be stored in a reversible manner (such as encrypted, and clearly not in plain text or simply obfuscated).
You will need to accept a level of risk in your internet and email connected environments and remove your sensitive data into a hardened core. This core may not even be connected to the open internet at all. Think of this network model as looking like an avocado. You cannot rely on the traditional model of a hardened outer network shell, much like a coconut. Recent hacking incidents, spear phishing attacks and drive by downloads delivering custom malware, have all shown that this model is outdated and vulnerable.
STEP 3 – Monitor your environment (define standard monitoring, know what is happening and actively hunt on your network): Your “business as usual’ practise should ensure that you have active monitoring in place, with your data stored and protected well back from your public servers.
Any active changes, non-standard behaviour and unauthorised activity should be monitored across the network and alerted. An incident response plan should have been tested and rehearsed to ensure a breach can be detected BEFORE data extraction occurs. Make sure the path to your data is lined with multiple trip wires (monitored events) to ensure the hackers’ chain of actions prior to data extraction can be seen (reconnaissance, weakness exploits, delivery, extraction, etc). This will give you multiple opportunities to intercept and stop.
STEP 4 – Simulate and test (conduct real world penetration testing): So much penetration testing these days focuses on the type of attacks run by unskilled hobbyist hackers (that is to say that the attacks are noisy, tool driven and automated), rather than real world criminals who are targeted, custom, slow and quiet. Use valid Threat Intelligence to know what the bad guys will attempt and simulate what you really think may happen – not what you tested last year or even what your testing company does as standard.
STEP 5 – Remain agile (continually re-visit the risk and verify the right controls and response capabilities are in place): Don’t stand still and don’t sit down. The hackers won’t be. As defenders we need to remain vigilant and adaptable. Govern, evaluate, learn lessons and improve.
The only way to protect your organisation from a breach is to expect it to happen and prepare for it. Ask yourself, if a certain breach happened to you, would you be able to detect and stop it in time?
Finally, never pay hackers a ransom. You will encourage the very action you want to stop. Hunker down, weather the storm and learn from it. And be better prepared for next time.