NED Cyber Security Report Part 3: Once More Unto The Breach

This exclusive series examines what you should know about cyber security in 2016, from the threats to defenses. This chapter focuses on breaches.

In part one of this report, Scott Harrell, Vice President of Product Management for Cisco's Security Business Group, warned that when it comes to network breaches, "You need to assume that even if you have the best defenses in the world, sometimes people are going to succeed."

When the security expert says no defense is impenetrable, it shouldn't deter you from deploying the best defense you can. It should, however, make you reevaluate your network architecture.

Securing digital resources isn't all that different from securing your company's physical space. Your facility is probably broken up into departments, such as accounts payable or shipping and receiving. The former may be separated further into cubicles, while the latter is an austere box near the loading dock. Elsewhere are executives' offices and custodial closets.

Everything is broken up, with walls and doors and locks keeping it all that way. It's probably not all one big room.

A random delivery driver may be able to come in through the loading dock and enter the building, but can he make it to the president's office and start posting on his Facebook page? Probably not, because that would be crazy.

Look at your network the same way.

"You need to control lateral movement," says Harrell, stressing that software-defined segmentation is the best way to isolate and protect your most critical assets, such as industrial robots or production line controls.

Segmentation may not keep every jerk out of your building, but it will sequester him in the lobby, so he can't break into research and development to take a look at your latest innovation.

If you don't have the proper policies in place to segment your network, a minor breach can turn into a full-scale invasion.

"If I'm an adversary and I get a hold of one node, I can generally move around your network at free will," Harrell says.

That's exactly what happened during the infamous Target breach in 2013.

That summer the Minneapolis-based retailer began installation of a $1.6 million malware detection system from FireEye. Fast forward to the week before Christmas, and the giant retailer announced it had become one of the biggest marks in cybercrime history.

An estimated 40 million credit card numbers and 70 million other pieces of personal data, such as addresses and phone numbers, were stolen during the post-Thanksgiving shopping blitz. Starting on Nov. 30, any time someone swiped their card at a point of sale terminal, a malware program ushered their info to a pirated Target server. Such servers acted as holding cells for the data until the thieves could wire it to Russia.

Before the hackers received the data, the third-party monitoring team in Bangalore detected the intrusion and notified Target's security team. Then the system located which servers were hijacked, and FireEye sent more alerts with escalating urgency, Bloomberg Businessweek reports.

According to auditors, the automated function that would have deleted the malware was turned off. That wouldn't have been so bad if the security team had heeded the alerts. Instead, on Dec. 2, the credit card info was delivered to Russia. The F.B.I. informed Target of the breach on Dec. 15, and the public found out four days later.

It was later discovered the malware entered through a compromised thermostat from a third-party HVAC vendor that monitors the big-box stores' environments.

"However the malware entered the system, it shouldn't have had access to the entire castle," explains Tyler Cohen Wood, cyber security adviser for Inspired eLearning, a security awareness and compliance training center.

"You need to have a strong monitoring policy, making sure you don't have unnecessary devices connected to your crown jewels," says the former senior intelligence officer for the Defense Intelligence Agency. "There's no reason HVAC devices should have been a hopping point into point of sales machines."

Target paid a huge price for its failure. The Wall Street Journal reported the retailer doled out $67 million to Visa card issuers and another $10 million to the individual victims.

Target is one of countless organizations that have been breached in the last two years, Wood notes. Among them are JC Penney, Neiman Marcus and Home Depot, the latter of which broke Target's record of credit cards stolen by 16 million, although it took five months.

The more connected we are, the more at risk we become.

Before you think this could never happen to your company, Wood points out "a lot of companies never even know they've been breached."

Verizon's 2015 Data Breach Investigations Report calculates that exposing 10 million records in a breach could cost a company $2.1 million to $5.2 million.

Smart devices, like the Nest Learning Thermostat, make our lives easier and more efficient, but also create another entry point for hackers.

Children's electronics manufacturer VTech admits that last November's breach was revealed to them by Motherboard. The man who claims responsibility alleges it was an act of hacktivism, as VTech's websites, and thus millions of parents' and children's personal information and photos, were vulnerable to a well-known, and therefore preventable, hacker trick known as a SQL injection. He was merely trying to shed light on those weaknesses.

If your company gets hacked, your attackers probably won't have such altruistic motives.

Unless you work for a giant company that can handle losses in the hundreds of millions, along with a pummeled reputation, a breach could end your company, putting you, your co-workers and respective families at risk.

The cybercrimes spoken about so far have been financial in nature. The criminals themselves are the bank robbers and pick-pockets of the virtual world.

If those were the only threats out there, President Obama's administration would not have pledged $19 billion in cybersecurity for the fiscal year 2017 budget, a spending increase of 35% from 2016. This includes cybersecurity training for 1.4 million small businesses.

There are worse crimes out there than identity theft. The Target breach showed how the Internet of Things could be turned against a company to affect tens of millions of people. That's one retailer over one weekend.

The IoT links everything from home automation to power plant operation, creating an attack surface that surrounds us in nearly every part of our lives. What type of damage can a truly malicious cyber terrorist, or enemy nation-state, cause?

In part 4, we'll explore the multitude of ways the Internet of Things will totally lead to Armageddon and why you should start packing your bug-out bag right now. For people not into overreacting, we'll also cover how to responsibly improve your cyber security measures so we can leverage the IoT to improve the planet.

Keep reading our special series on cyber security tomorrow for the biggest threats to America's industrial and national security interests.
