The Inevitability of Cyber-Attack

The first thing security firm Mandiant says in its 2014 Threat Report is security breaches are inevitable. To emphasize the point, according to the recent Data Breach QuickView report from Risk Based Security, Inc., 2014 has already set the record for the most reported records exposed in a single year—after just nine months!

To quantify the extent of the breach issue, let me point out a couple of figures from Risk Based Security’s report (as of September 2014):

  • 1,922 incidents were reported
  • 904 million records were reported as exposed
  • 1,428 of the incidents were attributed to hacking (84.8 percent of records exposed)
  • 56 of the incidents were attributed to fraud/social engineering (11.5 percent of records exposed)
  • 1,573 incidents were attributed to outside actors
  • 9 percent of the total exposed records were electronic records
  • More than 50 percent of incidents exposed passwords, usernames and/or email addresses (all increases)
  • 1 percent of incidents exposed Social Security numbers
  • 2 percent of incidents exposed medical information
  • More than 6 percent of incidents exposed credit card numbers or account numbers

And although four incidents accounted for 70.9 percent of the records exposed, 75.5 percent of the incidents exposed between 1 and 1,000 records. (Keep in mind that incidents in which less than 1,000 records containing personally identifiable information were exposed are less likely to be reported, so it seems likely that 60 percent would be the bottom of the reasonable range.)

Those statements aren’t intended to send anyone into a fear-based spending spree; rather, they should help you set realistic expectations about the current threat environment. The days when an organization could reasonably depend on firewalls and anti-virus software to defend their network security perimeter are long gone. But it’s only in the aftermath of the Target breach of 2013 that the reality of this situation has begun to be understood in boardrooms and living rooms.

So at a time of increased threats to the IT security environment, why do a surprising number of organizations neither see cyber-attacks in real time nor combat them? And why do many organizations not have a Security Operations Center (SOC)?

I believe it’s because we are just beginning to act on that new understanding. We’re just beginning to add the second leg of the security stool:  detection. Detection tools have improved over the last decade, but many organizations have not perceived the threat as costly enough to justify the expense of those improving tools. And without detection, the third leg—response and recovery—is a solution without a problem to solve.

The first step in prevention is what nearly everyone already has at this point—an Intrusion Detection/Prevention System (IDS/IPS). But the advent of Advanced Persistent Threats (APTs) has brought “Tier Two” Breach Detection Systems (BDS). The IDS/IPS is the first tier. And, as has always been good practice, we apply multiple layers of detection at various segments of the network. The more valuable the data, the more sophisticated our tools need to be. It’s also important to be more vigilant when there is greater risk, e.g., when critical or sensitive applications or infrastructure are being upgraded, or when the organization is acquiring or being acquired. These are the moments when malicious actors will be looking most closely for potential vulnerabilities.

Ironically, the poster child for big breaches (Target) does have a SOC, according to an article in Bloomberg BusinessWeek. Target even has a Tier Two BDS from FireEye that alerted on the breach—on two separate occasions. And the alert was communicated to the SOC by its offshore security analysts … but the SOC failed to take action.

That’s the people part of people, processes and technologies. All have to work in concert to keep an organization safe (or at least limit the damage) from malicious actors.

The following two tabs change content below.
David Powis-Dow

David Powis-Dow

David has more than 12 years of information technology (IT) experience gained while in the retail and health care industries, including more than five years in information security. During his time in the health care field, he served as a Windows Server Administrator and Information Security Administrator and reviewed the security posture of numerous health information technology systems.

Leave a Reply

Your email address will not be published. Required fields are marked *