Thales Blog

Breaches And More Breaches - We Need To Play A New Game!

May 12, 2015

It’s been one crazy year – just a quick search on cybersecurity turns up companies staging data breaches in order to extort money from clients, Obama signing a new cybersecurity executive order, and Russia and France tightening their cybersecurity controls.


Executives are finding that the biggest struggle when it comes to cybersecurity is where to trust their investment, what companies to look to and what solutions are most effective. Needless to say, the state of data security is a serious problem. And here are just a few of the many data breaches we’ve seen as the thunder continues to roll:

  • Sally Beauty Supply: Cosmetics retailer Sally Beauty Supply is investigating what could be the second data breach in just over a year (the first breach, in March 2014, affected 25,000 customer records). The company received reports of unusual activity involving payment cards.
  • White House network: In October last year, the Obama administration revealed that an unclassified computer network used by the US government had been infiltrated by hackers. The security breach caused a temporary system outage. Later reports said the incursion was far more intrusive and worrisome than publicly acknowledged.
  • Tesla: In late April, Tesla’s site and a number of its Twitter profiles were hacked. The company released details of what went down, which included social engineering by the hackers, who abused AT&T customer support. Investigation confirmed that the hacks were not malicious and solely a prank.
  • WordPress: In April 2015, WordPress identified a zero-day that made it easy to hijack millions of websites. The WordPress content management system used by millions of websites was vulnerable to two newly discovered threats that allowed attackers to take full control of the web server. The attack code that was released targets one of the latest versions of WordPress, making it a zero-day exploit that could touch off a series of site hijackings throughout the Internet. About two hours after the vulnerability was discovered, WordPress released a critical security update to fix the zero-day vulnerability.

Just short of two weeks after the first vulnerability, a security researcher also uncovered a critical cross-site scripting vulnerability in a WordPress plugin that allowed attackers to hijack a site. The plugins were JetPack, a customization and performance tool, and Twenty Fifteen, used for infinite scrolling. WordPress installs Twenty Fifteen by default, which increased the number of vulnerable sites.

  • Seton Family of Hospitals: Approximately 39,000 patients received letters about a breach in which hackers accessed protected patient information, including demographic information, medical record numbers, insurance information and Social Security numbers. Seton was notified of the breach in February.

Let’s think about hackers for a second

When you think about hackers, the obvious stereotype is the guy who sits in his basement with little to no social skills. Now to say this is far from the truth would be a complete understatement.

Investigators of the Anthem data breach were pursuing evidence that points to Chinese state-sponsored hackers who are stealing personal information from healthcare companies for purposes other than profit. The Canadian government accused China of hacking the IT infrastructure of the National Research Council of Canada (NRC), Canada’s top technology and science research organization. Additionally, revelations surrounding attacks infiltrating JPMorgan Chase & Co. left open questions about state-sponsored attacks.

Nowadays, the word hacker carries much larger ramifications, and the physical effects are real. We need to get a grasp on the data breach trend before it spirals even further out of control.

The man that changed everything

I don’t need to tell you that Snowden’s leak changed the world as we know it today. And while Snowden opened the door to the most controversial surveillance program, even two years later his revelations are still having a rolling effect. On May 7, the US Court of Appeals ruled that the bulk collection of telephone metadata is unlawful, despite the NSA’s claims that the data collection should be protected under the Patriot Act.

State-sponsored ‘monitoring’

Following a much different track than that of the US, this month the French parliament has overwhelmingly approved sweeping new surveillance powers in the wake of the January terrorist attacks in Paris.

The new bill, introduced in Paris, allows intelligence agencies to tap phones and emails without seeking permission from a judge. With wide support, the bill was passed in the national assembly by 438 votes to 86.

Two developments in Russian law limit the ability of cloud and other online services to publish online content and to make Russian data remotely available online. The first requires data operators to store Russian citizens’ information locally. The second imposes censorship requirements on certain website operators and electronic communication services.

Privacy, whether on an individual, enterprise or state level, has become all the talk nationwide. And while the US ruling on the NSA’s activities points toward US opinion on the matter, countries are still trying to strike that perfect balance between monitoring for the ‘bad guys’ and maintaining privacy.

What does this all mean?

In light of recent breaches, companies are also taking a different approach, re-examining how they secure data. Our 2015 Insider Threat Report global results found that only 7 percent of organizations believe they will be in a position to spend less on data protection and information security this year than last year.

The global survey results showed that 54 percent of respondents plan to increase their security spend to deal with insider threats next year and the remaining 39 percent will be spending at least as much as they are now. Below are a few results from our insider threat report:

  • 55% of respondents globally (59% in the US) believe privileged users pose the most threat to their organization
  • Almost half (44%) of U.S. respondents had experienced a data breach or failed a compliance audit in the last year (40% of respondents Global, and 48% in ASEAN)
  • 89% of Global respondents said they were somewhat or more vulnerable to insider threat – almost 2X the number in 2013 (In the US the number was higher – 93

Staying on top of security breaches

It’s clear we need to stay on top, or potentially get on top of these security threats. To do so, we all need to “get with the program” - not just play the same old game and get the same old results:

  • Many breaches start with simple-to-correct problems, like failures to keep security patch states current, or misconfigurations. The tools to stop these problems are there, and have been for years – we need to use them, and motivate organizations that don’t to make it a priority.
  • Organizations also need to admit to themselves that their defenses can no longer keep attackers outside their perimeter – determined attackers will find a way in – and compensate for this.
  • Data-centric protection is the most effective protection when this happens, and needs to become a required layer in every enterprise’s security posture.
  • Multi-factor authentication stops many cyber attack methods dead in their tracks – but except for a few outliers in sectors with the highest requirements, it isn’t used. It can be as simple as Google’s requirement to authorize new devices via a text to your mobile phone – any step forward greatly reduces the possible methods of entry.
  • The lack of cybersecurity professionals is also worrying – our young people need to see themselves as cyber-defense heroes, not as the dismal nerds locked in their parents’ basements (and eating Twinkies) that we talked about earlier, or this problem won’t be resolved.
  • Best practices need better recognition and standardization – and must be flexible and extendable as threats change hour by hour, and day by day.
  • Threat sharing is already a de facto part of many vendors’ offerings, and current efforts to extend this across vendors and solution sets should be tried as a way to more quickly offset new attacks.

Cyberdefense needs the same kinds of priorities we give to law enforcement and national defense – the Internet really is a frontier that reaches nearly every home – and it’s wide open.