2014 is being called ‘the year of the breach’, due to a number of businesses falling victim to attacks.
During the past year, we have seen a trend in the UK that is frustrating many security experts: web attacks where the infiltration method and the exfiltration method are one and the same.
Attackers are siphoning data over days, months and in many cases years, all of which adds to the fear of social engineering being a prime method of introducing malware into an organisation and presenting the challenge of how organisations should best deal with targeted attacks.
>See also: The 2014 cyber security roadmap
The increase in data breaches over the past year raises the question of whether hackers are becoming increasingly sophisticated in their attacks, or in fact whether businesses are dropping the ball due to the complex nature of managing their networks, applications, databases and technologies, while lacking resources when it comes to security.
Following the data breaches that happened in 2014, there are some mistakes that can be learnt from as businesses go into a new year.
1. Misconfiguration issues
These include weak passwords, using the same password for multiple logins, failing to configure a firewall properly so that it’s blocking outbound traffic, running remote access software even if it’s not needed, failing to run up-to-date anti-virus software and enabling any user to access specific systems even if they do not need access. These areas are easily fixable but businesses continue to overlook them, which makes them an easy target for attackers.
2. Lack of resources
On many occasions we have seen in-house IT teams purchase a security technology only to realise when it arrives that they don’t have the time or manpower to make sure the technology is installed, updated, monitored and continuously working properly. The product then begins to collect dust as it sits on the shelf while the business’s data remains unprotected, or even worse, a false sense of security is created around misconfigured or misunderstood technologies.
3. Security weaknesses across third party providers
When organisations outsource their IT functions to third party providers, in many cases, the providers use remote access software to help fix technological problems within their infrastructure. Unfortunately, many businesses may be unaware that their third party provider isn’t adhering to security best practices such as using strong passwords and two factor authentication.
4. Poor application security
The frequency of web attacks isn’t hitting home for many organisations. According to the Trustwave Global Security Report, it was found that 96% of applications scanned contained one or more serious security vulnerability, with 4 out of 5 businesses admitting that they had rolled out projects that contained known security issues. Organisations must run regular testing and for security to be included in the development cycle, as it is a clear contributor to a large proportion of the compromises found.
5. Lack of segmentation
Too often businesses mix all of their networks together so that all their data, sensitive and non-sensitive, flows through the same networks. This setup enables criminals to access sensitive data more easily since they only need to break into one network to get it. Businesses should segment their networks, so that those carrying sensitive information are separated from those with non-critical information.
6. Non-existent or unpractised incident response readiness plans
When an attack happens, many businesses don’t know who to call, what to do next, how to contain it and critical steps to help minimise the damage and get back to business as usual. Implementing and testing an incident response readiness plan can help businesses identify and remediate security weaknesses, detect compromises faster and minimise the damage from a breach. Findings from the 2014 Trustwave Global Security Report showed that on average it took organisations that self-detected a breach to contain the breach one day, whereas it took organisations 14 days to contain a breach when it was detected by a third party such as law enforcement or a regulatory body.
As businesses head into 2015 and beyond, they must make sure they don’t get sloppy with their security. Businesses and third party providers must use methods such as complex passwords, two-factor authentication and follow security best practices.
Sourced from Michael Aminzade, Trustwave