What We Should Be Learning and Doing Based On Today's Data Breaches
By Deborah Blyth, CISO, Colorado Governor's Office of Information Technology
As I continue to reflect on all of the data breaches over the past several months, there are certain consistencies that emerge, and there are specific actions these breached enterprises are taking to strengthen their attack prevention and data protection capabilities. If other enterprises can learn from and apply these same corrections, they can significantly reduce their own level of risk. I found myself telling my team recently “let’s do these things now, let’s not wait for the breach to happen to us.”
Implement workstation and laptop controls to protect users.
Nearly all of the most recent large data breaches have involved phishing and malware, reinforcing what we’ve known for a while: users are the weakest link. Not only do we need to continue to educate and remind, we need controls in place for when the user does click on the link, which WILL HAPPEN! Reducing administrative privileges on end-user computing devices, implementing application whitelisting and deploying host intrusion prevention provide some of those controls. At the State of Colorado, we recently deployed host intrusion prevention across all of the workstations and laptops in our environment. While we did need to create some custom exception rules for a few poorly-coded applications, the implementation was successful with fewer users impacted than initially envisioned. We used a very methodical process, selecting pilot groups, resolving issues, following our change management processes and implementing a specific number of workstations per change window. Early success allowed us to increase the size of those deployment groups, which enabled us to finish our deployment of more than 29,000 end-user systems 10 weeks ahead of our planned schedule. This provides an additional layer of defense expected to prevent the types of behaviors malware commonly exhibits.
Inventory Sensitive Data.
It’s very important to have an inventory of your systems, but even more important to have an inventory of all of the places where sensitive data is stored. The ideal security architecture would be to isolate the systems that hold sensitive data and apply your greatest level of security controls to those. However, even when that has been standard practice, I have often discovered that users had generated reports or downloaded subsets of data and were storing these on network-attached file shares in the environment. Specific types of data loss prevention tools, including tools with scanning capabilities, were needed to find sensitive data in all of the places users were storing it. These tools became effective for coaching and retraining users and for discovering business processes that needed to be updated to include appropriate masking or removal of data. Implementing data loss prevention tools was an eye-opening experience, creating the opportunity to clean up the data sprawl and reinforce enterprise data handling policies.
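To make concrete what the "scanning" part of a DLP tool does when it crawls a file share, here is an added example (not the State of Colorado's tooling or any vendor's product): it walks a directory tree, looks for SSN-shaped and payment-card-shaped strings, and uses a Luhn check so that ticket numbers and other random digit runs are not reported as card numbers. The sample "share", its files and the size cap are constructed for the example.

```python
"""Scan a file tree for sensitive-data patterns (SSNs, payment card numbers).

Added example, not the State of Colorado's tooling: a minimal stand-in for the
scanning feature of a DLP product. Patterns, sample files and limits are
constructed for illustration.
"""
import os
import re
import tempfile

# US SSN, 3-2-4 digits; reject area 000/666/9xx, group 00 and serial 0000 (never issued).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

SKIP_EXTENSIONS = {".exe", ".dll", ".png", ".jpg", ".zip"}  # not text; skip
MAX_BYTES = 5 * 1024 * 1024  # assumption: bound the example's read size


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates plausible PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Return counts of SSNs and Luhn-valid card numbers found in text."""
    ssns = SSN_RE.findall(text)
    pans = [m for m in PAN_RE.findall(text) if luhn_ok(re.sub(r"[ -]", "", m))]
    return {"ssn": len(ssns), "pan": len(pans)}


def scan_tree(root: str) -> list:
    """Walk root; return [(relative path, {'ssn': n, 'pan': n})] for files with hits."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in SKIP_EXTENSIONS:
                continue
            if os.path.getsize(path) > MAX_BYTES:
                continue
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                hits = find_sensitive(fh.read())
            if hits["ssn"] or hits["pan"]:
                findings.append((os.path.relpath(path, root), hits))
    return sorted(findings, key=lambda f: f[0])


def build_sample_share() -> str:
    """Create a constructed 'file share' in a temp dir for the demonstration."""
    root = tempfile.mkdtemp(prefix="share-")
    os.makedirs(os.path.join(root, "reports"))
    samples = {
        # A user's exported report: two SSNs and one Luhn-valid test PAN.
        "reports/q3_export.csv": (
            "name,ssn,card\n"
            "A,123-45-6789,4111 1111 1111 1111\n"
            "B,234-56-7890,\n"
        ),
        # Looks similar but is not sensitive: a Luhn-invalid ticket number and an
        # impossible SSN area (000).
        "reports/tickets.txt": "ticket 1234567890123456 opened; ref 000-12-3456\n",
        "readme.txt": "Nothing sensitive here.\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, hits in scan_tree(build_sample_share()):
        print(f"{rel}: {hits}")
```

The Luhn filter and the SSN area/group/serial exclusions are what keep a scan like this usable on a real share; without them the volume of false positives buries the exported reports the author describes finding.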
Encryption is paramount.
Ensure that sensitive data is appropriately encrypted, at rest and in transit. If a breach does occur and encrypted data is stolen, data owners can be assured that their data is still protected from unauthorized access, provided the keys were not stolen along with it. That caveat matters: encryption only helps when keys are stored and managed separately from the data they protect, and it does nothing against an attacker who reads the data through a compromised account or application that is authorized to decrypt it.
Multi-factor or two-factor authentication is overdue.
We’ve all deployed special-purpose two-factor authentication to pass Payment Card Industry Data Security Standard (PCI DSS) or Internal Revenue Service Federal Tax Information (IRS FTI) requirements, but it’s time to deploy this enterprise-wide. The implementation should start with all system and network administrators, progress to include all users remotely accessing networks containing sensitive data, and then you should consider whether it should encompass all employees of your organization. Don’t forget to include your service providers and external parties who have access to your network for support and other services – all remote access to your network should be authenticated using two-factor authentication. While we’ve known for more than a decade now that passwords alone are not good gatekeepers to our networks, most enterprises have been slow to widely adopt two-factor authentication.
Fix known weaknesses.
Go through your old audit findings and ensure you’ve fixed these across all systems in your environment. Auditors don’t typically have to dig very deep to find problems – that’s true in every environment. However, mature organizations develop remediation plans to ensure that known security weaknesses will be corrected in a timely manner. While no enterprise can state that they have no security weaknesses, it is critically important to proactively discover and correct those weaknesses on an ongoing basis.
Implement a vulnerability management program.
Existing vulnerabilities can be used by attackers to gain access to your environment. Systems need to be regularly assessed to determine whether vulnerabilities exist, and vulnerabilities need to be remediated on an ongoing basis, prioritized by severity and by whether the affected system is exposed or holds sensitive data. If your program is ad hoc, it needs to be formalized to ensure vulnerabilities are detected quickly and that re-scans are occurring to validate these have been fixed; a finding is only closed when a later scan of the same system no longer reports it.
Practice good security hygiene.
Convey your expectation to your team and prioritize the effort to ensure you are maintaining good security hygiene. Validate this by testing your level of patching, compliance with your hardening standard, and the time it takes to fix vulnerabilities detected during your vulnerability scans. These are good metrics to enable your team to report to management how well they are doing in maintaining good security hygiene.
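The vulnerability management and hygiene points above both come down to the same report: how old each open finding is, whether it is inside its remediation target, and how long closed findings took to fix, with a finding counted as closed only when a re-scan of that host no longer reports it. The following added example (not the State of Colorado's program or any scanner's output) computes that report from constructed scan runs and findings; the SLA targets, hosts, finding IDs and re-scan threshold are assumptions for the example.

```python
"""Time-to-remediate and SLA reporting over vulnerability-scan history.

Added example, not the State of Colorado's program: a stand-in for the report a
vulnerability management program builds from scanner exports. Scan runs,
findings, hosts and SLA targets are constructed for illustration.
"""
from collections import defaultdict
from datetime import date

# Assumed remediation targets in days, by severity (take these from your own policy).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Assumed: a host not rescanned within this many days cannot prove anything was fixed.
RESCAN_DAYS = 14

# Constructed scan runs: (scan date, hosts actually scanned in that run).
SCAN_RUNS = [
    (date(2016, 1, 4), ["web01", "db01", "app01"]),
    (date(2016, 1, 11), ["web01", "db01"]),
    (date(2016, 1, 18), ["web01", "db01"]),
    (date(2016, 1, 25), ["web01", "db01"]),
]
# Constructed findings: (scan date, host, finding id, severity). A finding is
# closed only when a LATER scan of the same host no longer reports it.
FINDINGS = [
    (date(2016, 1, 4), "web01", "V-1", "critical"),
    (date(2016, 1, 11), "web01", "V-1", "critical"),
    (date(2016, 1, 4), "web01", "V-2", "high"),
    (date(2016, 1, 4), "db01", "V-3", "high"),
    (date(2016, 1, 11), "db01", "V-3", "high"),
    (date(2016, 1, 18), "db01", "V-3", "high"),
    (date(2016, 1, 25), "db01", "V-3", "high"),
    (date(2016, 1, 18), "web01", "V-4", "high"),
    (date(2016, 1, 25), "web01", "V-4", "high"),
    (date(2016, 1, 4), "app01", "V-5", "high"),   # app01 was never rescanned
]


def summarize(scan_runs, findings, as_of):
    """Return open findings (age, SLA status, staleness), closed findings
    (days to fix, within SLA) and mean time to remediate, as of `as_of`."""
    scanned = defaultdict(set)                  # host -> dates it was scanned
    for d, hosts in scan_runs:
        for h in hosts:
            scanned[h].add(d)
    observed = defaultdict(list)                # (host, id) -> [(date, severity)]
    for d, host, fid, sev in findings:
        observed[(host, fid)].append((d, sev))

    open_findings, closed_findings = [], []
    for (host, fid), obs in observed.items():
        first = min(d for d, _ in obs)
        last = max(d for d, _ in obs)
        sev = obs[0][1]
        later_scans = sorted(d for d in scanned[host] if d > last)
        if later_scans:                          # absent from a later scan: fixed
            days = (later_scans[0] - first).days
            closed_findings.append({"host": host, "id": fid, "severity": sev,
                                    "days_to_fix": days,
                                    "within_sla": days <= SLA_DAYS[sev]})
        else:                                    # still open, or never rescanned
            age = (as_of - first).days
            last_scan = max(scanned[host])
            open_findings.append({"host": host, "id": fid, "severity": sev,
                                  "age_days": age,
                                  "sla_breached": age > SLA_DAYS[sev],
                                  "stale": (as_of - last_scan).days > RESCAN_DAYS})
    mttr = (sum(f["days_to_fix"] for f in closed_findings) / len(closed_findings)
            if closed_findings else None)
    order = lambda f: (f["host"], f["id"])
    return {"open": sorted(open_findings, key=order),
            "closed": sorted(closed_findings, key=order),
            "mttr_days": mttr}


if __name__ == "__main__":
    report = summarize(SCAN_RUNS, FINDINGS, date(2016, 2, 8))
    for f in report["open"]:
        print("OPEN  ", f)
    for f in report["closed"]:
        print("CLOSED", f)
    print("mean days to fix:", report["mttr_days"])
```

The "stale" flag is the detail most ad hoc programs miss: app01's finding looks like every other open item, but nobody has rescanned the host since it was found, so neither "fixed" nor "still vulnerable" can honestly be reported to management.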
Ensure new systems are deployed in a pre-hardened configuration.
Systems that aren’t built to a specific secure configuration standard or tested to ensure they meet security configuration requirements are likely going to be built and implemented in a less-than-secure state. Using something like the Center for Internet Security Configuration Assessment Tool (CIS-CAT) allows you to measure your configuration against a standardized security configuration guideline to determine how well it conforms to industry recommendations as well as internal policies. It’s good to have a checklist for implementing new systems, even better to have a gold image that is always used for deployment, and best to use a combination of the gold image and configuration assessment tools to validate that the gold image was correctly deployed and that the configuration is meeting standardized security configuration recommendations. The assessment step matters because a gold image only proves the state at deployment time; it is the later, well-intentioned manual change that the assessment catches.
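To show what a configuration assessment actually checks after a gold image is deployed, here is an added example (not CIS-CAT and not the State of Colorado's hardening standard) that evaluates an OpenSSH server configuration against a small baseline. It reproduces two sshd_config semantics that trip up naive checkers: the first occurrence of a keyword wins, and settings after a `Match` line are conditional rather than global. The baseline, the assumed defaults for absent keywords (which vary by OpenSSH release) and both sample configurations are constructed for the example.

```python
"""Check an sshd_config against a hardening baseline, as a configuration
assessment tool does after a gold image is deployed.

Added example, not CIS-CAT and not the State of Colorado's standard: the
baseline, the assumed defaults and the sample configs are constructed.
"""
import re

# Constructed baseline: keyword -> required value, or ("max", n) for a numeric ceiling.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": ("max", 4),
}
# Assumed effective value when a keyword is absent. Defaults differ between
# OpenSSH releases, so a real checker carries per-version tables; these are assumptions.
ASSUMED_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
}


def parse_sshd_config(text):
    """Return the effective global settings: keywords are case-insensitive, the
    FIRST occurrence of a keyword wins, and global evaluation stops at the first
    'Match' block (lines after it apply only conditionally)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)                 # first occurrence wins
    return settings


def assess(text):
    """Compare effective settings to BASELINE; return [(key, expected, actual, source)]
    where source says whether the offending value came from the file or a default."""
    cfg = parse_sshd_config(text)
    deviations = []
    for key, want in BASELINE.items():
        source = "config" if key in cfg else "default"
        actual = cfg.get(key, ASSUMED_DEFAULTS.get(key))
        if isinstance(want, tuple):
            ok = actual is not None and actual.isdigit() and int(actual) <= want[1]
            expected = f"<= {want[1]}"
        else:
            ok = actual is not None and actual.lower() == want
            expected = want
        if not ok:
            deviations.append((key, expected, actual, source))
    return deviations


# Constructed: what the gold image ships.
GOLD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
"""

# Constructed: the same host after an admin "temporarily" re-enabled passwords.
# The second PermitRootLogin is ignored (first wins) and the Match block does not
# change the global PasswordAuthentication setting.
DRIFTED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication yes
PermitRootLogin yes
MaxAuthTries 10
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    print("gold image:", assess(GOLD_CONFIG) or "conforms")
    for key, expected, actual, source in assess(DRIFTED_CONFIG):
        print(f"DEVIATION {key}: expected {expected}, found {actual!r} (from {source})")
```

Reporting the source of a failing value ("config" versus "default") is worth the extra column: a keyword the gold image never set is a gap in the image itself, while a keyword that was set and later changed is drift on that one host.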
Have an incident response plan in place and practice it.
Include others outside of your department and key business partners so that you get different perspectives and discover issues that your team alone wouldn’t likely discover. Practicing your plan and updating with lessons learned will ensure that your incident response plan is actually useful when needed.
Improve incident detection and response.
Ensure that your security monitoring team is trained to spot the anomalies and to react quickly to contain security incidents. If you haven’t updated your technology in the past decade, it is probably time to do so. Next-generation technology can highlight activities that older technology simply wasn’t able to detect, but the detection logic still has to encode what an anomaly looks like in your environment, and the team has to know which alerts warrant immediate containment.
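As an added example of the kind of anomaly a monitoring team should be spotting (not the State of Colorado's detection content or any product's rules), the following code runs two detections over constructed sshd-style log lines: a burst of failed logins from one source inside a sliding window, and the higher-priority case of a successful login from a source that had just been failing, which is the signal that a password guess or spray actually worked. The thresholds, hostnames, usernames and addresses are assumptions for the example (the addresses are from the documentation ranges).

```python
"""Sliding-window detection of brute-force and success-after-failure logins
over sshd-style syslog lines.

Added example, not the State of Colorado's monitoring rules. The log lines,
thresholds and names are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse(line, year=2016):
    """Extract timestamp, outcome, user and source from an sshd auth line;
    returns None for lines that are not login attempts. Syslog lines carry no
    year, so the caller supplies one (assumed 2016 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "src": m["src"]}


def detect(lines, threshold=5, window=60, min_failures_before_success=3):
    """Return alerts. 'brute_force': >= threshold failures from one source within
    `window` seconds (raised once per source). 'success_after_failures': a login
    succeeds from a source with at least `min_failures_before_success` recent
    failures; a single typo followed by success is deliberately not alerted."""
    recent = defaultdict(deque)          # src -> deque of (ts, user) failures in window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        while q and (ev["ts"] - q[0][0]).total_seconds() > window:
            q.popleft()                  # slide the window forward
        if ev["outcome"] == "Failed":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= threshold and ev["src"] not in alerted:
                alerted.add(ev["src"])
                alerts.append({"type": "brute_force", "src": ev["src"],
                               "failures": len(q),
                               "users": sorted({u for _, u in q}), "at": ev["ts"]})
        else:                            # Accepted
            if len(q) >= min_failures_before_success:
                alerts.append({"type": "success_after_failures", "src": ev["src"],
                               "user": ev["user"], "failures": len(q), "at": ev["ts"]})
            q.clear()
    return alerts


# Constructed sample log: one source guessing five accounts in 15 seconds and then
# getting in as jsmith; a second source with one typo and then a normal login.
LOG = """\
Jan 14 10:00:01 bastion sshd[2190]: Accepted publickey for svc-backup from 192.0.2.10 port 40110 ssh2
Jan 14 10:01:02 bastion sshd[2201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Jan 14 10:01:05 bastion sshd[2202]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Jan 14 10:01:09 bastion sshd[2203]: Failed password for invalid user oracle from 203.0.113.5 port 51024 ssh2
Jan 14 10:01:12 bastion sshd[2204]: Failed password for invalid user test from 203.0.113.5 port 51025 ssh2
Jan 14 10:01:16 bastion sshd[2205]: Failed password for jsmith from 203.0.113.5 port 51026 ssh2
Jan 14 10:01:20 bastion sshd[2206]: Connection closed by 203.0.113.5 port 51026 [preauth]
Jan 14 10:01:24 bastion sshd[2207]: Failed password for jsmith from 203.0.113.5 port 51027 ssh2
Jan 14 10:01:30 bastion sshd[2209]: Accepted password for jsmith from 203.0.113.5 port 51040 ssh2
Jan 14 10:05:00 bastion sshd[2300]: Failed password for jdoe from 198.51.100.7 port 60001 ssh2
Jan 14 10:07:30 bastion sshd[2301]: Failed password for jdoe from 198.51.100.7 port 60002 ssh2
Jan 14 10:07:35 bastion sshd[2302]: Accepted password for jdoe from 198.51.100.7 port 60003 ssh2
"""

if __name__ == "__main__":
    for a in detect(LOG.splitlines()):
        print(a)
```

The second alert type is the one to page on: a burst of failures is noise on any internet-facing host, but a success from the same source minutes later means containment (disable the account, block the source, pull the session) has to happen now, not at the next shift change.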
There is a lot we can learn from the recent data breaches, especially when we examine the actions the breached enterprises are taking after the breach. The recommendation I recently gave to my team was to use the breaches we are hearing about in the news, combined with our own assessment of the weaknesses in our environment, to garner support to take those actions we know we need to take NOW – let’s not wait for the breach to happen! I would challenge all of my security friends to do the same.