Here is yet another data breach headline, published yesterday (July 1, 2015) by Brian Krebs. Here is the link to the article.
Who is the latest victim? None other than The Donald himself. It seems the banks uncovered a trail of credit card fraud leading right back to Trump Hotel properties. This one has apparently been going on since Feb. 2015.
We’re early in the cycle of this latest sensational data breach, but they all follow the same pattern. Watch for it with this one. Here’s how they unfold.
- Lax or dysfunctional management ignores all the warnings about potential IT security problems. Those techies – all they want to do is spend money on tech toys. We sell hammers or hotel rooms or clothes. Or we’re a Government HR department. Or we make movies. We’re not a tech company.
- A sensational news story hits the wires. Millions of credit card numbers stolen! Personal information stolen by the Chinese! Fortune 500 company brought to its knees!
- The CEO or other leader of the breached organization puts out a press release. “We take our customers’ privacy seriously.” The press release includes a generous offer of worthless free credit monitoring for potential victims for a year.
- PR teams gear up as leaders in the breached organization fill the airwaves with excuses and all the important steps they’re taking to mitigate this breach. They use words like “sophisticated” and “criminal syndicate” or “nation state” to describe the attackers.
- Columnists and bloggers express outrage. (That’s what I’m doing right now.)
- Lots of people share commentary about how awful this all is and the poor state of our security. But nobody shares any specifics about conditions leading up to the breach, how the bad guys penetrated the victim organization, or the get-well steps. (I saw one exception to this in a KrebsOnSecurity.com post about the Sally Beauty breach.)
- Embarrassed Boards of Directors and other VIPs outdo themselves with knee-jerk reactions as they pour a fortune into closing the barn door after the horses have already escaped.
- Sometimes, a major news magazine does an in-depth story about the personalities involved at the victim company a few months later.
- The story eventually fades away and the public is left to believe that breached companies are helpless victims of sophisticated criminal syndicates or nation-state sponsored terrorists. There’s nothing anyone could have done about it.
Don’t believe this crap for even one second. Every single sensational data breach we’ve read about was preventable. Every single one.
Want to fix the problem instead of putting out CYA press releases? Here’s what needs to happen – and it doesn’t cost a fortune.
First, a tactical step: Improve the topology. Put the most valuable systems behind an internal firewall with a white list and log access to it. Notify the right people if the systems holding that critical data try to communicate outside the white list. I have something to gain here because I build firewalls based on open source technology – re-branded as software defined perimeters because the concept of “firewall” is rapidly becoming obsolete. My SDP appliances can compete with any system from any manufacturer and win. Here is some more information.
Second is vigilance. When we peel back the onion layers on these breaches, we find too many people asleep at the switch. Or nobody minding the store. Pick your metaphor. The Chinese run rampant through the US Office of Personnel Management network and nobody notices traffic flying to China? What’s up with that? The North Koreans run rampant through Sony Pictures and nobody notices? Let’s call this what it is – carelessness from the people who should know better.
And that leads to the third step: Openness. This is counter-intuitive, but organizations should publish what they do for security. This doesn’t mean give away passwords and encryption keys. But publish their standards and methods. In detail. Present at conferences, do media interviews, and open up to community scrutiny. This is a departure from traditional large organization operating procedure and I can already hear the screams of agony: “If we tell the world how we do security, then everyone will know and it will be worthless!”
I answer that with a question: “Given recent sensational data breach headlines, how’s the current operating procedure working out?” Right now, only the bad guys know the relevant details and they’re plundering us. So level the playing field. Open it up. The surviving encryption methods are all open and well-known. And hardened because they’ve passed a gauntlet of public scrutiny. Business and government should take a lesson.
Do those three things and IT security will naturally gain the attention it needs at the top levels of business and government and appropriate investments will follow.
Finally – want to read a fiction novel with a realistic story about how a sensational data breach unfolds? Check out my new book, Bullseye Breach.