Reactive Security: Feel the pain in 2011+
We are only one third of the way into 2011, but we have had some of the largest information security breaches of the decade – and the trend does not appear to be slowing down.
Here are just a few of the biggest reports for the year:
These attacks are coming so fast and furious, that people don’t have time to digest the impact of the first one before the next one is upon them.
For example: Only a few weeks have passed, but for most people, the Sony Playstation Network breach has completely overshadowed the Epsilon breach, which had been the biggest topic of the past month.
Verizon recently released its annual data breach report, and it notes that there are more attacks, even as the amount of data being stolen is diminishing. Although the report suggests that attackers are turning toward smaller targets, I expect that we’re going to continue to see some big names getting hit, because that is where the bulk of the data resides.
The SMB market also needs to make information security a top priority. As small and mid-sized businesses automate more of their operations and make use of cloud computing and outsourced providers (or even keep things in-house, but hosted on centralized systems), they become juicier targets. Let’s not forget that many automated attacks still take place on the Internet, so it’s not likely that an attacker cares who you are before they exploit the <insert name of application> vulnerability which exists on your website.
The big boys of the industry have to beware as well. Targeted attacks have been growing for about 5 years, and the malware/intrusion market is growing rapidly. There is simply too much to be gained from these attacks, whether in the way of email addresses for spamming or phishing, or financial data for a variety of uses. Consider this semi-successful spear phishing attempt against Condé Nast.
Presumption of Security…
There is this prevailing notion that the larger organizations in any industry have the budget and the process to address proper information security. This is typically emphasized by various service providers to persuade potential clients that they will be a better custodian of their client’s data because they are better equipped to secure it properly.
Yeah, well, theory and reality are not always in harmony. Even organizations which should put Information Security and Risk Management at the forefront of their operations typically put it somewhere behind performance and functionality. As business and personal consumers, we want to be secure, but we don’t want to pay for it, and we don’t want to have to change any of our habits in support of it. In short, we value price, convenience and functionality far more than we value security.
Newsflash: This is just as true for large organizations as for small ones.
I found it interesting that both RSA and Sony made references in their post-breach communications about “beefing up security”. Excuse me? Does this mean that you were following best practices and something new happened, OR does it mean that you weren’t doing everything you could already have been doing given the type of data being maintained and the risks that you *should* already know about?!?
The former is excusable. We know that security is something we have to keep up with, because there is no permanent secure state so long as the system has legitimate paths of access. But to be lax about best practices and get burned by them… Especially for RSA, which is a security company…
Word to the Wise…
Please bear in mind that this trend of attacks is not going to diminish anytime soon. As more and more businesses come online, and more consumers go mobile, and more personal data is stored centrally for marketing and ecommerce purposes, you can expect that the attacks will increase – and that they will come from multiple vectors. We are growing ever interconnected, and this provides advantages to us for our own data, as well as advantages to the bad guys for our data.
And they are making real money from this, which they are diligently putting back into improving their techniques – at a rate that currently surpasses what we are willing to spend to counter those attacks. More importantly, we are largely unwilling to change our behavior to improve our security posture.
We are after impact-less security, and we are only willing to apply such security after the fact – once the horse has effectively left the barn.
There are some key principles of information security that should never be forgotten or overlooked:
- Proper security always costs less when implemented up front. It needs to be a part of the business and technology strategy from the very beginning.
- Security is more insurance than investment. It is largely about protecting your revenue, rather than generating new revenue.
- If you are not regularly evaluating the efficacy of your security, then you don’t really have any. If you cannot monitor it, it does not really exist.
- There are soft dollar costs of a breach (reputation, breach notification, legal fees, time for investigation) which no one ever remembers to include in their calculations.
- A single security incident can totally erase all the cost savings you experienced for the past x years of not having a security tool in place.
I’ll expand on these in a future article. In the meantime, don’t wait until you are attacked before you put the right things in place, and don’t try protecting yourself in 2011 using techniques from 2006. Things have changed, and you need to adapt accordingly. This is true for small AND large businesses.
If you wait until an incident before you determine if your security posture is really up to snuff, it may be too late for you in terms of immediate hard dollars, increased scrutiny, damaged reputation, and overall distraction.
This may be the year that we finally understand that reactive security is simply too expensive for business. Hopefully.