No cybersecurity defense is complete without breach detection and a response plan.
We wrote last week about the threat ransomware poses to your business, and strategies you can use to prevent your system from being compromised. While ransomware can grind your business to a halt by holding your data hostage, there is one way in which it is less dangerous than other malware: it makes itself known right away.
Ransomware usually only remains hidden on your network long enough to spread itself to other areas of your system. Once it has propagated, it initiates the encrypt-and-ransom sequence which makes it so dangerous. But malware that is designed to steal your data benefits from remaining undetected. The longer it can remain hidden within your system, the more information it can leak to its creator.
Because of this, it isn’t enough to have strong safeguards in place against a security threat. You also need systems in place that will monitor your network and alert your team to unusual activity. This is one of the key lessons of the Equifax breach, which provides an excellent case study of all the things that can go wrong in a massive security leak.
What you can learn from the Equifax breach.
The Equifax data breach began in mid-May, 2017, but was not detected until July 29th—a full two and a half months later. In that time, hackers stole personal information for over 145 million United States consumers, and potentially the data of several million more consumers in the U.K. and Canada. The full ramifications of this breach on those affected are as yet unknown, but the stolen information is enough to fuel untold cases of identity fraud.
There were several factors which led to the Equifax security breach. The initial hack targeted a flaw in the Apache Struts web application framework. Although the Apache Struts project had released a patch in early March to address this weakness, Equifax still had not installed the update by the time their network was compromised in May.
The data leak was made worse by Equifax’s poor system segmentation and inadequate encryption of sensitive data. And, of course, Equifax’s failure to detect the security breach for over two months gave the hackers extra time to gather and use the data with no one the wiser.
Anyone familiar with the WannaCry hack will recognize the theme of malware exploiting a flaw in software that hadn’t been updated with the appropriate security patch. Proper encryption, firewalls, and access controls between networks can also keep a compromise at one weak point from spreading through the rest of the system.
But without breach detection software, all these measures are like locking your door and leaving on vacation without enabling your security alarm. You might deter some burglars, but the determined thief can break in and be long gone before you notice.
Deploy real-time monitoring software.
The tools you use to detect a cybersecurity breach will be critical in mitigating the threat before it spreads through your system. Fortunately, newer software can deliver information about sustained attacks in a manner that is easier for your security team to prioritize and interpret.
Old malware detection software tended to deliver incident reports that were poorly organized and contained little prioritization. Employees whose job it was to monitor these reports quickly found themselves lost in a sea of alerts without many good ways of differentiating the real threat from the many false alarms.
Modern breach detection software can look for larger patterns that might signal a more significant threat, and then deliver security alerts that highlight the most suspicious activity. This might include computers or Internet connections that seem unusually slow, unexplained activity during off hours, files being renamed, moved, or installed without reason, or irregular outgoing data.
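As an added illustration, not part of the original article or of any product it describes, the following Python sketch scores a few constructed per-host log records against the indicators listed above (off-hours activity, irregular outgoing data, mass file renames), using each host's own median outbound volume as its baseline and ranking the alerts so the most suspicious activity comes first. The events, hosts and thresholds are made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry, one record per host per hour:
# (timestamp, host, outbound_bytes, files_renamed). Not real data.
SAMPLE_EVENTS = [
    ("2017-06-01T10:00", "ws-12", 40_000_000, 3),
    ("2017-06-01T11:00", "ws-12", 38_000_000, 1),
    ("2017-06-01T14:00", "ws-12", 42_000_000, 2),
    ("2017-06-02T02:00", "ws-12", 900_000_000, 4),   # off-hours spike in outbound data
    ("2017-06-01T09:00", "db-03", 5_000_000, 0),
    ("2017-06-01T13:00", "db-03", 6_000_000, 0),
    ("2017-06-02T03:00", "db-03", 5_500_000, 0),     # small off-hours job: low priority
    ("2017-06-01T15:00", "fs-01", 20_000_000, 2),
    ("2017-06-01T16:00", "fs-01", 21_000_000, 850),  # mass rename during business hours
]

BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 counts as normal working time (assumed)

def score_events(events, bytes_ratio=5.0, rename_threshold=200):
    """Return prioritized alerts as (score, host, timestamp, reasons).

    Each host's median outbound volume is its own baseline, so a busy
    server is not flagged merely for being busy; only a large jump above
    that baseline counts. Indicators on the same event add up, which pushes
    correlated activity (off-hours plus a large transfer) to the top.
    """
    by_host = defaultdict(list)
    for _ts, host, out_bytes, _renames in events:
        by_host[host].append(out_bytes)
    baseline = {h: sorted(v)[len(v) // 2] for h, v in by_host.items()}

    alerts = []
    for ts, host, out_bytes, renames in events:
        reasons, score = [], 0
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            reasons.append("off-hours activity"); score += 1
        if out_bytes > bytes_ratio * baseline[host]:
            reasons.append(f"outbound {out_bytes / baseline[host]:.0f}x above host baseline"); score += 3
        if renames >= rename_threshold:
            reasons.append(f"{renames} files renamed/moved"); score += 2
        if reasons:
            alerts.append((score, host, ts, reasons))
    # Highest score first, so the analyst sees the most suspicious activity at the top
    alerts.sort(key=lambda a: (-a[0], a[2]))
    return alerts

if __name__ == "__main__":
    for score, host, ts, reasons in score_events(SAMPLE_EVENTS):
        print(f"[{score}] {host} {ts}: {'; '.join(reasons)}")
```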
Cybersecurity employees will also need training to understand the significance of these warnings. With cyberattacks growing ever more sophisticated, it takes an increasing level of knowledge to recognize an attack and respond accordingly.
Pay attention to recent developments.
Cybercrime and cybersecurity are in an arms race for control of your network. As fast as cybersecurity companies develop new strategies and defense systems, hackers are working to undermine them. This means you can’t just install a system once and expect it to last indefinitely. Unless you proactively update your systems to respond to new threats, your security systems will quickly lose their usefulness.
The fast pace of technological change compounds the problem. Every new tool carries with it the possibility of a security breach. And as businesses become more reliant on IoT technology, hackers will have more ways to access data—as happened just a few months ago when hackers accessed a casino’s network via the software it had been using to regulate its fish tank. To stay secure, businesses should run a security assessment of new technology before they grant it access to their system.
In other words, businesses should focus their resources on staying at the forefront of cybersecurity measures, but may want to hold off on adopting cutting-edge technology until the software has been user-tested and some of the bugs worked out.
Don’t make a Titanic mistake.
Have a protocol in place for when a breach happens—not because it will happen, but because failing to plan for one is foolish. This is, after all, the lesson of the Titanic: no ship is so unsinkable—and no cybersecurity defense so impenetrable—that you can afford not to plan for a breach.
Again, one of the major failures of the Equifax leak was the long delay between their own discovery of the breach and their public acknowledgment that a breach had taken place. This delayed the criminal investigation into who was behind the attack, and it prevented those whose data had been stolen from taking appropriate countermeasures.
An appropriate response plan notifies both the people most capable of handling the security threat, and those most at risk from it. It also ensures that any individual who receives an alert knows what their role is in handling the problem. Your business may be required to include several other precautions in its defense plan if you fall within certain industry compliance regulations.
Don’t become the weak link.
It would be hard to overstate the consequences of a security breach for both businesses and their consumers. Corporate data theft can compromise a business’s economic advantage, while an individual’s identity theft can have ramifications that affect them for years. Meanwhile, companies which are responsible for such a leak due to negligence can face litigation for failing to follow sound cyber defense procedures.
The Department of Defense has recognized the cost of these leaks, and has issued new requirements stating that all contractors and subcontractors must meet NIST SP 800-171 compliance standards by the end of the year. These protocols provide guidance for businesses on how to handle and store sensitive information, how to control access to that information, and how to report security breaches should they occur.
If your business contracts with the DoD, or subcontracts on DoD projects, these standards apply to you. Brightline can help you understand the new regulations, and we can work with you to achieve compliance. Download our NIST white paper to learn more.