Breach Prevention Is Dead, Encryption Is King


BLOG: Gemalto’s Jason Hart says businesses need to turn attention towards ‘secure breaches’

It’s time that executives and information security professionals accept that their companies will be breached, and start thinking outside the box when it comes to data security. To deny this is to refuse to accept reality.

Indeed, based on what happened last year, 2014 should go down as a tipping point for how companies approach data security for years to come.

Some of the biggest companies in nearly every major industry were breached in 2014, from Moonpig and JP Morgan Chase to Sony Pictures.  According to the Breach Level Index, there were 1,540 reported data breaches worldwide last year, nearly a 50 percent increase compared to 2013.

Inevitable breaches

What’s even more troubling is that the amount of information being stolen has increased dramatically. Nearly one billion data records were either lost or stolen last year, representing a 71 percent increase compared to 2013.

The reality is that no matter how much money and time is spent protecting information and assets, cybercriminals will always find a way past perimeter defences.   Last year, we had more than 1,500 examples of this.

They targeted vendors in order to insert malware in retail companies’ point-of-sale systems.  They went after employees with social engineering attacks and stole corporate log-in credentials. The list goes on and on, and with increasing frequency and effect.  Here is a statistic to consider.  The number of data breaches involving 100 million customer data records or more doubled in 2014.

Yet, despite the growing size of data breaches, the vast majority of companies still rely on breach prevention as the foundation of their information security strategies. This means they focus on building walls around the data with perimeter security technologies and monitoring those walls for intruders. Unfortunately, this approach has not been working very well. Maybe it’s time for a change.

A New Mindset for Data Security

How do we change the status quo and usher in a new era of the ‘secure breach’: an approach to security that keeps valuable assets secure even after hostile intruders have penetrated the perimeter?

First, companies need to understand why they are not winning the war against hackers and cybercriminals. The reason is that they stubbornly adhere to Einstein’s definition of insanity: doing the same thing over and over again and expecting a different outcome. In this case, that same thing is responding to breaches by investing disproportionate sums of money in perimeter defences in a futile attempt to prevent breaches.

Second, companies should stop pretending they can prevent a perimeter breach. They should accept this reality and build their security strategies accordingly. Admitting a problem is the first step on the road to recovery.
It’s very likely that companies are spending 90 percent of their security budgets the same way they did back in 2005, which undoubtedly focuses on perimeter and network defences.

Now, this isn’t to suggest that organisations should stop investing in key breach prevention tools. What they need to do is place their bets on strategies that protect their most valuable assets. Just like the military, IT should always assume it is operating in a compromised state.

The third step is protecting your company by making it so difficult for cybercriminals to access what they crave that they give up and move on to someone else. In business terms, you create a very poor return on their investment in trying to steal your data. However, you don’t do it by building a bigger wall around your house. Cybercriminals will simply build a bigger ladder.

Encryption

So, how do you do this? First, you put yourself in the mindset of your adversary and understand what they want to steal from you – and this is always your data. From there, you’ll quickly realise that security must be moved closer to what really matters – the users who access the data and the data itself. Obviously, this means stronger user access controls and encryption.

Multi-factor authentication and user access controls ensure the identity of the user and restrict access to data only to those individuals who have the rights to it.

Ultimately, however, it is encryption that is the real ROI killer for any would-be attacker. By attaching the protection to the data, you’re killing the value of the data once a breach has taken place, and you’ve made the breach largely benign since no data has truly been compromised.
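The point above, that protection attached to the data itself leaves an attacker who dumps the store with nothing usable, can be shown concretely. The following Go program is an added example, not code from the original post or from Gemalto: it encrypts each sensitive field of a constructed customer table with AES-256-GCM under a key that is held apart from the data store, binds each ciphertext to its row identifier, and then models a breach as a copy of the stored bytes. The record layout, the `Seal`/`Open` helpers and the sample values are assumptions made for the illustration; a real deployment would keep the key in a KMS or HSM rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Record is one row of a hypothetical customer table. Only the sensitive
// column is encrypted; the identifier stays in the clear so the application
// can still look rows up.
type Record struct {
	ID         string
	Ciphertext []byte // nonce || AES-GCM ciphertext || authentication tag
}

// NewKey generates a random 256-bit data-encryption key. In a real deployment
// this key lives in a KMS or HSM and is never stored beside the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key, using the record ID as associated data so
// a ciphertext cannot be silently moved from one row to another.
func Seal(key []byte, id string, plaintext []byte) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Record{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(id))
	return Record{ID: id, Ciphertext: append(nonce, ct...)}, nil
}

// Open decrypts a record. It fails if the key is wrong, the stored bytes were
// modified, or the ciphertext was copied onto a different record ID.
func Open(key []byte, r Record) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(r.Ciphertext) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, r.Ciphertext[:ns], r.Ciphertext[ns:], []byte(r.ID))
}

// Exfiltrate models what an attacker who dumps the data store obtains: the
// stored bytes, and nothing else. The key is not part of the store.
func Exfiltrate(store []Record) []Record {
	dump := make([]Record, len(store))
	copy(dump, store)
	return dump
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample data for the illustration, not real customer records.
	samples := map[string]string{
		"cust-001": "4111 1111 1111 1111",
		"cust-002": "5500 0000 0000 0004",
	}
	var store []Record
	for id, secret := range samples {
		rec, err := Seal(key, id, []byte(secret))
		if err != nil {
			panic(err)
		}
		store = append(store, rec)
	}
	// A breach of the data store yields only ciphertext.
	for _, r := range Exfiltrate(store) {
		fmt.Printf("%s: %s\n", r.ID, hex.EncodeToString(r.Ciphertext))
	}
	// The application, which holds the key, still reads its own data.
	pt, err := Open(key, store[0])
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted %q for %s\n", pt, store[0].ID)
}
```

Two design choices matter here. The authentication tag means a stolen copy cannot be altered and fed back into the system undetected, and binding the row identifier as associated data stops an attacker with write access from reassigning one customer's encrypted value to another. What the example does not solve is key management: if the key is stored next to the data, the breach carries it off too, which is why the text's "attach the protection to the data" only works when the key sits outside the data store.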

If more companies moved away from breach prevention toward securing the breach with encryption, then more consumer data and sensitive information would be safer and breaches would not be so serious a matter.

Jason Hart is vice president of Cloud Solutions for Identity & Data Protection at Gemalto