Written by Kevin L. and Kody T. McLaughlin
If you are a cyber security professional, do you get as mad as I do when you read and hear, over and over again, that cyber security professionals don't have enough talent, skills, or business acumen to effectively secure systems? I say bull! That's right, bull! In wargame after wargame I have observed that the defending team must keep an unused port open, or leave a small exploitable vulnerability on their systems, so that the attackers have a chance and the games stay interesting. What that tells me is that many of us know what to do and have the skills to do it, but there are organizational blockers that prevent us from effectively securing the systems we are trusted to safeguard. Until we change the business culture into one that gives cyber security professionals the latitude to mandate that system baselines are maintained, that critical vulnerabilities are remediated immediately, that unused ports and unused services stay off, that comprehensive logs are sent to a security tool for analytics, and so on, we will continue to see data breaches reported on practically a daily basis. Organizational data breaches are becoming too common and too severe to ignore. Already this year we have seen:
- A breach of 56 million credit cards at Home Depot
- 4.5 million patient records compromised at Community Health Services
- A breach of over 216 stores at Jimmy John’s
- The discovery of a two-year breach of 82,600 patient records at Aventura Hospital and Medical Center
- 1.4 million TripAdvisor customers compromised
- A Neiman Marcus breach of 350,000 cards
- A breach of 868,000 cards from 330 stores at Goodwill
Oh well, at least at the end of the day we can forget about these breaches and unwind with a few video games. That is, of course, as long as they aren't games like Destiny and Call of Duty, which hackers DDoS'd with little effort.
The bulleted items above are just the high-profile incidents. Numerous smaller companies have also been compromised. Yet companies still refuse to believe that this could happen to them. According to the Ponemon Institute, 43% of companies had a data breach in the past year. It is time for companies to realize that the cyber threat isn't some bogeyman in the closet; it is a real and increasingly present threat.
These threats come with real consequences. According to a report published by IBM, the average cost of a cyber breach is $201 per compromised record. That averages out to $5.9 million per breach, with some breaches exceeding $21 million. The IBM report also suggests that customers and investors are increasingly unlikely to continue doing business with an organization that has had a breach.
Breaches also bring legal battles. Right now, Home Depot is caught in a firestorm of suits, one of which seeks $450 million for negligence.
It is a sad state of affairs that information security teams appear woefully incapable of keeping up with the increasingly prominent and advanced cyber threat. This isn't due to a lack of knowledge or talent but to a lack of influence within their organizations. It is too easy and too common for companies to hire CISOs and large security teams to make themselves feel safe, and then, when those teams want to change policies or procedures or add security controls, to shun and ignore them because of the inconvenience associated with securing systems. Or, and this appears to be the non-security business executive's number one trump card, these CISOs and their teams are told "you just don't understand the business," which really means that the business executive doesn't understand or believe the security analysis. Worse, in most organizations these cyber security teams have no power to mandate that appropriate action be taken to secure organizational systems. When organizational charts put the CISO underneath executive decision makers, instead of high enough to warrant a chair at "the big kids' table," it is extremely difficult for security teams to make a meaningful change in their organization's security posture. Until security teams are given the authority they need to be effective, these daily breaches will continue.
Sources:
- http://www.theregister.co.uk/2014/09/23/call_of_duty_lizard_squad_ddos/
- http://www.latimes.com/business/technology/la-fi-tn-community-health-hacked-20140818-story.html
- http://krebsonsecurity.com/2014/09/jimmy-johns-confirms-breach-at-216-stores/
- http://krebsonsecurity.com/2014/09/home-depot-56m-cards-impacted-malware-contained/
- http://healthitsecurity.com/2014/09/16/aventura-hospital-reports-82601-patients-data-breach/
- http://www.cnbc.com/id/102027979
- http://www.bankinfosecurity.com/home-depot-faces-canadian-breach-suit-a-7351
- http://www-935.ibm.com/services/us/en/it-services/security-services/cost-of-data-breach/