DATA CENTERS

11/26/2014, 8:00 AM

Network Security Must Focus On Incident Response

Enterprise security strategies need to plan for the inevitable data breach, security experts say.

A successful network attack isn't a matter of if -- it's a matter of when. This is the approach enterprises should take in their information security planning, according to top experts.

"The more connected you are, the more risk you have. There's no way around it," Sean Mahoney, a partner at K&L Gates, told a roomful of compliance and privacy executives at the recent NRS Technology and Compliance Communication Forum in Boston.

"You're constantly looking at risk, and you're constantly accepting residual risk," Christopher Perretta, executive vice president and CIO of State Street Corp., said at the annual Advanced Cyber Security Center conference in Boston this month. Companies need to understand what happens if that residual risk comes to fruition.

This idea of risk acceptance and, therefore, risk management is important because of the sheer number of attacks enterprises face and the devastating consequences of successful attacks.

According to a 2014 Ponemon Institute study on the cost of data breaches, an organization has a 22% chance of experiencing a data breach impacting at least 10,000 customer records in the next two years. The chance of experiencing a breach impacting at least twice that many records in the next two years -- nearly 17% -- is greater than the chance of rolling a given number on a six-sided die.

Experts said enterprises need to be prepared when their number comes up, for these breaches are not limited to the lazy and the negligent.

Former US Homeland Security Secretary Michael Chertoff, now working as a security consultant, said in a keynote at the ACSC conference that some enterprises with the most advanced security are breached repeatedly. "How do you deal with the fact that you are going to be breached?"

Chertoff recounted a particular security assessment he was asked to do shortly after starting his security firm, the Chertoff Group. The client spent time boasting of the organization's physical prevention measures during the assessment. "They were in the process of building a big wall, and they had cameras and sensors." He asked the client what the organization would do if someone came over the wall. The client's response? "We hadn't thought about that."

He proceeded to ask the client imperative questions relevant to a security breach, such as where dangerous materials within the facility were located (to assess how they would be protected). "What I think they learned through this process was that all of the sensors only made sense [with] training and exercise of [a] consequence management plan."

Mahoney said an incident response plan recognizes that "even if you do everything right, there's still a pretty good chance that you're gonna get hit." Also, "whatever you drill for won't happen… but you'll learn a whole lot in the process -- how people work together, how different people interact -- and that can be useful in itself."

Experts said redundancy -- particularly in terms of data backups and machine imaging, as well as backup power generators and redundant IT infrastructure -- is central to a good incident response plan. These redundancies and backups are important not only in terms of disaster recovery, but also in terms of compliance and public relations.

If a device goes missing or a data breach occurs, and it's not clear what specific data was compromised, various laws -- depending on the industry and jurisdiction -- compel disclosure of the breach in a major newspaper of general circulation.

Mahoney put the problem more simply: "You can't answer any [questions] unless you know what data's affected."


Comments

perimeter security

Security experts have been saying for quite a while that perimeter security is broken. Incident response plans are critical in this era of escalating attacks, and they also need to be tested, as Mahoney notes.

Re: perimeter security

Sounds like companies need to make sure that Incident Managers are responsive enough; I guess more precise training would help a lot here.

Re: perimeter security

@Marcia: The term Chertoff used at one point was "M&M security" -- hard on the outside, soft in the middle.

Re: perimeter security

Testing is so important. It's important in all aspects of disaster recovery. What good is a response plan if it fails when you have a real breach?

Re: perimeter security

I believe education for end users and IT staff is the best remedy here; we need to make them understand the importance of security measures and of quick response to network security incidents.

Re: perimeter security

Adequate training does two things here: prevention and quick response. Certain lapses are often caused by misguided employees who should have known better. At the same time, proper procedures can help mitigate the effects of a breach. All of this, of course, follows the assumption that the procedures being taught are foolproof. More often than not it's the holes in the procedure that get exploited.

Re: perimeter security

@Sherly: I have seen a couple of companies conduct online WebEx sessions and web-based trainings, but not all employees attend these sessions, keeping the perception that they are not part of IT and are not required to attend. Companies need to share some kind of mandate notice in order to enable their employees for such kind of response.

Re: perimeter security

Apparently there aren't enough generations that grew up on the Internet and smartphones to curb this type of thinking. IT and network security is not just a department concern anymore. Sure, an entire department is still necessary for maintaining a vast array of equipment and resources, but regular employees can be vulnerable if they are not properly briefed. The fact that a huge percentage of employees still use names and birthdays as passwords continues to be alarming.

Re: perimeter security

One strategy I've heard that's effective in getting end users to pay attention to corporate cybersecurity training is to make it personal -- e.g., bring the training home by showing how easily their personal information can be breached. If the training just lectures them about protecting corporate data, they're more likely to tune out.

Re: perimeter security

"One strategy I've heard that's effective in getting end users to pay attention to corporate cybersecurity training is to make it personal -- e.g., bring the training home by showing how easily their personal information can be breached. If the training just lectures them about protecting corporate data, they're more likely to tune out."

Marcia, safety and security is in the users' hands. About 95% of security issues/breaches are happening due to the negligence of users, so proper cyber security education is very important. This will help the users make sure that they are not compromising in terms of security.

Re: perimeter security

Mynet, I agree that cybersecurity education for end users is critical, but I'm not sure it's always user negligence that causes security problems. Some of the social engineering used by attackers to trick users into opening malware-infected attachments is pretty sophisticated. 

Re: perimeter security

" I agree that cybersecurity education for end users is critical, but I'm not sure it's always user negligence that causes security problems. Some of the social engineering used by attackers to trick users into opening malware-infected attachments is pretty sophisticated. "

Marcia, I didn't mean 'always'. The majority of incidents happen due to user negligence, and the incident you mentioned is also happening by user negligence. If he/she didn't open it, nothing would happen. I mean he/she is on the safer side.

The question is When

Great article. It really is a question of when you will have a data breach, not if. How quickly you can detect that you are having a data breach will be key to how fast you can recover from it.

Expecting walls can be breached

I was under the impression that as long as you put up walls high and thick enough, that would be the extent of one's security. Several events have taught everyone that sooner or later there will be ways to go around and under walls and contingencies in order to acquire data. It is as if the threat is as high as, or maybe even more frequent than, real-world risks.

Re: Expecting walls can be breached

Network infrastructure assessment goes beyond merely setting up high hurdles for entry. With the latest breach varieties, market dynamics, POS systems and general retail information are all under threat. So it is important to know that storage, for a start, must be dynamic, capable of restore and DR at a moment's notice, with enough backup options to not warrant a total outage, and regular auditing and compliance rain checks. Besides, in this day and age of IoT, knowing your network topology, remote installation factors, and generating assessment reports at every point when a service expires (or is returned) are imperative to keep tabs on your wider ambit of network solutions. bit.ly/1tT5OLu - this is a fine starting point.

Re: Network Security Must Focus On Incident Response

This is something we've been hearing about from consultants and speakers for a while, and I'm inclined to agree wholeheartedly. In fact, more than anything else, the continued discussion begs the question: "why aren't people following this advice?" Maybe clearer standards need to exist - for example, lots of people seem to be preparing for targeted attacks (think of that big wall). Targeted attacks are entirely likely for some businesses (with data that's valuable to attackers), but seem much less likely for the rest of us. The same goes for 'inside job' type breaches and more - companies shouldn't spend disproportionate amounts of effort preparing for unlikely scenarios... especially when, as you say, the likelihood is beyond their control.

I tend to think the ubiquitous social engineering attacks or vulnerabilities in big software other than your own (think Heartbleed) are the much more likely culprits. Likewise, I think lost value is much more likely to be in the form of downtime or the accompanying PR fallout than something with tangible 'value' (some people tend to think competitors are out to steal proprietary code to copy it... sounds pie in the sky to me for 99% of businesses). Therefore, I think you're right on the money, Joe, to suggest that resource allocation to backup, redundancy, and recovery is of equal (maybe greater) importance. These are the parts of security you can control, so you'll thank yourself later if you have a solid plan in place.

The more connected you are, the more risk you have

""The more connected you are, the more risk you have. There's no way around it," Sean Mahoney, a partner at K&L Gates, told a roomful of compliance and privacy executives at the recent NRS Technology and Compliance Communication Forum in Boston."

Joe, yes, you are right. The more connected you are, the more risk you have. The only way to protect yourself is to secure the devices with updated security tools and avoid using untrusted networks.