Microsoft Technical Fellow and renowned cybersecurity expert Mark Russinovich asked a room full of public-sector technology professionals at last week’s U.S. Public Sector CIO Summit how they reacted to the South Carolina data breach last year. Described by Russinovich as not terribly sophisticated, the attack on the state’s Department of Revenue jeopardized 3.6 million Social Security numbers, as well as credit and debit card data for hundreds of thousands of taxpayers.
Not surprisingly, most in the room could sympathize with South Carolina's predicament in the wake of the breach, admitting to some degree of vulnerability in the area of cybersecurity. Russinovich then listed characteristics common to organizations that have suffered a breach: far from being wholly negligent, they typically have several practices in place intended to mitigate their risk.
| Typical Breach Victim |
|---|
| Has several methods of protection in place, including intrusion detection and anti-malware |
| Has a "security event manager" correlating gigabytes of data and responding to hundreds of alerts on a daily basis |
| Often learns of the compromise from other means (for example, South Carolina was notified by the Secret Service, based on data from external signals) |
“The fact is that if you’re in the public sector, you’re as much of a target as anybody else,” Russinovich said, outlining impacts to an organization’s reputation and bottom line. The United States’ cyberstrategy, while not discussed openly, is at a level equal to military operations, he argued.
“We do treat cyber as the fifth domain, so the United States recognizes cyber now as on par with air, land, sea and space when it comes to conflict, and we’re weaponizing it the same way that we weaponize those other domains…” he said. “If there’s a conflict, it’s going to, without a doubt, spill into cyberspace and in fact, most conflicts will probably start in cyberspace with a cyberattack on the opposing party.”
In light of how devastating a cyberattack can be, and how difficult it is to guard against one, Russinovich did offer some practical advice to public sector agencies looking to protect themselves.
1. Identify, isolate and contain high-value resources and accounts. In South Carolina's case, Social Security numbers and some credit card numbers were stored unencrypted. State officials pointed out that encrypting this personally identifiable information was not required of them; Russinovich called the practice common sense, and the state's failure to follow it proved costly. Encrypting the highest-value data, with the key held apart from the data store, is one way to contain the damage when a machine holding that data is compromised.
2. Archive logs and employ other forensic-readiness practices. The South Carolina breach was simple to reconstruct after the fact using forensic evidence, allowing the state's contractor Mandiant to pinpoint the source, the timeline and the compromised machines. Having these practices in place before an incident simplifies the response.
3. Have an incident response plan. “You don't want to be making things up on the fly -- you want to be prepared,” said Russinovich.
4. Do not mitigate piecemeal; quickly execute a holistic plan. Two weeks passed between the announcement of the South Carolina breach and the state's declaration that the vulnerability had been addressed, a critical window that gives attackers the opportunity to entrench themselves deeper within the network.
5. Run drills and "red team" exercises. Test your confidence in your cybersecurity defenses by hiring a penetration tester to look for weaknesses and potential entry points. The process, according to Russinovich, will be eye-opening.
“I think you'll be shocked at how effective they [penetration testers] will be at getting to wherever they want to go, unfortunately," he said, "but you will learn something along the way, and hopefully block some path that an attacker might've taken.”
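Point 1 above, encrypting the high-value fields so that a copied table no longer yields usable Social Security numbers, as an added example that is not part of the original article or anything Russinovich presented: field-level encryption with AES-256-GCM, binding each ciphertext to its taxpayer record ID through the additional authenticated data. The key, the record layout, the record IDs and the sample values are all constructed for illustration; in a real deployment the key would be held in a KMS or HSM, separate from the database it protects.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// newAEAD builds an AES-256-GCM AEAD from a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one PII value (e.g. an SSN). The record ID is passed as
// additional authenticated data, so a ciphertext copied from one taxpayer's
// row into another's will not decrypt. Output is base64(nonce || ct || tag),
// which fits in an ordinary text column.
func EncryptField(key []byte, recordID, plaintext string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. Any modification of the stored value,
// or a mismatched record ID, fails authentication and returns an error.
func DecryptField(key []byte, recordID, stored string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(raw) < ns+aead.Overhead() {
		return "", errors.New("stored value too short")
	}
	pt, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// TaxpayerRecord is a constructed stand-in for a row in a revenue database.
type TaxpayerRecord struct {
	ID   string
	Name string
	SSN  string // holds ciphertext once protected; plaintext never reaches disk
}

// ProtectRecord returns a copy of r whose SSN field contains ciphertext only.
func ProtectRecord(key []byte, r TaxpayerRecord) (TaxpayerRecord, error) {
	enc, err := EncryptField(key, r.ID, r.SSN)
	if err != nil {
		return r, err
	}
	r.SSN = enc
	return r, nil
}

func main() {
	// Hypothetical key: generated here for the demo; in practice fetched from
	// a KMS/HSM and never stored next to the data it protects.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample record.
	rec := TaxpayerRecord{ID: "TP-000123", Name: "A. Taxpayer", SSN: "123-45-6789"}
	stored, _ := ProtectRecord(key, rec)
	fmt.Println("stored row:", stored.ID, stored.Name, stored.SSN)
	fmt.Println("plaintext visible in stored row:", strings.Contains(stored.SSN, "123-45"))
	ssn, _ := DecryptField(key, stored.ID, stored.SSN)
	fmt.Println("authorised read:", ssn)
	_, err := DecryptField(key, "TP-000999", stored.SSN) // ciphertext moved to another record
	fmt.Println("cross-record decrypt rejected:", err != nil)
}
```

Binding the ciphertext to the record ID means an attacker who can write to the table cannot shuffle encrypted SSNs between taxpayers, and the GCM tag means a flipped byte is rejected rather than silently decrypted to garbage. What this does not defend against is an attacker who has taken over the application or service account that legitimately decrypts, which is why the talk pairs encryption with isolating and containing the accounts that can reach the data.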