An industry executive debunks common myths about the data breaches that plague both the private and public sectors.
It seems we hear about another breach every day. While we are in a constant search for a solution, unfortunately, there is no single, simple answer.
But this doesn’t mean we have to accept defeat. One of the first steps is to recognize that many promoted opinions about the cause of breaches and the failures of technology are actually myths. These myths obscure a path to increased security and better risk management. And debunking them is an important step towards improving the effectiveness of our security defenses.
Myth #1: Most threats and attacks are very sophisticated
With today’s APTs (Advanced Persistent Threats), zero-days and sophisticated exploits, it has become fashionable to throw up our hands, feeling helpless. It’s clear that trying to stop these attacks is difficult.
But according to Verizon’s 2013 Data Breach Investigations Report (DBIR), 99 percent of breaches involved techniques that were not considered highly difficult. Most data breaches are successful not because of some new, highly sophisticated form of attack. Rather, they are successful because the attackers found an easy, simple point of entry.
Myth # 2: Network controls are useless since all attacks now are layer 7 application level attacks
While many attack attempts come in via port 80, the port used by Web traffic, it doesn’t mean that existing network security technologies are ineffective. A firewall can be used to stop Web-based attacks. Blocking via IP address, whitelisting IPs, and other firewall configuration management techniques can block many application layer 7 attacks as well. Further, another method of stopping layer 7 attacks is to use a risk management tool to understand the path an attack would take to reach critical assets.
Myth # 3: My technology is slow, old, and obsolete (or all of the above)
How many times have we heard “My computer did not function properly, or my technology was too slow, too old, and out of date?” If there is a next gen tool in a particular category, it is obviously better and makes the previous generation obsolete. We hear about an attack being successful and immediately think we need a new tool or a new technology to stop the new attack.
Typically the technology deployed could have protected you, but it was misconfigured. Misconfigurations can entail a firewall setting allowing traffic to or from a specific IP or via a port that should have been closed. Or there could be a misconfiguration on a server, such as file permissions set incorrectly.
Misconfigurations can also take the form of an endpoint setting that resulted in a patch or remediation not being applied. And something as simple as not having automatic updates turned on could result in a new patch not being applied.
Myth # 4: It’s impossible to prevent breaches; I should just concentrate on response
There is a trend in the security industry that data breaches and security incidents are unstoppable. Instead of applying resources to breach prevention, the tendency is to put resources into incident discovery and breach response. The implications of redirecting significant resources away from prevention toward response is that more breaches will occur requiring more time and effort on detection and response.
Risk management dictates that we manage acceptable levels of risk. While this should not mean dedicating more resources into prevention than the risk is worth, it does not mean full-scale surrender. There is obviously a balance that needs to be struck. If you take basic steps to harden your systems you can greatly reduce your risk of a breach. Again, according to the latest Verizon DBIR, 75 percent of attacks were opportunistic, meaning they were carried out because they were easy and available.
Myth #5: If I keep my systems patched, I can prevent all breaches
Staying on top of all of the software patches released can be daunting. In most organizations, there is a quality assurance process where the patch is tested before implementation. But by the time a new patch is tested and made ready to implement systemwide, there is already another new patch available.
Scanning for vulnerabilities is not as easy as it used to be either. With so many mobile and remote devices, they are not always on the network when you run your vulnerability scan.
Remember, even if you stay on top of your vulnerability management and patching, the weakest link in your defense still sits behind the keyboard. Being socially engineered to give up your password or installing malware could make your hard work for naught.
As mentioned, data breaches are by and large acts of opportunity. Understanding how they occur, and separating the truth from the myths can make your chances of being the next victim of a data breach much less likely. Insight into the state of your network, implementing basic controls and management can decrease the likelihood that your network will be breached. And utilizing security management to manage firewall rules and network security policies along with a risk management solution are some of the best precautions you can take to thwart would-be intruders.
Jody Brazil is the president and CTO of FireMon.