In “2015: A Cloud Security Wake Up Call,” I examined a list of recent, major IT security breaches. Millions of accounts were compromised, affecting dozens of large organizations, including the U.S. federal government. We know that security threats are ever-present and possibly accelerating. The next step is to ask what can be done, and how a new breed of security tools can help.
There are some key takeaways from security breaches, which can lead us to potential security fixes for your business or organization. There is no doubt that in many security breaches, basic security policies and technologies could have stopped the attacks. In many cases, human error or basic security lapses have been identified as problems. There are even tools present to help defend against more sophisticated attacks such as large-scale distributed denial of service (DDoS).
Last year, Verizon released its “2015 Data Breach Investigations Report,” which studied 2,122 data breaches with information coming from 70 organizations. The study found that 96 percent of all attacks fell into nine basic patterns and that the top four patterns involved human error.
These patterns included point-of-sale-intrusion, crimeware, cyber-espionage, insider misuse, Web app attacks, errors, physical theft and loss, DDoS attacks, and payment card skimmers. Verizon’s study estimates that data breaches from 700 million records equates to $400 million in economic damage.
One of the conclusions of the report is that many security breaches are linked to human error or a simple lack of caution over basic security techniques – and that some basic quick fixes can dramatically improve the security of a corporate network.
The Verizon study identified the top “critical security controls” that could be introduced to improve security. Verizon categorized some techniques as “quick wins,” including Web services patches, user lockout after multiple login attempts, mail attachment filtering, limiting ports and services, restricting the ability to download software, and anti-virus software.
In the major security breaches we looked at last year, nearly all of them included hacker techniques that point to a solvable weakness in a security policy. Let’s look at some of the more common ones:
- Encryption: Increasingly, companies are looking to expand the encryption of data, not just across the network but in storage and even on employee laptops that could be stolen or lost. In some industries, such as healthcare, such practices are becoming mandatory.
- Passwords: Many hacks involve password weakness, another problem that can be solved with internal policies and awareness campaigns. Security consultants often find basic failures in password security policy, such as users who share passwords, fail to log off work stations, or use very simple or obvious passwords.
- Anti-virus and attachment controls: A large number of security breaches occur through phishing attacks or malware, both of which use email systems to exploit systems. There is a wide range of technology available to scan and control email attachments and software downloads.
- Two-factor identification: Recently, well known security blogger Brian Krebs published a story about how his PayPal account was hacked on Christmas Eve. He detailed how long it took to track and stop the cause of the attack and how a lack of modern authentication techniques could have been used to protect the account.
These are some of the common weaknesses found in many of the security breaches you read about in the headlines. Some of them share several of the same weaknesses. One of last year’s most visible attacks, millions of customer accounts compromised at healthcare provider Anthem Inc., is still being investigated. Anthem spends $50 million a year on security technology and says it did nothing wrong, according to published reports. But some security experts have pointed out that two-factor authentication was not used on all of Anthem’s systems; it did not employ a monitoring system that could detect an unusual outflow of data; and it did not use adequate encryption, according to a story in the Indianapolis Business Journal. Anthem officials told the San Jose Mercury News that more encryption could not have prevented the breach because an administrator’s account was hacked.
In the aftermath of a well publicized attack, companies scramble to point their finger at the bad guys and defend their systems, but the fact is that most organizations have security weaknesses that could be plugged. The evidence, including Verizon’s report and the experience of many security experts, shows that many security breaches could be stopped with effective security policy and technology. Organizations should examine their policies and strategies and evaluate whether they’re missing any of the basic weaknesses that could provide the hole for the next security attack.