Thirteen years after one of the most horrific terrorist attacks on America, I have to ask myself "do I feel any safer?" Like you, I’m sure, the answer is "no." On the other hand, the risk I feel now has less to do with a physical attack and more to do with information security cyber-attacks. Our government officials are confirming on a regular basis that hostile governments continuously "test" our information security systems for holes as our government servers are attacked daily. The majority of these cyber espionage attacks come from governments who would suffer if our economy were to be crippled—so the objectives are to steal intellectual property much like the Cold War.
Of course, we are all aware of breaches motivated by financial gain—individually threatening certainly, but not designed to destroy the system providing the hands they steal from.
The final group, "hacktivists" seek to harm organizations based on their corporate ethical behavior—either individually or as a part of a coalition. Hacktivism, for those who don’t know, is the use of computers and computer networks to promote political ends, chiefly free speech, human rights, information ethics, and disruption. It is carried out under the premise that proper use of technology can produce results similar to those of conventional acts of protest, activism, and civil disobedience. Disturbing, but not a national security threat.
In 2001, I was still trying to convince business editors that the potential for cyber-criminal attacks on banks was impending. To a publication they said, "I won’t cover what hasn’t happened. Call me when one happens and I’ll cover it."
Looking ahead, I am concerned that it is only a matter of time before organizations like ISIS achieve the capability to launch the kind of cyber-attack similar to Stuxnet that would cripple our infrastructure (utilities, energy, and banking). Will we be ready? "Google" that question and you’ll see what I suspect.
Information Security Areas of Concentration
Whether you are charged with the security of a country’s critical infrastructure or your corporation’s critical data, the vectors of attack remain the same. In fact, the recently released Verizon 2014 Data Breach Investigations Report decided not to focus on the kind of statistics they used in the past and instead direct efforts toward reducing the majority of attacks by focusing on a handful of attack patterns. They identified the following nine areas of information security concentration:
- Insider and Privilege Misuse
- DoS Attacks
- POS intrusions
- Web App Attacks
- Physical Theft/Loss
- Card Skimmers
- Miscellaneous errors
The report is a great read. If you don’t think you’ve already been attacked, hacked or breached…you’re wrong. A senior Cisco security executive summed it up by telling me, "I know that 15% of my network has been breached at any given time…I just don’t know which 15%". And everyone is starting to realize this.
Information Security Best Practices
Best of all, the report suggests fixes and areas to watch for each of the nine areas of information security. I’ll give you a taste by providing the some of the details around Insider and Privilege Misuse. This is mainly insider misuse, but outsiders (due to collusion) and partners (because they are granted privileges) are included as well.
Before I begin, some interesting statistics about this pattern from a white paper written this year by Raytheon:
- $348 billion a year in corporate losses can be tied directly to privileged user fraud
- 64% of privileged users believe they’re empowered to access all information they can view
- 42% of IT practitioners believe information security threats will continue to grow
- The first step to protect your data is to know where it is, and who can access it.
From this, deploy identity manager controls to protect it and detect misuse. It won’t prevent determined insiders, because they have access to it already, but there are numerous other benefits that warrant doing it.
- Review user accounts
Having identified the positions and roles with access to sensitive data, implement a governance process to review account activity when those employees give notice or are released. Disable user accounts as soon as an employee leaves the company and, when warranted, before that. A best practice, the automated de-provisioning of user access privileges, successfully prevents data from leaving an organization and quickly contains incidence when uncovered.
- Watch for data exfiltration
In the top misuse varieties, we see actions that facilitate data transfer out of an organization— present excellent places to set up security controls to detect and stop this type of activity. Many data loss prevention products cover the most common actions taken to steal sensitive information, and these are certainly worth exploring.
- Publish audit results
From an awareness perspective, regularly publish anonymized results of IT audit of access and privileges. Let employees know that they are routine operations and that policies are enforced for compliance, information security, and risk management. This can act as a powerful deterrent to insidious behavior.
One thing I read more about this year is the tighter relationship between government, law enforcement, security organizations, security companies and security executives. This distributed model of intelligence, information sharing, and proactive solutions represents the only way to combat individual threat actors—no matter how large they are. So, we’ve come a very long way in 13 years. I don’t feel any safer, because I’m much more aware of the threats. I am also hopeful, because my information security level of awareness is now shared by so many like you. If everyone does their part then my money, my intellectual property (I actually have a little) and my way of life are much less at risk. Thank you.
Get the Top 10 Identity Manager Migration Best Practices Workbook
Start your migration from legacy software with the Top 10 Identity Manager Migration Best Practices Workbook. Use this workbook to think through your information security risk before you transition to next generation identity manager software.