Lessons learned from 2014 – The year of the breach

Michael Aminzade, VP Global Compliance & Risk Services at Trustwave reflects on another year of breaches and discusses what organisations can do to help protect themselves from being attacked.

  • Monday, 19th January 2015, posted by Phil Alsop

2014 is being called “the year of the breach”, after a string of businesses fell victim to attacks.

During the past year we have seen a trend in the UK that frustrates many security experts: web attacks in which the same channel, the compromised web application, serves both as the way in and as the way out for stolen data. Attackers are siphoning data over days, months and in many cases years. Alongside this, social engineering remains a prime method of introducing malware into an organisation, which raises the question of how organisations should best deal with targeted attacks. The increase in data breaches over the past year also raises the question of whether hackers are becoming more sophisticated, or whether businesses are dropping the ball because managing their networks, applications, databases and technologies is complex and they lack the resources to secure them.

Following the data breaches that happened in 2014, there are some mistakes we can learn from as we go into a new year:
1. Misconfiguration issues: These include weak passwords, reusing the same password across multiple logins, failing to configure the firewall so that it restricts outbound traffic (which is what lets stolen data leave the network unhindered), running remote access software where it isn’t needed, failing to keep anti-virus software up to date, and granting users access to systems they have no need to reach. These areas are easily fixable, but businesses continue to overlook them, which makes them an easy target for attackers.
2. Lack of resources: On many occasions we have seen in-house IT teams purchase a security technology only to realise when it arrives that they don’t have the time or manpower to make sure the technology is installed, updated, monitored and continuously working properly. The product then begins to collect dust as it sits on the shelf while the business’s data remains unprotected or, even worse, a false sense of security is created around misconfigured or misunderstood technologies.
3. Security weaknesses across third party providers: When organisations outsource their IT functions to third party providers, the provider’s staff in many cases use remote access software to fix problems in the customer’s infrastructure. Unfortunately, many businesses are unaware that their provider isn’t applying security best practices, such as strong passwords and two-factor authentication, to that remote access.
4. Poor application security: The frequency of web attacks isn’t hitting home for many organisations. The Trustwave Global Security Report found that 96% of applications scanned contained one or more serious security vulnerabilities, and that 4 out of 5 businesses admitted to rolling out projects that contained known security issues. Organisations must test regularly and build security into the development cycle, since application weaknesses are a clear contributor to a large proportion of the compromises found.
5. Lack of segmentation: Too often businesses mix all of their networks together so that all their data, sensitive and non-sensitive, flows across the same network. This setup lets criminals reach sensitive data more easily, since they only need to break into one network to get it. Businesses should segment their networks so that those carrying sensitive information are separated from those carrying non-critical information, with only the traffic that is actually needed allowed to cross between them.
6. Non-existent or unpractised incident response readiness plans: When an attack happens, many businesses don’t know who to call, what to do next, how to contain it, or the critical steps that minimise the damage and get them back to business as usual. Implementing and testing an incident response readiness plan helps businesses identify and remediate security weaknesses, detect compromises faster and minimise the damage from a breach. Findings from the 2014 Trustwave Global Security Report showed that organisations that detected a breach themselves took on average one day to contain it, whereas organisations whose breach was detected by a third party such as law enforcement or a regulatory body took 14 days.
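A concrete illustration of points 1 and 5 together, added here as an example rather than anything from the original article or from Trustwave: an nftables ruleset for a gateway that routes between a general office segment, a segment holding sensitive data and a small services segment. The forward and output chains default to drop, and outbound traffic from the sensitive segment is limited to a short allow list, with everything else logged. All addresses, segment roles and service ports are assumptions chosen for illustration.

```nftables
# Added example (not from the original article): gateway ruleset applying
# points 1 and 5 above. Every address and port below is assumed.
#
# The weak setting this corrects is "policy accept" on the forward and
# output chains with no egress rules, so any compromised host can reach
# anything. Here both chains default to drop and only listed traffic passes.

flush ruleset

define OFFICE_NET    = 10.20.0.0/24   # general user workstations (assumed)
define SENSITIVE_NET = 10.10.0.0/24   # servers holding sensitive data (assumed)
define SERVICES_NET  = 10.30.0.0/24   # shared infrastructure (assumed)
define APP_SERVER    = 10.10.0.20     # the one service office users need (assumed)
define DNS_SERVER    = 10.30.0.53     # internal resolver (assumed)
define PATCH_MIRROR  = 10.30.0.5      # internal update mirror (assumed)
define ADMIN_HOST    = 10.30.0.10     # jump host used for administration (assumed)

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Administrative SSH to the gateway itself only from the jump host
        ip saddr $ADMIN_HOST tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Office users reach the sensitive segment on one application port only
        ip saddr $OFFICE_NET ip daddr $APP_SERVER tcp dport 443 accept

        # Administration of sensitive hosts only from the jump host
        ip saddr $ADMIN_HOST ip daddr $SENSITIVE_NET tcp dport 22 accept

        # Egress from the sensitive segment: internal DNS and the patch mirror.
        # Anything else the segment tries to initiate is logged and dropped,
        # which turns a quiet exfiltration attempt into a visible event.
        ip saddr $SENSITIVE_NET ip daddr $DNS_SERVER udp dport 53 accept
        ip saddr $SENSITIVE_NET ip daddr $PATCH_MIRROR tcp dport 443 accept
        ip saddr $SENSITIVE_NET log prefix "sensitive-egress-denied: " drop

        # Office segment may resolve names and browse out, but never into the
        # sensitive segment beyond the single rule above
        ip saddr $OFFICE_NET ip daddr $DNS_SERVER udp dport 53 accept
        ip saddr $OFFICE_NET ip daddr != $SENSITIVE_NET tcp dport { 80, 443 } accept
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        # The gateway itself only resolves names and fetches updates
        ip daddr $DNS_SERVER udp dport 53 accept
        ip daddr $PATCH_MIRROR tcp dport 443 accept
        log prefix "gateway-egress-denied: " drop
    }
}
```

Two practical caveats. The forward chain only sees traffic the gateway routes, so hosts that share a subnet talk to each other directly; segmentation of this kind needs the sensitive hosts on their own VLAN or subnet, which the defines above assume. And a default-deny egress policy will break any undocumented dependency the sensitive servers have, so inventory what they actually need to reach (the risk assessment recommended below) and watch the "sensitive-egress-denied" log for a period in a lab before enforcing it in production.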

As businesses head into 2015 and beyond, they must make sure they don’t get sloppy with their security. Businesses and third party providers must use measures such as complex passwords and two-factor authentication, and follow security best practices such as:
• Perform a risk assessment to identify where their valuable data lives and moves.
• Perform vulnerability scanning on a regular basis (at least quarterly) across all assets, followed by penetration testing of their most critical assets, to identify and remediate security weaknesses.
• Deploy technologies to protect all attack vectors and augment their in-house staff by partnering with a third party team of experts, to ensure they have the manpower and skillsets to keep those technologies installed, fine-tuned and continuously working properly.
• Create and practise an incident response plan so that, if there is a breach, the business knows what steps to take to contain it and minimise the damage.