BreachExchange mailing list archives

IT Security: It's All About Damage Control


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 26 Nov 2014 19:03:52 -0700

http://www.baselinemag.com/security/it-security-its-all-about-damage-control.html/

The October edition of the *Harper's Magazine* Index included this doozy of
a statistic: The average global company in 2013 was subjected to 16,856
cyber-attacks.

Granted, many of those attacks were minor nuisances, but the sheer volume
speaks to just how important information security has become to
business—and what a struggle it is to stay on top of attacks, malware and
security tools.

"It really is a cat-and-mouse game," says Jaime Parent, associate CIO and
vice president of IT operations at Chicago's Rush University Medical Center
<http://www.rush.edu/>. "The anti-viral vendors don't like this, but I
think that in the fourth quarter of 2014, the bad guys are winning. I'm
very confident the good guys will come back, but the bad guys have the
upper hand right now."

While the overwhelming majority of security incidents are the work of
so-called "script kiddies"— people lacking the skills to do anything more
than clog networks or deface Websites—every alert still has to be examined
in order to pick out the few severe threats from that noise. The unfortunate truth
is that advances in technology have created a veritable business model for
those who successfully engineer sophisticated attacks and make off with
high-value information.

"Data is valuable, and it's becoming easier to find ready buyers," says
Eric Hanselman, chief analyst at 451 Research
<https://451research.com/biography?eid=500>. "There are dark communities
that trade in information just as readily as they trade in any other
ill-gotten gain."

Worse, that black market is only getting bigger. In a recent security
report, "The Invisible Becomes Visible,
<http://www.trendmicro.com/vinfo/us/security/predictions/>" Trend Micro
predicts that during 2015, "More cyber-criminals will turn to darknets and
exclusive-access forums to share and sell crimeware."

One silver lining: Because so much stolen data is flooding into those
underground markets, prices are driven downward, and the bad guys have to
steal more to make ends meet. In fact, the black market price of a U.S.
credit card credential dropped from $3 in 2011 to $1 in 2013, while stolen
Facebook credentials that cost $200 in 2011 could be bought for $100 two
years later, according to the Trend Micro report.

Meanwhile, emerging cloud-based IT models are steadily removing what used
to be the main function of IT security teams: securing a company's
technological borders. Instead, that's being left to cloud providers, while
IT security increasingly revolves around identity and access management,
monitoring and damage control.

In other words, security is no longer about keeping the bad guys out.
Rather, it's about limiting what they can do once they get in.

"You get to forget about the perimeter," says 451 Research's Hanselman.
"Your daily life in security is about understanding your posture rather
than defending at all costs."

*Benefiting From Vigilance and Luck*

That's certainly been the case for Parent at Rush University Medical
Center. The 664-bed hospital—which, as a medical education facility,
supports a population of 10,000 care providers, students, faculty,
researchers and support staff—hasn't been victimized by a major breach, a fact
Parent attributes to a combination of vigilance and luck.

Still, the organization has to contend with its share of successful
phishing attacks and insider threats. Parent and his team have to
investigate every incident and shore up every perceived security hole to
make sure that spotless breach record remains intact. It's a
resource-draining job, to be sure.

"The thing that hurts us the most is the time in remediation," says Parent.
"If an infection has gotten some traction, it's difficult to touch all the
devices, re-educate the users and clean out the network."

Parent believes the hospital's biggest threat is its own employees, who
expose the IT environment by storing passwords on Post-It notes and
clicking on phishing emails.

Hence, the centerpiece of Rush University Medical Center's security
strategy has been a user education and training component dubbed "I Care, I
Protect." The idea is to make sure users are prepared to deal with various
situations, so they can help prevent identity thieves, dumpster divers and
other cyber-criminals from getting the information they crave.

"Technology without the human component only takes you so far," Parent
points out.

*Trying to keep the bad guys out of our corporate network isn't even the
primary goal any more. Instead, it's preventing them from getting what they
really want.*

That's not to say technology isn't a big part of Rush University Medical
Center's security strategy. For instance, the organization looked to
strengthen its network defenses by deploying more sophisticated monitoring
tools that alert Parent and his team to early signs of an incident. The
idea, he says, is to be more proactive and less reactive, and to isolate
infections before they have a chance to spread.

"The bad guys are going to get in," says Parent. "Instead of concentrating
on the front door, you concentrate on the rooms and valuables within the
house."

*Deflecting Incoming Attacks*

Stephen Molina, information security administrator for Modesto,
Calif.-based Save Mart Supermarkets <http://www.savemart.com/>, is
similarly resigned to his fate. Save Mart's firewall manages to deflect
about 90 percent of incoming attacks, most of which are the work of script
kiddies.

What saps the biggest share of Molina's and his team's time is the constant
barrage of phishing emails, often customized to look like they come from
Save Mart vendors. Molina says employees at all levels of the company click
on those emails, releasing malware onto their devices and, from there, often
into the network.
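Vendor-impersonating phishing of the kind both organizations describe usually shows up in the sender address: an exact vendor domain with one character swapped, the vendor's name bolted onto an unrelated domain, or a trustworthy display name over a foreign address. As an added example (not Save Mart's or Rush's own tooling), here is a small Python triage routine that classifies a From: header against a vendor allowlist. The vendor domains, the sample messages and the edit-distance threshold are constructed assumptions for illustration.

```python
"""Flag inbound mail whose sender impersonates a known vendor domain.

Added example for this article; not tooling from either organization.
VENDOR_DOMAINS, the sample messages and the edit-distance threshold are
constructed assumptions.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: domains the organization really receives vendor mail from.
VENDOR_DOMAINS = {"freshproduce.example", "coldchain-logistics.example"}

# Digit-for-letter swaps commonly used to build look-alike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Lower-case, drop a trailing dot, undo digit swaps, fold 'rn'->'m' and 'vv'->'w'."""
    d = domain.lower().rstrip(".").translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small enough to inline rather than add a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> tuple[str, str]:
    """Return (verdict, reason) for a From: header value.

    'vendor'    exact allowlist match, or a subdomain of one
    'lookalike' resembles a vendor domain or name but is not one
    'unknown'   no resemblance to any vendor (still untrusted, just not spoofing)
    """
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unknown", "no parseable address"
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain in VENDOR_DOMAINS or any(domain.endswith("." + v) for v in VENDOR_DOMAINS):
        return "vendor", domain

    norm = normalize(domain)
    claimed = display.lower().replace(" ", "")
    for vendor in VENDOR_DOMAINS:
        vname = vendor.split(".")[0]
        # 1. Typo-squat or homoglyph: within two edits after normalization (threshold is an assumption).
        if edit_distance(norm, normalize(vendor)) <= 2:
            return "lookalike", f"{domain} is within two edits of {vendor}"
        # 2. Vendor name used as a label or prefix of an unrelated domain.
        if vname in norm.split(".") or norm.startswith(vname + "-"):
            return "lookalike", f"{domain} embeds vendor name {vname!r}"
        # 3. Display name claims the vendor while the address domain does not.
        if vname in claimed:
            return "lookalike", f"display name {display!r} claims {vendor}, address is {domain}"
    return "unknown", domain


def triage(raw_messages: list[str]) -> list[tuple[str, str]]:
    """Classify the From: header of each raw RFC 5322 message."""
    return [classify_sender(message_from_string(raw).get("From", "")) for raw in raw_messages]


# Constructed sample messages, one per case the classifier distinguishes.
SAMPLES = [
    "From: Accounts Payable <ap@freshproduce.example>\nSubject: Invoice 4471\n\nok\n",
    "From: Accounts Payable <ap@freshproduce.examp1e>\nSubject: Invoice 4471\n\nclick\n",
    "From: <billing@freshproduce-invoices.example>\nSubject: Overdue\n\nclick\n",
    "From: Fresh Produce Billing <x@randommail.example>\nSubject: Remit\n\nclick\n",
    "From: Joe <joe@unrelated.example>\nSubject: Lunch\n\nhi\n",
]

if __name__ == "__main__":
    for raw, (verdict, reason) in zip(SAMPLES, triage(SAMPLES)):
        print(f"{verdict:9} {reason}")
```

This is a triage aid for the mail queue, not a substitute for SPF, DKIM and DMARC, which catch outright forgery of the real vendor domain; the look-alike cases above pass those checks because the attacker controls the domain they send from.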

Like Parent, Molina responds by first working out the breadth of the
infection and then isolating it.

"You *will* get infected," he says. "You are going to get compromised. It's
a mistake to think about how you can prevent it from happening. It's really
about minimizing the damage."

Like Rush University Medical Center, Save Mart, which operates 226 grocery
stores in California and Northern Nevada, hasn't had any big breaches.
Molina chalks that up to a combination of luck and the segmentation of
systems that touch Save Mart's most valuable data. If an intruder gets at
the company's customer credit card data, for example, he says it "could
bring down the whole company."

Molina reports that Save Mart has been relying increasingly on monitoring
tools that allow it to respond to a threat proactively, before it finds
itself explaining what went wrong to throngs of media.

If it sounds like IT security has evolved from brute-force protection into
a more subtle art, that's because it has: The threats are no longer just
automated bots, and intrusions are much faster-changing and more adaptable
than they once were.

"We're up against other people, and they're not static," says Molina. "It's
an adversarial environment."

For organizations like Save Mart and Rush University Medical Center, the
answer has been to keep the bad guys in their sights at all times. But, as
both Molina and Parent acknowledged, a dash of luck doesn't hurt.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
