Sunday, September 29, 2013

The Myth and Reality of Data Breach


Shahriar Chowdhury, CISSP, CISA, CISM, CRISC, CIPP/IT, CEH, CHFI is the lead consultant at Infosec Professionals, LLC. He attended New York University-Polytechnic Institute and is currently pursuing an MS in Information Security Assurance at Western Governors University. He has worked in Information Security consulting roles for over 12 years. Opinions expressed in this column are his own. He can be reached at shahriar@infosecpros.com

THE MYTH AND REALITY OF DATA BREACH

The recent news of data breaches at data broker services such as Lexis Nexis, Kroll and D&B is yet another reminder for security professionals that the adversaries are getting stronger than ever before. As Mathew Nicho and Hussein Fakhry point out in their article “Using COBIT 5 for data breach prevention” in Volume 5 of the ISACA Journal, COBIT 5 enablers and management practices can be used effectively to prevent these types of data breaches, yet many organizations do not plan for or implement preventive technologies. After a high-profile security breach is reported in the media, senior management may spend some time thinking about the issue and may decide to hire a security officer to combat the problem; however, on many occasions security budget and resources are the bottlenecks. Organizational culture may be an impediment to the new Security Officer role, as there is generally a mistrust of Security Officers in some organizations. A major shift in thinking regarding technology investment versus manual process creation is also required, as a new security role often means more work for other IT teams, especially around the tedious process of reporting improvements in vulnerability management, malware protection and log reviews.

SECURITY LEADERSHIP

A major disadvantage for a new security officer is not knowing the organization well enough, yet creating unrealistic metrics and following them to the letter, and being too focused on operations rather than strategy. Other IT teams eventually realize that there is little or no value in the constant repetitive work that they are doing for ‘the new security team’, and do not feel inclined to stay friendly with Security. I think the major problem is that many security professionals are not attacking problems strategically—they are trying to solve everything, or, to maintain harmony with IT teams, are avoiding the hard ones, sometimes assuming that they are impossible to achieve. I have seen reluctance to adopt two-factor authentication requirements, citing various research reports about how complex and expensive it is to maintain; however, in the last few years there have been many inexpensive and easy-to-use solutions in this space. Organizations sometimes go overboard in selecting technologies such as SIEM, where they go with the best-of-breed technology as reported by Gartner or other leading research firms, which may not be a good fit for mid-size organizations without dedicated teams. The major research publishers do not always provide independent reviews of smaller companies, or present total cost of ownership information in a clear manner—thus leaving the mid-size organization out of the picture for new technology investment. Sometimes, when the security budget increases in reaction to a data breach, managers select what they had previously wanted in their budget, without focusing on how the threat landscape has changed.

WHAT WORKS IN PREVENTING DATA BREACH

Many of these data breaches are indeed preventable, as many begin with a phishing email delivered to an internal employee. Sometimes, due to a lack of understanding of how filtering tools and signature databases work, IT thinks spam and URL filtering are effective controls against phishing attacks. CISOs rely on network or other IT groups to maintain the Internet infrastructure, and do not monitor when the quality of URL filtering databases declines; misconfiguration is also a major issue. To have a really effective control around this issue, it’s time to think about split networks and devices (or virtualization) for Internet and internal connections. Organizations are too reliant on what worked and did not work in the past, and not forward thinking enough.

SKILLS GAP MYTH

When it comes to the current state of security programs, the problem is less a technical skills gap than a management issue. COBIT 5 suggests separation of Governance from Management; however, in many organizations even Audit is not fully independent, and auditors avoid touching important but sensitive subjects that could be very effective in minimizing data breaches. Systems and databases that contain financial or Personally Identifiable Information (PII) of employees and customers should generally be segregated from the internal network, and only authorized users should be allowed access. However, many internal and external auditors turn a blind eye to the problem, and suggest ineffective work-arounds such as monitoring access logs, which do not get performed on a regular basis due to human error, other workload, etc. Many organizations have tried to address these issues by creating security policies; however, many of those are not enforceable. In some cases there is a whistleblower framework in place in theory, but if an employee comes forward to management with an issue, they are treated as if they betrayed trust, instead of management listening, trying to understand the problem, and then taking reasonable steps to fix it.

HIRING THE RIGHT TALENT

The growth in security job openings in recent years is enviable; however, hiring managers hold positions open for months waiting for talent that fits their budget, rather than paying market rate for the right position and the right talent. When these people become managers, they continue to make the same mistakes. I have heard from so many job-seekers that when they are offered a job after multiple rounds of interviews and many weeks into the process, the salary is at the same level as or sometimes lower than their current position, and with fewer benefits. This is not the right way to attract talent to a critical function of the business. I think there appears to be a disconnect between management expectations and the reality of the job market for security professionals.

The problem could be that some CIOs/CISOs do not prioritize in terms of business and financial risk, or do not know how to quickly isolate a problem by finding the weakest link. They may be relying too much on technology, and do not listen to business owners. When it comes time to expand the team, the same business owners think they will get more of the same, and they are not thrilled to provide that budget.

CONCLUSION

There is no one-size-fits-all security pill to prevent and defend against the security problems we are facing as security professionals. However, it is high time to raise our concerns to senior business management that IT security is serious business, and that best practices around the resources required for optimal IT security should be benchmarked. Situations vary everywhere, but if a company has billions of dollars of intellectual property to protect and will not invest a tiny fraction of its budget to safeguard it, this should make its customers and investors raise questions. And we know that to get the answers we want, we have to take the first step of asking the question.


ENDNOTES

Data Broker Giants Hacked by ID Theft Service. Krebs on Security, 2013. http://krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/

Using COBIT 5 for Data Breach Prevention. Mathew Nicho, Hussein Fakhry. ISACA Journal, Volume 5, 2013.

Why American Banks Will Continue to Be Breached. Forbes Magazine, 2012. http://www.forbes.com/sites/josephsteinberg/2012/09/27/why-american-banks-will-continue-to-be-breached/