As the weather turns colder (even here in Florida) and we head into the holiday season, it is inevitable that we reflect on the year that is winding down. It may seem early for an end-of-year or 2014 recap post, but in IT security the slew of bad news and high-profile breaches that characterized the year really started during the last holiday shopping season, with Target’s infamous breach. Heading into a new holiday shopping season and then into 2015, what can we expect? There are certainly lessons to learn from the significant breaches of 2014.
CSO’s Steve Ragan recently compiled a list of the year’s most significant, even “nightmarish”, incidents. It includes 27 high-impact, high-profile breaches and attacks, and it shows a variety of companies and types of incidents:
- There are 4 finance/credit card companies, 2 telecoms, 6 retailers, 3 in healthcare, and 7 other companies (including services, entertainment, software, publishing, etc.).
- Only six of the 27 were located outside the US.
- 5 incidents stemmed from POS malware or a widespread bug (Heartbleed), 2 involved a third-party vendor, and 4 involved employees (3 insider leaks, 1 abuse of employee credentials).
- At least two of these breaches went undetected for six months to a year.
Looking forward to what promises to be another busy year for IT security incidents, the takeaway from this list must be vigilance.
Vigilance in Security Monitoring
Manage Patches & Updates
POS malware and the Heartbleed bug were present in systems long before they were detected and fixed, but that only underlines the importance of having a patch management process in place. When news breaks of a widespread flaw, you must act immediately: determine whether you are affected (an accurate inventory of what is installed where is what makes this fast), determine whether a breach has already occurred, and correct the resulting issues quickly and completely. For Heartbleed that meant not only upgrading OpenSSL but also replacing the private keys and credentials that could have been read from server memory while the flaw was exposed.
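The "are we affected?" step is the one that has to happen within hours of an advisory, and it is only fast if it is scripted. The following Python script is an added example, not code from the original post: it walks a constructed inventory of hypothetical hosts and classifies each OpenSSL version against the upstream range Heartbleed (CVE-2014-0160) affected, which was 1.0.1 through 1.0.1f plus 1.0.2-beta1, with 1.0.1g the first fixed 1.0.1 release. The host names, addresses and inventory format are assumptions. It also handles the caveat that bites most teams: a distribution revision such as a Debian `-2+deb7u5` suffix means the vendor may have backported the fix without changing the upstream number, so the version string alone cannot decide and the host is reported as unknown rather than guessed.

```python
import re

# Constructed inventory of hypothetical hosts (host,package,version). Real
# input would come from osquery, a CMDB export, or `dpkg -l` / `rpm -q` output.
INVENTORY = """\
web-01,openssl,1.0.1e
web-02,openssl,1.0.1g
api-01,openssl,1.0.2-beta1
db-01,openssl,1.0.0l
vpn-01,openssl,0.9.8y
lb-01,openssl,1.0.1f
app-01,openssl,1.0.1e-2+deb7u5
"""

# Heartbleed (CVE-2014-0160) affected upstream OpenSSL 1.0.1 through 1.0.1f
# and 1.0.2-beta1; 1.0.1g was the first fixed 1.0.1 release. The 1.0.0 and
# 0.9.8 branches never contained the TLS heartbeat code and were not affected.
VULN_LOW = (1, 0, 1, "")
VULN_HIGH = (1, 0, 1, "f")
VULN_EXACT = {"1.0.2-beta1"}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(.+))?$")


def parse_version(text):
    """Split '1.0.1e', '1.0.2-beta1' or '1.0.1e-2+deb7u5' into
    ((major, minor, fix, letter), suffix). The letter compares as a string,
    which matches OpenSSL's ordering ('' < 'a' < ... < 'f' < 'g')."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version {text!r}")
    major, minor, fix, letter, suffix = m.groups()
    return (int(major), int(minor), int(fix), letter), (suffix or "")


def classify(version):
    """Return 'vulnerable', 'not_vulnerable' or 'unknown' for one version."""
    if version in VULN_EXACT:
        return "vulnerable"
    core, suffix = parse_version(version)
    if suffix:
        # A distribution revision (Debian '-2+deb7u5', RHEL '-16.el6_5.7', ...)
        # means the vendor may have backported the fix without bumping the
        # upstream number. The string alone cannot answer; check the vendor
        # advisory or probe the service instead of guessing.
        return "unknown"
    return "vulnerable" if VULN_LOW <= core <= VULN_HIGH else "not_vulnerable"


def check_inventory(csv_text):
    """Map host -> status for every openssl row in the inventory."""
    results = {}
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        host, package, version = (f.strip() for f in line.split(",", 2))
        if package != "openssl":
            continue
        results[host] = classify(version)
    return results


if __name__ == "__main__":
    for host, status in sorted(check_inventory(INVENTORY).items()):
        print(f"{host:8} {status}")
```

The "unknown" bucket is deliberate: a script that silently marks backported packages as vulnerable creates noise, and one that marks them safe creates a blind spot. Those hosts get a vendor-advisory lookup or a direct probe, not a guess.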
Monitor for Signs of Trouble
At least two of the breaches were reportedly ongoing for up to a full year. Without processes and tools in place to run routine scans and alert staff to suspicious or irregular events, an attacker who gains access can take their time and siphon off critical data slowly and methodically. A slow leak keeps each individual transfer below the thresholds a single large upload would trip, which is exactly why it is hard to detect, and it can be devastating for your organization.
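To make the "slow and methodical" point concrete, here is an added example (not code from the original post) that runs detection logic over a constructed firewall/proxy export with hypothetical hosts and addresses. One workstation pushes about 2 MB to the same outside address every night for twelve days; a second is chatty but benign; a third makes one large upload. The per-transfer alarm catches only the large upload. The second check aggregates by source/destination pair and flags a pair whose transfers each stay under the alarm but whose cumulative volume to one destination, spread over many days, is large. The log format, thresholds and day counts are assumptions to be tuned against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _build_sample_log():
    """Constructed log lines: '<ISO timestamp> <src_host> <dst_ip> <bytes_out>'.
    Hosts and addresses are hypothetical; built inline so the example runs offline."""
    lines = []
    start = datetime(2014, 11, 1, 3, 0)
    # ws-042 sends ~2 MB to the same outside address every night for 12 days.
    for day in range(12):
        t = start + timedelta(days=day)
        lines.append(f"{t.isoformat()} ws-042 198.51.100.7 {2_000_000 + day * 1000}")
    # ws-007 is chatty but benign: tiny requests to several addresses each morning.
    for day in range(12):
        for i in range(5):
            t = start + timedelta(days=day, hours=8, minutes=i)
            lines.append(f"{t.isoformat()} ws-007 203.0.113.{10 + i} 4096")
    # ws-100 uploads one 60 MB backup once; a per-transfer alarm sees this one.
    lines.append(f"{(start + timedelta(days=3)).isoformat()} ws-100 192.0.2.50 60000000")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()

PER_EVENT_ALERT = 10_000_000  # bytes: the classic single-transfer alarm
MIN_DAYS = 7                  # persistence: same src/dst pair seen on this many days
MIN_TOTAL = 10_000_000        # cumulative bytes to one destination


def parse_line(line):
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def single_event_alerts(log_text, per_event_alert=PER_EVENT_ALERT):
    """The naive rule: any one transfer at or above the alarm size."""
    hits = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, nbytes = parse_line(line)
        if nbytes >= per_event_alert:
            hits.add((src, dst))
    return sorted(hits)


def find_slow_leaks(log_text, per_event_alert=PER_EVENT_ALERT,
                    min_days=MIN_DAYS, min_total=MIN_TOTAL):
    """Return {(src, dst): summary} for pairs whose every transfer stays below
    the single-event alarm but whose cumulative volume to that one destination
    reaches min_total across at least min_days distinct days."""
    stats = defaultdict(lambda: {"days": set(), "total": 0, "max": 0, "events": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = parse_line(line)
        s = stats[(src, dst)]
        s["days"].add(ts.date())
        s["total"] += nbytes
        s["max"] = max(s["max"], nbytes)
        s["events"] += 1
    findings = {}
    for pair, s in stats.items():
        if s["max"] < per_event_alert and len(s["days"]) >= min_days and s["total"] >= min_total:
            findings[pair] = {"days": len(s["days"]), "total": s["total"], "events": s["events"]}
    return findings


if __name__ == "__main__":
    print("single-event alarms:", single_event_alerts(SAMPLE_LOG))
    for (src, dst), info in find_slow_leaks(SAMPLE_LOG).items():
        print(f"slow leak: {src} -> {dst}: {info['total']} bytes over {info['days']} days")
```

The pair-level aggregation is the whole point: a volume rule evaluated per event never fires on ws-042, while the same data rolled up by destination over a week makes the pattern obvious. In production the equivalent lives in your SIEM or NetFlow tooling, with the destination list filtered against known business services before it pages anyone.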
Vigilance in Security Training and Policies
Employee Training – Recognizing Phishing and Other Threats
POS malware is designed to collect credit and debit card information, and there is big money in selling such data on the black market. But credit card companies and banks are more vigilant than ever about spotting and stopping card fraud, so we should also take note of the extensive PII stolen over the year. An estimated 904 million records were compromised, and that includes far more than financial data.
A trove of personal information about Americans has found its way into the wrong hands as a result of these breaches. That data is expected to fuel more frequent and more aggressive phishing and email scams, and those attacks will inevitably target your company’s employees. Now is the time to make sure they all understand what to look for and how to respond to suspicious attempts to obtain their information or credentials through misleading email.
Security Policies and Enforcement
One company hit particularly hard this year was Home Depot. The latest Point of Sale (POS) attack compromised an estimated 56 million customer records. You may have missed two breaches earlier in the year.
In February and May, three Home Depot employees and one person described as a company “insider” were responsible for stealing and selling almost 50,000 records from the company’s systems. Were these breaches a precursor to the major hack discovered in September? Could they have drawn attention to weaknesses in Home Depot’s security? Possibly. Or it could simply have been a really bad year for the company.
Regardless of why it suffered not one, not two, but three significant breaches, Home Depot cannot overlook the internal problems that led to the first two. No company is immune to a breach caused by human error or human greed. You must have clear, strongly enforced policies governing how your company’s data is accessed and used, and by whom, along with the access controls and logging needed to enforce them.
Vigilance in Incident Response Planning
Quick Incident Response
When a company discovers a breach, or even sees signs that one may have occurred, quick action is paramount to limiting the loss of data and the damage to systems. Last year’s Target breach is a good example of how a delayed response, or a failure to act on warnings at all, compounds the problems that follow the initial intrusion.
Thorough Incident Response
Another key to successfully responding to a breach is to analyze and repair the areas of weakness and the access points the attacker used, and to correct any issues the breach created or that had gone unnoticed before it.
A quick, thorough, successful incident response does not happen without extensive planning well in advance. No team can respond effectively without a detailed plan that has been trained on and tested.
Will the holidays see more activity like last year’s Target breach? Are businesses prepared? Are employees and consumers prepared? Given the volume of attacks and breaches we have seen throughout 2014, resolve now to face 2015 with the vigilance necessary to protect your company.