The Top 5 Myths of Data Breaches

Introduction

We live in the age of the data breach. It seems that in every newspaper and on every newscast we hear about yet another breach of a computer network resulting in the theft of confidential or sensitive information. Even the media outlets themselves have become the targets of these attacks and data breaches.

Both within the security industry and in society in general we are in a constant search for a solution to this problem. However, many in the security industry have become so disillusioned by failure that they have adopted the opinion that a breach is inevitable and the primary focus should be on detection and response as opposed to prevention. In truth, there is no single, simple answer and giving up is not a viable alternative.

The fact that there are no easy answers does not mean we have to accept defeat. One of the first steps is to recognize that many widely promoted opinions about the causes of breaches and the failures of technology are actually myths. These myths obscure a clear path to increased security and better risk management. Debunking them is an important step toward improving the effectiveness of our security defenses against future breach attempts. This paper will seek to expose five of the biggest myths that exist about data breaches, and explain how and why breaches occur.

Who and what is at risk?

Who is a target of all of these attacks? In a word, you. Targets can literally be anyone and everyone. Some breaches have nation-state strategic motivations. Others may be politically or financially motivated. Other targets are just low-hanging fruit. As more than one attacker has said when asked why they attacked a particular target: “because they could.” These kinds of attacks are similar to a thief walking down a hallway in a hotel checking doorknobs. He is looking for the open one. The room with the open door becomes his next victim. In fact, according to the Verizon Data Breach Report (2012), 79% of breach victims were targets of opportunity. They were not targeted because of who they were or what they had; they were just easy to break into.

Depending on the specific vertical of your business, it is more likely than not that you have already been the victim of a data breach. The cost of these breaches is staggering as well. In many cases the cost of the breach is enough to put the victim out of business. Large public companies have taken charges of tens and hundreds of millions of dollars. But larger companies are not the only targets of these attacks. In fact, midsize and SMB businesses are often targeted because they are a “softer target.” No organization is immune from attack.

For many organizations the question should not be what it costs to secure my network, but rather what it costs not to secure my network.

A first step in this direction is understanding the real risk involved and peeling the fiction away from the facts. This paper is a first step in that process, exposing what we believe are the five biggest myths of data breaches.

Myth #1

Threat Sophistication

With today’s advanced persistent threats, zero-day exploits and sophisticated targeted attacks, it has become fashionable to throw up our hands, feeling helpless against these new classes of attacks. Some security pros advocate that we will not be able to stop these kinds of attacks and that we should plan for what to do when they happen, rather than trying to stop them.

While there is no doubt that trying to stop these kinds of attacks is very difficult, the fact is that according to the Verizon Data Breach Report of 2012 a staggering 96% of all breaches were not highly difficult. For all of our talk about threat sophistication, again according to the Verizon Data Breach Report, 97% could have been stopped with simple or intermediate controls.

The numbers are overwhelming. For every unknown zero-day attack there are literally 80, 85 or more attacks and breaches which utilized a known vulnerability and attack vector. The idea that we don’t have the technology or technique to stop most attacks is a myth. Again, according to the most recent Verizon Breach Report, 79% of victims were targets because they were available, not because of who they were or what they had to offer the attackers.

Even with these new advanced, sophisticated attacks, it is usually a low-level vector that allows the attackers to inject their sophisticated payloads. In most cases of APT we see some sort of spearphishing or other social engineering which allows the attackers to infiltrate a network. Once they gain a toehold in an organization’s network using these types of low-level techniques, they then probe to see how and where they can gain access using some of the more advanced techniques. Again, they are looking for misconfigurations, unpatched systems, etc.

Even vaunted custom malware such as Stuxnet was introduced via a USB drive. Injecting malware via a USB drive is hardly sophisticated, or new for that matter. It is believed that the US Department of Defense suffered a breach years ago via USB thumb drives injecting malware onto systems.

The lesson of this myth is: do not become an easy victim of opportunity. Most data breaches are successful not because of some new, highly sophisticated form of attack. Rather, most data breaches are successful because the attackers found an easy, rather simple point of entry that allowed them to then inject their attack payloads and complete their breach. And even if they succeed with step one, basic access controls in the network can often prevent further damage and raise visibility of the existence of the breach.

Hiding behind the new sophisticated threats as an excuse not to remain vigilant and implement best practices is a losing proposition. While there are new forms of hacking and attacks, the sophistication of the attack is not the reason for your breach in the overwhelming majority of cases. Most breach attempts are actually pretty easily thwarted with simple and midlevel controls in place.

Myth #2

Network controls are useless since all attacks now are layer 7 attacks

Oh, how the web app security vendors would love us to believe this one. But alas, this is another myth around data breaches. While many attack attempts come in via port 80, that does not mean that existing network security technologies could not be used to block them.

A firewall, for example, can be used to stop attacks even with port 80 or other common ports left open. Blocking via IP, whitelisting IPs, and other firewall configuration management can block many application layer 7 attacks despite popular myths to the contrary.

Another method of stopping layer 7 attacks is to understand the path an attack would take in order to successfully reach critical assets. A tool such as FireMon Risk Analyzer can help you visualize what these potential paths of attack are and what controls you can put in place that would block these attacks.

The important thing to remember about layer 7 attacks is that although they attack at the application layer, their traffic still traverses your network. Therefore, network-based controls and defenses can still affect them.

Yes, application-specific defenses like NGFW, WAF and other layer 7 defenses are effective against these attacks (assuming they are properly configured), but if you don’t have the budget to afford these luxuries there is no need to throw in the towel; there is still much you can do. Tightening your network controls and doing all you can to avoid misconfigurations is a viable and surprisingly effective strategy.

Myth #3

My technology is slow, old, and obsolete (or all of the above)

This may be the single biggest myth in IT, let alone security and risk. How many times have we heard that “my computer did not function properly”? Other flavors of this myth are that “my technology was too slow, too old, and out of date.”

In security specifically, we live in a world of next gen. If there is a next gen tool in a particular category, it is obviously better and makes the previous generation obsolete. Or so the myth goes. We hear about an attack being successful and immediately think we need a new tool or a new technology to stop the new attack.

We don’t think too much about why our present technology did not prevent or stop this new attack. Was it really a case of the technology being incapable of thwarting the attack? More often than not an examination of the facts will show that the technology that was deployed could have successfully protected you but it was misconfigured. Misconfigurations are much more likely to be the reason for a data breach than obsolete technology.

Misconfigurations could entail a firewall setting allowing traffic to or from a specific IP, or via a port that should have been closed. Misconfigured network settings are a major source of data breaches. Who has permission to access what files and assets on the network? There could also be a misconfiguration on a server, such as file permissions being set incorrectly.

Misconfiguration can also take the form of a setting on an endpoint that results in a patch or remediation not being applied. For instance, something as simple as not having automatic updates turned on can result in a new patch never being applied.

Again, the Verizon Data Breach Report and other data breach studies show that sensible low and midlevel controls and proper configuration of existing security technology are adequate to stop the overwhelming majority of attacks.

This “human error” is responsible for many times more data breaches than older technology ever is. That is not to say that technology doesn’t become obsolete. Of course it does, and that is sometimes the case. Trying to maintain Windows XP systems after Microsoft has discontinued support could leave you vulnerable to attack, for instance. But that situation is far rarer than a simple misconfiguration.

Before blaming the technology, take a good look in the mirror and make sure that your perimeter devices, network, servers and endpoints are all configured correctly.
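The kind of configuration review this section and Myth #2 call for, as an added example that is not part of the original paper and not FireMon's own code: a small checker over a constructed first-match firewall policy that flags a sensitive service opened to any source and a rule made dead by an earlier catch-all, with a "before" policy beside the least-privilege "after". The rule format, the SENSITIVE_PORTS list and the default-deny assumption are all constructed for this example.

```python
"""Audit a small first-match firewall policy for the misconfigurations this section
describes. Rule format and both sample policies are constructed for this example."""
from collections import namedtuple
from ipaddress import ip_network

# Fields: name, action ("allow"/"deny"), src, dst (CIDR or "any"), port (int, None = any)
Rule = namedtuple("Rule", "name action src dst port")
SENSITIVE_PORTS = {22: "ssh", 445: "smb", 3389: "rdp"}  # never open to "any" (assumption)

def _covers(net: str, other: str) -> bool:
    """True if the address set `net` contains every address in `other`."""
    return net == "any" or (other != "any" and ip_network(other).subnet_of(ip_network(net)))

def _shadows(earlier: Rule, later: Rule) -> bool:
    # An earlier rule that matches everything the later one matches makes it dead.
    return (_covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
            and earlier.port in (None, later.port))

def audit(rules: list[Rule]) -> list[str]:
    """Return findings for exposed services and dead (shadowed) rules."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and r.src == "any" and r.port in SENSITIVE_PORTS:
            findings.append(f"{r.name}: exposes {SENSITIVE_PORTS[r.port]} to any source")
        shadow = next((e.name for e in rules[:i] if _shadows(e, r)), None)
        if shadow:
            findings.append(f"{r.name}: never reached, shadowed by {shadow}")
    return findings

def first_match(rules: list[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """Evaluate one TCP connection; unmatched traffic is denied (assumption)."""
    for r in rules:
        if _covers(r.src, src_ip) and _covers(r.dst, dst_ip) and r.port in (None, port):
            return r.action
    return "deny"

# Constructed "before": a temporary RDP rule nobody removed and a management
# catch-all that makes the admin SSH rule after it dead.
WEAK_POLICY = [
    Rule("web-in", "allow", "any", "10.0.1.0/24", 80),
    Rule("temp-rdp", "allow", "any", "any", 3389),
    Rule("mgmt-all", "allow", "10.0.9.0/24", "any", None),
    Rule("admin-ssh", "allow", "10.0.9.0/24", "10.0.1.0/24", 22),
]
# Constructed "after": the same business need with least privilege.
FIXED_POLICY = [
    Rule("web-in", "allow", "any", "10.0.1.0/24", 80),
    Rule("admin-rdp", "allow", "10.0.9.0/24", "10.0.1.0/24", 3389),
    Rule("admin-ssh", "allow", "10.0.9.0/24", "10.0.1.0/24", 22),
]
```

Running audit() over the weak policy reports the exposed RDP rule and the dead SSH rule; the fixed policy reports nothing, and first_match() shows the same external address that could reach RDP before is now denied while port 80 still works.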

Myth #4

It’s impossible to prevent breaches; I should just concentrate on response

There is a very prevalent trend in the security industry that says data breaches and security incidents are unstoppable. Instead of putting so many resources into preventing data breaches, the story goes, put the resources into incident discovery and breach response instead.

As the American general in the Battle of the Bulge replied when asked to surrender: “Nuts!” Giving up and not trying to stop data breaches is not and never will be a successful strategy. One hundred percent prevention of data breaches may not be possible, but that doesn’t mean it is not a worthy goal or that you should not try to stop data breaches. The implication of redirecting significant resources away from prevention towards response is that more breaches will occur, requiring even more time and effort on detection and response.

Risk management dictates that we manage to acceptable levels of risk. While this may mean recognizing that you should not dedicate more resources to prevention than the risk is worth, it does not mean full-scale surrender.

There is obviously a balance that needs to be struck. We do need to discover security breaches as fast as possible. We do need a well-thought-out plan to respond to data breaches. However, let’s be very clear that the balance must tip in favor of stopping data breaches where possible and reasonable.

If you just take some basic steps to harden your systems you can greatly reduce your risk of breach. According to the latest Verizon Data Breach Report, 75% of attacks are opportunistic, meaning they were carried out because they were easy and available, not because of some strategic initiative. On top of this, 78% were started with relatively simple attacks rated as low difficulty.

This means that taking reasonable measures to avoid becoming the target of an opportunistic attack and thwarting low-difficulty attacks could decrease your likelihood of being a data breach victim by over 75%. With those kinds of odds, it seems ludicrous to throw up your hands in defeat.

Myth #5

If I just keep my systems patched, I can prevent all breaches.

Oh, if only this were true, what a simpler world this would be. The “I can patch everything, can’t I?” approach fails on several fronts. First of all, just staying on top of all of the patches that are released for the software you run in your organization can be a daunting task.

In most organizations, you don’t just apply a patch when it comes out. There is a QA process where the patch is tested to make sure it does not break something else. Many times, by the time a new patch is tested and made ready to implement system wide, there is already a new patch that must now be tested and rolled out as well. While this may be a great form of job security, it is also literally living on the hamster wheel. No matter how fast you can run, it seems that the sheer number of patches will just keep you spinning your wheels.

Of course the other side of this dilemma is that these patches are all driven by the finding of vulnerabilities. So while a good chunk of your resources is tasked with testing and rolling out patches, another part of the team is out scanning and testing for vulnerabilities.

Scanning for vulnerabilities is not as easy as it used to be either. With so many mobile and remote devices, they are not always on the network when you run your vulnerability scan. Tracking, scanning and testing for vulnerabilities can be a bigger job than patching. Between the two, you can rest assured that a substantial amount of your allocated budget and resources will be sunk.