In the wake of the recently publicized attacks on government databases and systems, all CIOs and chief security officers should assume their own organizations could be next and must proactively revisit their technologies and processes to ensure they can detect and contain a breach, not merely attempt to prevent one.
“Conventional thinking in IT has been to prevent being hacked altogether, and that has proven impossible to achieve. CIOs and CSOs should assume they will be hacked, and turn their attention to technologies that detect breaches early and block the exfiltration of data,” Nat Kausik, CEO of Bitglass, told Enterprise Technology. “In short, focus on risk management.”
Security and technology professionals also must manage expectations: a breach is always possible, security experts warn, especially when attackers have targeted your organization specifically. But by taking multiple steps to protect the most valuable intellectual property and sensitive data, organizations can limit the damage.
“It’s time to double down and give the job of securing valuable data the resources it needs,” said Jean Taggart, senior security researcher at Malwarebytes Labs, research arm of the anti-malware developer, in an interview.
Those resources must include automation. Relying on humans – who can too easily forget, change jobs, or make errors – can result in the type of situation that just occurred at the Internal Revenue Service, where most security recommendations were not implemented, said Kausik.
“At the end of the day, insiders must have access to and handle sensitive information. And insiders are human; relying on best practices is relying on humans not to make mistakes,” he said. “Technology is a better answer – to automate things that humans must do. Organizations must assume that humans will make mistakes and design security technologies that limit the damage from those mistakes.”
Well-trained security analysts must monitor these tools, said Taggart.
“Breaking up the records into smaller parts that are encrypted with salted hashes, and having access to [that] data vigilantly monitored, is the bare minimum required to mitigate these types of data breaches,” he said. “Anomalous traffic monitoring, data exfiltration monitoring, intrusion detection systems all should be deployed, but more importantly, properly trained security staff should be looking at the logs these solutions generate.”
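The exfiltration monitoring Taggart refers to is, at its simplest, a comparison of each host's current outbound volume against its own recent baseline, plus a check for destinations the host has never talked to before. The script below is an added example written for this article, not code from Bitglass, Malwarebytes, or any product the interviewees describe. Its input is a constructed set of per-day flow summaries (not real traffic), the day labels are assumed to sort chronologically as strings, and the flagging ratio and the absolute threshold for hosts with no history are illustrative values an analyst would tune to their own environment.

```python
"""Baseline-deviation check for outbound data volume over constructed flow logs.

Flags hosts whose outbound bytes on a given day far exceed the median of their
earlier days, and lists destinations first contacted on that day.  Written as
an illustration for this article; the log format and thresholds are assumptions.
"""
from collections import defaultdict
from statistics import median

# Constructed sample records, one outbound flow summary per line (not real data):
#   <day> <source host> <destination> <bytes sent>
SAMPLE_LOG = """\
day1 ws-042 cdn.example.net 1800000
day1 ws-042 mail.example.com 420000
day2 ws-042 cdn.example.net 2100000
day2 ws-042 mail.example.com 390000
day3 ws-042 cdn.example.net 1950000
day3 ws-042 mail.example.com 410000
day4 ws-042 cdn.example.net 2000000
day4 ws-042 mail.example.com 400000
day5 ws-042 cdn.example.net 1900000
day5 ws-042 paste.example.org 950000000
day1 ws-017 cdn.example.net 2500000
day2 ws-017 cdn.example.net 2600000
day3 ws-017 cdn.example.net 2400000
day4 ws-017 cdn.example.net 2700000
day5 ws-017 cdn.example.net 2550000
"""


def parse_log(text):
    """Parse the constructed flow summaries into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        day, host, dst, nbytes = parts
        records.append({"day": day, "host": host, "dst": dst, "bytes": int(nbytes)})
    return records


def per_host_daily_totals(records):
    """Sum outbound bytes per host per day: {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        totals[r["host"]][r["day"]] += r["bytes"]
    return totals


def find_exfil_candidates(records, current_day, ratio=5.0, new_host_threshold=100_000_000):
    """Return hosts whose outbound volume on current_day is anomalous.

    A host with history is flagged when its current total is at least `ratio`
    times the median of its earlier daily totals.  A host with no earlier days
    (nothing to baseline against) is flagged only if it sends more than
    `new_host_threshold` bytes outright.  Day labels are assumed to sort
    chronologically as strings (real logs would use timestamps).
    """
    totals = per_host_daily_totals(records)
    seen_before = defaultdict(set)   # destinations each host contacted on earlier days
    for r in records:
        if r["day"] < current_day:
            seen_before[r["host"]].add(r["dst"])

    findings = []
    for host in sorted(totals):
        days = totals[host]
        if current_day not in days:
            continue
        current = days[current_day]
        history = [b for d, b in days.items() if d < current_day]
        today_dsts = {r["dst"] for r in records if r["host"] == host and r["day"] == current_day}
        new_dsts = sorted(today_dsts - seen_before[host])

        if history:
            baseline = median(history)
            if current < ratio * baseline:
                continue
            deviation = round(current / baseline, 1)
        else:
            baseline = None
            deviation = None
            if current < new_host_threshold:
                continue

        findings.append({
            "host": host,
            "day": current_day,
            "current_bytes": current,
            "baseline_bytes": baseline,
            "ratio": deviation,
            "new_destinations": new_dsts,
        })
    return findings


if __name__ == "__main__":
    for f in find_exfil_candidates(parse_log(SAMPLE_LOG), "day5"):
        print(f)
```

Run against the constructed log, the check flags ws-042 on day5, whose total is roughly 400 times its prior median and which contacted paste.example.org for the first time, while ws-017 stays within its baseline. The finding is a lead for the trained analyst Taggart describes, not a verdict: a large upload to a new destination is just as consistent with a sanctioned backup as with theft, so the point of the tool is to put the right log lines in front of a human quickly.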
Ongoing user education is vital to protect organizations from both new and old hacker tactics. After all, social engineering often provides an entry point to malware.
“Educating the user is critically important. Awareness courses, simulated phishing campaigns, and sanctioned penetration tests will help identify where defenses should be shored up,” said Taggart. “The trick to educating your users against social engineering techniques is to make sure that they don’t feel victimized if they fall prey to these techniques as part of a sanctioned assessment. A user who has fallen for a phishing email and has had an awareness course as a result is much more likely to spot a real phishing attempt when it presents itself in his or her inbox.”
Source: Enterprise Tech