Security MEA speaks to James Lyne, Instructor and Head of R&D at SANS about the high-profile security attacks that have happened globally in the past
Why does it take such a long time (4 years in the case of the Yahoo breach) to identify such a massive data breach?
For those affected by a data breach, it can seem inconceivable that companies do not notify their users within days or at least weeks of the breach happening. However, there are reasons why it can take what seems like an unreasonable length of time to disclose a breach.
Usually it’s because there has been a long delay in even discovering that a breach may have occurred. It can then take considerable time to investigate what happened because a) the technology and processes in place do not make it easy to gather and correlate data, and b) security is still rarely considered a top priority by senior management teams.
It is not until a company has a big breach that it realises its technology and processes are inadequate, or the Board suddenly becomes very involved in IT security issues. In addition, the requirements for notifying users of a breach vary from state to state in the US and differ again from Europe and other parts of the world.
In Yahoo’s case, it said that law enforcement provided the company with information only a month before the extent of the breach was announced which they then analysed before determining it was in fact Yahoo user data.
What do companies and security services companies need to do to make sure such data breaches are identified as soon as they happen?
In spite of increasingly sophisticated tools, every IT security officer knows that it’s probably only a matter of time before their company experiences a data breach, whether it be large or small. And if there is a breach it can often go undetected for a long time.
Nothing can fully prepare you for a breach but there are steps that companies can put in place to make sure they are ready for a breach.
This includes providing training for both those who will have to deal with the after-effects of a breach and for users to decrease the risk of one in the first place. In addition, new technologies using machine learning and AI are enabling organizations to cut down the time it takes to detect and analyse attacks, and technologies like predictive analytics could help companies to predict their next attack before it’s too late.
Why isn’t encryption still a norm in the industry? Why is sensitive data still being handled as plain text?
Encryption, properly deployed alongside a full suite of IT security technologies, should provide a last barrier to protect data but it is still low down on the list of many organisations when it comes to cyber security.
The growing barrage of news of hacks and breaches is slowly changing this but even when encryption is in place companies may have chosen the wrong solution for their needs or incorrectly implemented it. Therefore, even if data is encrypted it doesn’t always mean data is safe.
When hackers break into data stores and steal huge amounts of IDs and passwords, companies often trumpet the fact that the data was “encrypted” – but there are different levels of encryption, and once leaked, cybercriminals will use specialized software to extract data if it is not sufficiently protected. It’s important companies take advice on the correction solution for them.
As was the case with Yahoo, criminals often have months or even years to run specialized software and decrypt the encrypted data. If they are determined, and lucky, they’ll break in, no matter how strong user passwords might be. That means it’s doubly important for users to change passwords if they are reused elsewhere.
What do companies need to do to keep such data breaches at bay?
There are two aspects to this- prevention, and detection and remediation. Firstly, organizations should build a comprehensive defensive strategy through the use of solutions like next-generation firewalls, advanced threat protection and data leakage prevention (DLP technologies).
They must also address the ‘human factor’ and ensure that employees are made aware of corporate cyber security policies. This can be achieved by implementing employee awareness and training programs.
Organizations must then have a clear plan for how they would react if they suffer a data breach. Unfortunately, even the best cyber security investments cannot guarantee 100% protection so companies must be able to rapidly detect and address breaches. This means implementing powerful monitoring solutions as well as digital forensics.