Dan Raywood has a piece in SC Magazine about how long it takes to detect breaches:
Companies are still failing to detect data breaches and hacking incidents, with outsiders getting access and sitting on the corporate network for up to two years in some cases.
According to the Trustwave 2013 global security report, organisations fail to detect attacks and breaches, and EMEA Trustwave SpiderLabs director John Yeo said that this ‘exacerbates the data breach’. He said: “This is the point where an intrusion leads to a data breach; our investigation found that sometimes, attackers spent two years living in the environment and exposing data records.”
Read more on SC Magazine.
I wonder how/whether the Trustwave and Verizon DBIR findings might be used in the lawsuit naming Trustwave for their role in the South Carolina Department of Revenue breach. The court is currently considering dismissing them as a defendant. Their findings might also be relevant should they be sued for their role in the more recent Jetro/Restaurant Depot breach.
As always, I guess we’ll have to wait to see.
This is another great FAIL when it comes to security. Someone in the realm of business deems that security doesn’t matter – and that the god almighty dollar (of any type) does. In the LONG run, it’s the company’s fault. BUT if there is a senior security individual still there who had a place in making the security decisions, then they ought to be brought forward and asked why they failed.
You see, making the security folks’ names shine in the limelight may make the ones who are only there for the money cringe. They know who they are. They point fingers at the company and say the company isn’t taking security seriously. It’s hogwash. You need 1) people skills, 2) technical skills, 3) leadership & management skills and 4) common sense. All four DO apply.
There is a serious lack of professional security folks out there. One reason is that the company would rather pay for a lesser qualified individual and cross their fingers and HOPE they don’t get breached. The ole saying does apply – you get what you pay for.
Sure, you can bring in a person who is a hard worker and they may fit the security hat, but that usually means that hat will spawn other hats, and before you know it the person is overworked, underpaid and may eventually leave – or worse – blend in with the rest of the crew.
Breaches CAN be halted before they even have a chance to occur. It doesn’t take much. It REQUIRES the person in charge of security to do their JOB. Semi-annual and new-hire social engineering awareness training, password enforcement policies, all workstations and servers patched at LEAST on a monthly basis and some sort of IDS / IPS (Intrusion Detection / Prevention System). There are a ton of FREE security platforms that work well AND offer some sort of alert should someone be mucking around in a place they should not be.
Limiting admin access on the network means less of a chance that, if someone’s account gets hijacked or compromised, it will lead to a breach.
It also doesn’t take much thinking to create a network based on rings of trust. Separate your critical machines from your everyday ones. Place them on separate networks, and require separate usernames and passwords to log on to critical devices.
Tasks like this aren’t hard. It requires motivation, enthusiasm and pride. It’s crazy to think how much it could potentially cost in fines, lawyers, credit monitoring, consulting fees and everything else that comes with a breach. All it takes is squashing that risk and anteing up for a security professional who does his job. There are many out there who have certifications, and it’s about time the businesses realize that they too could be next in line for a breach.
Whoever is willing to accept this sort of immature and irresponsible way of doing business should NOT be in the business in the first place.
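The commenter above lists three controls that work together: admin accounts limited to what they must touch, critical machines on their own network ring with separate credentials, and an IDS-style alert when someone is in a place they should not be. The following Python script is an added example of how those rules can be checked against authentication logs; it is not code from the original post, from the commenter, or from Trustwave. The subnets (10.10.0.0/24 as the critical ring, 10.20.0.0/16 for workstations), the admin account names, the `user=… src=… dst=… result=…` log format and the sample log lines are all constructed for illustration.

```python
"""Rings-of-trust logon checker (illustrative, constructed data).

Three rules modelled on the controls discussed above:
  ring-violation         an everyday account logged on to a critical host
  credential-reuse       a dedicated critical-ring admin account was used
                         outside the critical ring (separate credentials
                         are only separate if they never cross the ring)
  brute-force /          repeated failures against one host, and a success
  success-after-failures that follows them (someone "mucking around")
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical network rings: critical servers on their own subnet,
# everyday workstations on a larger one.  Both are assumed values.
ZONES = {
    "critical": ipaddress.ip_network("10.10.0.0/24"),
    "workstations": ipaddress.ip_network("10.20.0.0/16"),
}

# Hypothetical dedicated admin identities allowed on critical hosts.
CRITICAL_ADMINS = {"adm-jsmith", "adm-kdoe"}

# Number of failed logons to one host by one account before alerting.
FAIL_THRESHOLD = 3

# Constructed sample log, not real data.  One logon event per line.
SAMPLE_LOG = """\
2013-02-21T09:58:02 user=jsmith src=10.20.4.17 dst=10.20.4.17 result=success
2013-02-21T10:02:11 user=jsmith src=10.20.4.17 dst=10.10.0.5 result=success
2013-02-21T10:05:40 user=adm-jsmith src=10.20.4.17 dst=10.10.0.5 result=success
2013-02-21T10:07:13 user=adm-kdoe src=10.20.4.17 dst=10.20.9.3 result=success
2013-02-21T10:09:01 user=svc-backup src=10.20.77.8 dst=10.10.0.7 result=failure
2013-02-21T10:09:03 user=svc-backup src=10.20.77.8 dst=10.10.0.7 result=failure
2013-02-21T10:09:05 user=svc-backup src=10.20.77.8 dst=10.10.0.7 result=failure
2013-02-21T10:09:07 user=svc-backup src=10.20.77.8 dst=10.10.0.7 result=success
"""


@dataclass
class Event:
    ts: str
    user: str
    src: str
    dst: str
    result: str


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into an Event."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return Event(ts, fields["user"], fields["src"], fields["dst"], fields["result"])


def zone_of(ip):
    """Name of the ring an address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def analyse(log_text):
    """Run the three rules over a log; return (kind, ts, detail) tuples."""
    alerts = []
    failures = {}  # (user, dst) -> consecutive failure count
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        key = (ev.user, ev.dst)
        if ev.result == "failure":
            failures[key] = failures.get(key, 0) + 1
            if failures[key] == FAIL_THRESHOLD:
                alerts.append(("brute-force", ev.ts,
                               f"{failures[key]} failed logons by {ev.user} to {ev.dst} from {ev.src}"))
            continue
        # Successful logon: check it against the rings.
        if failures.get(key, 0) >= FAIL_THRESHOLD:
            alerts.append(("success-after-failures", ev.ts,
                           f"{ev.user} succeeded on {ev.dst} after {failures[key]} failures"))
        if zone_of(ev.dst) == "critical" and ev.user not in CRITICAL_ADMINS:
            alerts.append(("ring-violation", ev.ts,
                           f"everyday account {ev.user} logged on to critical host {ev.dst}"))
        if ev.user in CRITICAL_ADMINS and zone_of(ev.dst) != "critical":
            alerts.append(("credential-reuse", ev.ts,
                           f"critical admin {ev.user} used on {zone_of(ev.dst)} host {ev.dst}"))
    return alerts


if __name__ == "__main__":
    for kind, ts, detail in analyse(SAMPLE_LOG):
        print(f"{ts} [{kind}] {detail}")
```

On the constructed log this raises five alerts: jsmith reaching a critical host with an everyday account, adm-kdoe's critical-ring credential being used on a workstation, three failed logons by svc-backup to 10.10.0.7, and then the success that followed them (which is also a ring violation). The point of the example is that none of these rules need a commercial product; they need the rings to exist and the logs to be read.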