6 breaches: Lessons, reminders, and potential ways to prevent them

Though all vastly different in scale and impact, the breaches at the Office of Personnel Management (OPM), Sally Beauty Supply, Starbucks, Anthem, Adult Friend Finder, and Penn State teach valuable lessons and reminders about security vulnerabilities and the need to do more to protect against attackers.

When data has been stolen, the breached organizations are in the spotlight. As they try to do damage control, those who have yet to fall victim to invasion wonder how they can avoid future public scrutiny.

"A lot of these breaches don't teach us, they remind us of things. There are few novel things in breaches. Most breaches are same old, same old: security is poor," said Jonathan Sander, strategy and research officer at STEALTHBits Technologies.

Sander also noted, "From a PR perspective, security is a losing game. No one will ever congratulate you for prevention, but everyone will flog you for failure." In order to barricade themselves during flogging, organizations queue the protocols, drop the blinds, and close the gates once they've been breached.

I reached out to several companies who have recently been breached, and repeatedly I received a kind note explaining that no one was available to speak to me. It felt like one of those dark family secrets that everybody knows about but no one will actually discuss.

Corporations are no different from families when it comes to protecting their reputations. To their credit, several of those recently breached are taking all the right steps. Penn State, Sally Beauty Holdings, Adult Friend Finder, and Anthem have all posted press releases outlining their responses to the attacks, which include bringing in third-party forensics and legal counsel.

If the scope and depth of the OPM breach confirms anything about information security, "It reminds us that any time documents flow back and forth, you have a very heightened risk that demands special attention," Sander said.

Starbucks serves as a stark reminder that end users don't protect their passwords. "In the case of Starbucks, the hackers got known password and email combinations," said Sander. If people are using the same password on a silly chat site as they use for their bank, they are making their accounts vulnerable.

"Users treat security of their own data haphazardly. Users need to take responsibility," Sander said.

Human error on the user end is not the only gateway for criminals to hack into a network, so companies need to focus on risk assessment to effectively plan for prevention, detection, and response. "There is no way to understand all the ways something can be breached," Sander said, "because the ways to be exploited are far greater."

Jeremiah Grossman, founder at WhiteHat Security, said about these six breaches, "Not all the details are available yet, but one thing we've learned is that they were defendable." Organizations need to see these attacks not as a wipe of the brow and "glad it's not me" moment, but as a serious reminder that the criminals are sophisticated.

A key lesson is that companies must understand the value of risk analysis. In order to build the best defense, organizations need to know where their vulnerabilities are. Investing in tools and programs can be a fool's errand if security administrators are only running through a compliance and regulation checklist without a strategy.

"OPM got hacked on a system they didn't know existed. Risk management usually comes after the hack," Grossman said, "so first understand what you are defending, what the threats are, then look at products."

Knowing what they are protecting against is crucial for companies to position themselves for stronger defense, agreed Lamar Bailey, director of security research at Tripwire. "You need to go above and beyond the lowest common denominator to secure your network," said Bailey.

"Product and solutions are great, but don't over-invest in security. First, you have to know how you are integrating them into a security program," said Bailey.

These breaches and others also highlight the malicious intent of criminals. While Starbucks and Sally Beauty Supply seem to be the victims of criminals looking for financial gains, OPM, Anthem, and Penn State prove that some criminals have far more malicious motives.

"OPM was targeted for the rich, single source of federal employee identities. If you target individual federal entities, then you get that entity's information, but if you target OPM, you get the information for all the federal entities," said James Carder, CISO at LogRhythm.

Carder pointed to the weaknesses at the root of many information technology compromises, which include weak access controls and a lack of identity management. "The protection of applications and data using stringent authorization and access controls (identity management) should be a focal point across all federal agencies."

"Identity management is something that the government and most companies do a very poor job at but it is the single element that defeats most security controls today and also the single element that is consistent across anything and everything related to security," said Carder.

But what if everyone were an outsider?

Carder said the most important lesson learned from these breaches is the need to eliminate the element of human error. "There is a crowded cloud environment. Move applications into a locked down infrastructure instead of trying to protect everything. Get rid of the human element," said Carder, who argued that it is possible for organizations to prevent hacks by doing what Google has done with Google BeyondCorp.

In their whitepaper, Rory Ward, site reliability engineering manager, and Betsy Beyer, technical writer specializing in virtualization software for Google SRE, wrote, "The perimeter is no longer just the physical location of the enterprise, and what lies inside the perimeter is no longer a blessed and safe place to host personal computing devices and enterprise applications."

In theory, this rip-and-rebuild approach to protecting data, completely redesigning the infrastructure to eradicate human error, is an ideal; in practice it is a distant goal for most organizations. The reality, said Jeremiah Grossman, is that, "only when a system is built and has value can we examine what works."

While they continue to search for ways to protect and defend their data, organizations need to know that they can survive an attack with little to no damage by installing trip wire policies, like honeytokens, which work like silent alarms, said Grossman.

Grossman likened the function of honeytokens to being granted full access to rob a bank, but with only limited time. "I'm not going to get all the money," he said. Trip wire systems that alert network administrators to suspicious behavior allow for earlier detection, which can stop criminals from accessing everything.
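As an added illustration of the honeytoken idea (not code from the article or from any of the vendors quoted in it), the following Python scans a constructed audit log for planted canary records and groups hits by actor, so a bulk dump of the kind Grossman describes surfaces as a single actor tripping several canaries. The log format, token values and actor names are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Planted honeytokens (constructed values). In practice generate unique,
# realistic-looking ones and keep this list outside the monitored systems.
HONEYTOKENS = {
    "canary.j.ortiz@example.com": "customer-table canary",
    "hr-archive-2013@example.com": "HR export canary",
    "AKIAEXAMPLECANARY000": "unused API key canary",
}

# Constructed log format: "<timestamp> <source> <actor> <free-text message>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<actor>\S+) (?P<msg>.*)$")

# Constructed sample audit trail: one normal query, then three canary touches.
SAMPLE_LOG = [
    "2015-06-10T02:14:07Z db01 svc_reporting SELECT email FROM customers WHERE id=1042",
    "2015-06-10T02:14:09Z db01 svc_reporting SELECT * FROM customers WHERE email='canary.j.ortiz@example.com'",
    "2015-06-10T02:15:30Z api-gw 10.0.8.21 GET /v1/export/hr key=AKIAEXAMPLECANARY000",
    "2015-06-10T02:16:01Z db01 svc_reporting SELECT * FROM hr_export WHERE email='hr-archive-2013@example.com'",
]

def parse_line(line):
    """Split a log line into fields; None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_alerts(lines):
    """One alert per log line that references a planted honeytoken.
    Nothing legitimate ever reads a canary, so every hit fires the silent
    alarm outright; there is no score or threshold to tune."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for token, label in HONEYTOKENS.items():
            if token in rec["msg"]:
                alerts.append({"ts": rec["ts"], "src": rec["src"], "actor": rec["actor"],
                               "token": token, "label": label})
    return alerts

def tokens_by_actor(alerts):
    """Group triggered canaries by actor: one actor hitting several canaries
    in quick succession is the signature of a bulk dump."""
    grouped = defaultdict(set)
    for a in alerts:
        grouped[a["actor"]].add(a["token"])
    return {actor: sorted(toks) for actor, toks in grouped.items()}
```

Feeding real database, API gateway or file-server audit logs into `find_alerts` in place of `SAMPLE_LOG` turns the planted records into the silent alarm the article describes.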

The final lesson, and the most important one, is that there is no shame in being breached. Yes, there are consequences, but there is no magic impenetrable security gate. "If you're out there on the internet you've been breached. The same attacks are going on across multiples. Share information with each other without giving proprietary information to competitors," said Bailey.

Stories by Kacy Zurkus