Though all vastly different in scale and impact, the breaches at the Office of Personnel Management (OPM), Sally Beauty Supply, Starbucks, Anthem, Adult Friend Finder, and Penn State teach valuable lessons and reminders about security vulnerabilities and the need to do more to protect against attackers.
When data has been stolen, the breached organizations are in the spotlight. As they try to do damage control, those who have yet to fall victim to invasion wonder how they can avoid future public scrutiny.
"A lot of these breaches don't teach us, they remind us of things. There are few novel things in breaches. Most breaches are same old, same old: security is poor," said Jonathan Sander strategy and research officer at STEALTHBits Technologies.
Sander also noted, "From a PR perspective, security is a losing game. No one will ever congratulate you for prevention, but everyone will flog you for failure." In order to barricade themselves during flogging, organizations queue the protocols, drop the blinds, and close the gates once they've been breached.
I reached out to several companies who have recently been breached, and repeatedly I received a kind note explaining that no one was available to speak to me. It felt like one of those dark family secrets that everybody knows about but no one will actually discuss.
Corporations are no different from families when it comes to protecting their reputations. To their credit, several of those recently breached are taking all the right steps. Penn State, Sally Beauty Holdings, Adult Friend Finder, and Anthem have all posted press releases outlining their responses to the attacks, which include bringing in third party forensics and legal counsel.
If the scope and depth of the OPM breach confirms anything about information security, "It reminds us that any time documents flow back and forth, you have a very heightened risk that demands special attention," Sander said.
Starbucks serves as an imperative reminder that end users don't protect their passwords. "In the case of Starbucks, the hackers got known password and email combinations," said Sander. If people are using the same password on a silly chat site as they use for their bank, they are making their accounts vulnerable.
"Users treat security of their own data haphazardly. Users need to take responsibility," Sander said.
Human error on the user end is not the only gateway for criminals to hack into a network, so companies need to focus on risk assessment to effectively plan for prevention, detection, and response. "There is no way to understand all the ways something can be breached," Sander said, "because the ways to be exploited are far greater."
Jeremiah Grossman, founder at WhiteHat Security, said about these six breaches, "Not all the details are available yet, but one thing we've learned is that they were defendable." Organizations need to see these attacks not as a swipe of the brow and "glad it's not me" moment, but a serious reminder that the criminals are sophisticated.
A lesson of great value is for companies to understand the value of risk analysis. In order to build the best defense, organizations need to know where their vulnerabilities are. Investing in tools and programs can be a fool's errand if security administrators are only running through a compliance and regulation checklist without a strategy.
"OPM got hacked on a system they didn't know existed. Risk management usually comes after the hack," Grossman said, "so first understand what you are defending, what the threats are, then look at products."
Knowing what they are protecting against is crucial for companies to position themselves for stronger defense, agreed Lamar Bailey, director of security research at Tripwire. "You need to go above and beyond the lowest common denominator to secure your network," said Bailey.
"Product and solutions are great, but don't over invest in security. First, you have to know how you are integrating them into a security program," said Bailey.
These breaches and others also highlight the malicious intent of criminals. While Starbucks and Sally Beauty Supply seem to be the victims of criminals looking for financial gains, OPM, Anthem, and Penn State prove that some criminals have far more malicious motives.
"OPM was targeted for the rich, single, source of federal employee identities. If you target individual federal entities, then you get that entity's information, but if you target OPM, you get the information for all the federal entities," said James Carder, CISO at LogRhythm.
Carder pointed out the weaknesses that are the root cause of information technology, which include weak access controls and the need for identity management. "The protection of applications and data using stringent authorization and access controls (identity management) should be a focal point across all federal agencies."
"Identity management is something that the government and most companies do a very poor job at but it is the single element that defeats most security controls today and also the single element that is consistent across anything and everything related to security," said Carder.
But what if everyone were an outsider?
Carder said the most important lesson learned from these breaches is the need to eliminate the element of human error. "There is a crowded cloud environment. Move applications into a locked down infrastructure instead of trying to protect everything. Get rid of the human element," said Carder who argued that it is possible for organizations to prevent hacks by doing what Google has done with Google Beyond Care.
In their whitepaper, Rory Ward, site reliability engineering manager, and Besty Beyer, technical writer specializing in virtualization software for Google SRE, wrote "The perimeter is no longer just the physical location of the enterprise, and what lies inside the perimeter is no longer a blessed and safe place to host personal computing devices and enterprise applications."
In theory, this rip and rebuild approach to protecting data by completely redesigning the infrastructure to eradicate human error is an idealistic goal. The reality, said Jeremiah Grossman, is that, "only when a system is built and has value can we examine what works."
While they continue to search for ways to protect and defend their data, organizations need to know that they can survive an attack with little to no damage by installing trip wire policies, like honeytokens, which work like silent alarms, said Grossman.
Grossman likened the functions of honeytokens to being granted full access to rob a bank with only limited time. "I'm not going to get all the money," he said. Trip wire systems that alert network administrators to suspicious behavior allows for earlier detection which can stop criminals from accessing everything.
The final lesson, and the most important one, is that there is no shame in being breached. Yes, there are consequences, but there is no magic impenetrable security gate. "If you're out there on the internet you've been breached. The same attacks are going on across multiples. Share information with each other without giving proprietary information to competitors," said Bailey.