With the recent news of huge conglomerates such as HBO and Equifax suffering from cyber attacks, companies are heavily arming themselves against the threat of a hack. However, these recent hacks highlight the continuing difficulty of protecting against them. If someone wants to get in, they’ll usually find a way.
Cyber security protection has traditionally meant investing in protecting a network and its assets, assuming you can avoid the worst. Yet as history is showing us, it’s now about how you respond and recover, on top of the traditional protective approaches.
Truth is, companies can prepare as much as they like, but today there are so many cyber-attack vectors that it’s virtually impossible to anticipate all of them. The most common types of attacks include malware, phishing, theft of credentials, Denial of Service (DoS) and web application vulnerabilities.
But, possibly the most common weakness is where attackers take advantage of the human element of an organisation through social engineering. This is where attackers might infiltrate the physical headquarters of a company, sweet-talking their way past reception, or pretending to be a worker and stealing data, or sending malicious links around the office pretending to be the CFO.
Where there’s a will, there’s a way. Businesses need to be prepared for any eventuality.
The implications of the Equifax hack
The Equifax incident has potentially devastating implications, more so than a few leaked episodes and emails like what we saw happen with HBO. We are dealing with 143 million stolen personal records. Equifax is one of the three major credit reporting agencies in the U.S., which means it holds some of the most sensitive consumer data, including names, birthdates, addresses, credit card numbers and social security numbers. The fact that the one place where personal information is supposed to be safe falls under an attack like this makes people question whether their information is safe anywhere at all.
Equifax will have to spend a lot of money to fix the issue, which will potentially include adopting completely new credit monitoring software, as well as the cost of legal fees and potential lawsuits.
Its biggest concern is likely the potential damage to reputation, which could result in even greater revenue losses down the track. In fact, its shares went down 32% from the day before the attack, at $142, to $96 on the 20th September.
Reputation with stakeholders, advertisers and employees is at risk, and it doesn’t help that three Equifax managers sold shares in the company, worth $1.8 million, only days before the hack was revealed to the public. If the leadership team doesn’t have faith in the company, how can stakeholders be expected to?
The comprehensiveness and effectiveness of the Equifax security capability is questionable. The attackers exploited a well-known Apache Struts vulnerability, for which a patch had been available since March 2017. Further evidence arose that an Equifax web portal was secured by just about the worst username and password combination possible: admin and admin. Patch management, changing vendor default passwords and the use of multifactor authentication for administration interfaces (or not publishing them to the internet in the first instance) are all basic controls included in any governance framework or industry standard. What was happening at Equifax?
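The four basic controls named above (patching, vendor default credentials, multifactor authentication, and keeping administration interfaces off the internet) are exactly the kind of thing a configuration review checks mechanically. The script below is an added example, not code from the article or from Sense of Security: it audits a constructed inventory of administration interfaces against those controls. The software name, version numbers, "minimum patched version" table and credential pairs are all placeholders chosen for illustration, not real Struts or Equifax data.

```python
"""Audit administration interfaces against four basic controls:
patch level, vendor default credentials, MFA, and internet exposure.

Added example with a constructed inventory; every name, version and
credential below is a placeholder, not data from any real environment.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed list of common vendor default credential pairs (assumption).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
}

# Constructed "minimum patched version" table; the framework name and the
# version numbers are placeholders, not a real product or advisory.
MIN_PATCHED_VERSION: Dict[str, Tuple[int, ...]] = {
    "example-webframework": (2, 3, 32),
}


@dataclass
class AdminInterface:
    """One row of the configuration-review inventory (constructed)."""
    name: str
    software: str
    version: str
    username: str
    password: str
    mfa_enabled: bool
    internet_exposed: bool


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.3.30' into (2, 3, 30) so versions compare numerically.

    A plain string comparison would wrongly rank '2.10.0' below '2.9.9'.
    """
    return tuple(int(part) for part in version.split("."))


def audit_interface(iface: AdminInterface) -> List[str]:
    """Return a list of control failures for one interface (empty = pass)."""
    findings: List[str] = []

    minimum = MIN_PATCHED_VERSION.get(iface.software)
    if minimum is not None and parse_version(iface.version) < minimum:
        findings.append(
            f"unpatched: {iface.software} {iface.version} is below "
            f"{'.'.join(map(str, minimum))}"
        )

    if (iface.username, iface.password) in DEFAULT_CREDENTIALS:
        findings.append("vendor default credentials still in use")

    if not iface.mfa_enabled:
        findings.append("no multifactor authentication on the administration interface")

    if iface.internet_exposed:
        findings.append("administration interface is reachable from the internet")

    return findings


def audit_inventory(interfaces: List[AdminInterface]) -> Dict[str, List[str]]:
    """Audit every interface and key the findings by interface name."""
    return {iface.name: audit_interface(iface) for iface in interfaces}


# Constructed sample inventory: one interface that fails every control,
# one that passes all four.
SAMPLE_INVENTORY = [
    AdminInterface("portal-admin", "example-webframework", "2.3.30",
                   "admin", "admin", mfa_enabled=False, internet_exposed=True),
    AdminInterface("vpn-console", "example-webframework", "2.3.32",
                   "ops-lead", "placeholder-strong-passphrase",
                   mfa_enabled=True, internet_exposed=False),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
```

In a real review the inventory would come from an asset register or a scan rather than a hand-typed list, and the default-credential check would be run by the reviewer against the live login rather than stored passwords; the point of the example is that each of the four controls reduces to a yes/no check that can be run on every administration interface on a schedule, which is how a missing patch or an unchanged default gets caught before an attacker finds it.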
Prepare to react
The lesson to take from this isn’t simply “get better security”. The solution doesn’t just lie in prevention then, but also in reaction. This is where you can get a jump on cyber criminals and put your business in the best position. It’s time to realise it’s inevitable someone can and will hack you.
Of course, nobody is suggesting that you ignore having the best cyber prevention technologies in place – they’re must-haves and beneficial at making the job of breaking in harder. But, companies need to up the ante on detecting and responding to the attacks when they occur, as well as pre-empting them.
Effective Incident Response can make all the difference to the outcome of a serious cyber security incident and prevent serious losses outside of ransom demands.
This will become increasingly important as Australia’s Notifiable Data Breach bill comes into effect in early 2018, when organisations covered under the Privacy Act will have to notify the Privacy Commissioner and their customers of data breaches.
The aim of this is to stop occurrences, such as those with Equifax, whereby the company discovered the intrusion on the 29th July, and chose not to inform the public until a much later date. The company even gave its employees enough time to mitigate their personal losses through the sale of shares, whilst leaving its customers in the dark.
How to strike back
Response to a cyber-attack will vary based on initial assessment of an incident, but the quality of that response will only be as good as the preparation before it happened.
Once an incident strikes, there’s no turning back the clock, which is why it’s critical to act beforehand by devising an Incident Response (IR) strategy that includes communication plans, roadmaps and playbooks. Responding essentially means figuring out what went wrong, what’s missing and ensuring it doesn’t happen again.
When it comes to reducing the likelihood of an incident, this is where adopting services such as compliance auditing, detailed configuration reviews (host security assessment), vulnerability assessments and penetration tests are critical.
Another way to find specific flaws in an organisation’s cyber security is through conducting a Red Teaming exercise. This involves engaging an outside agency who will purposely attempt to hack the company’s systems.
It’s a real-life cyber-attack, but in a controlled environment, where you know your information is still safe. It will often uncover ways to bypass security controls you may not have thought of and helps IT teams learn how to quickly discover when IT systems are under threat. Even better, it shows the vulnerabilities within the human element of your organisation.
Where the real value lies though is in preparing IT teams for when an attack does occur and how to respond to it. Going through these processes regularly will help your IT security teams fine-tune their responsiveness to a hack, as well as what to do when (not if) it happens.
Despite the best technology and the biggest budgets, unexpected situations still arise. Now more than ever, response has become just as important as protection and detection. Preparation is the secret, and lots of it. Scenario planning, threat modelling and understanding your business objectives are critical in being able to identify and appropriately react to cyber threats.
About the Author:
Jason Edelstein is the CTO and co-founder of Sense of Security, one of Australia’s oldest and most trusted cyber security firms. To see the range of services Sense of Security provides, head to www.senseofsecurity.com.au.