When Target was breached a little over 24 months ago, it was called the biggest data breach to date. Then there were breaches at Home Depot and JP Morgan Chase followed by Anthem and the landmark event of 2014/2015 with the Sony data breach, an event that prompted the United States to issue sanctions against North Korea. Cyber security suddenly became a topic of discussion at board level and senior executives across industries started to ask questions on whether their organisations were prepared for a cyber-incident.
In an earlier article we explored whether boards were cyber aware or were they were being coached about what it means to be cyber aware. The areas considered ranged from board expertise to media management in the event of a breach.
Considering there has been another landmark cyber breach, this time within the US Government at the Office of Personnel Management (OPM) to the tune of 21 million records stolen (a number which is still being verified and could be higher) these are interesting times for organisations from a data security and breach readiness perspective.
In a recent Senate hearing citation, OPM acknowledged that “the total number of records affected remains unknown -- and may never be known”. This probably resets the baseline, given the enormity of the volume and type of data that has been compromised. Considering this data is personal information on current and ex-government employees including spies and undercover members of the US Government, the fallout and long term implications of this breach remain to be seen.
What is fascinating about the OPM breach is that as more information becomes available, it is becoming evident that OPM has been compromised before. There was a data breach in 2013 where the intruders took enough information to determine the layout of OPM systems, network, and associated applications.
The reason I have raised this earlier breach is that OPM’s response is something that I hear most boards and senior business executives give: "…we did not have a breach in security. There was no information that was lost. We were confident as we worked through this that we would be able to protect the data."
What I find fascinating is that OPM cannot even say we had no idea such an event would occur, considering they had already been breached twice before. Common sense would suggest that the responsible officers would actually ask simple questions like, now this has happened, what are the learnings, how do we make sure it does not happen again, and what would it cost to secure our environment?
If these questions were asked, then it would be interesting to understand what management actions were taken to ensure this did not happen again. It is particularly curious considering the information at risk includes the most intimate details about US public servants, who handle the most highly classified secrets of the United States.
What the cost of the breach was pegged at and how the decision not patch or remediate was justified would be an interesting exercise.
I narrow my discussion to a system perspective because most it’s systems that act as gateways into organisations which are compromised, and most often than not, neglected or systems considered low risk from a breach perspective. Otherwise, breaches occur through web applications that have either not been patched or securely developed.
If we look at attacks and breaches that can be attributed to lack of system patches, this is a staggering 44% according to the HP 2015 Security Research Report. In my opinion this is just unacceptable.
The justification that is often provided for the non-patching of systems for identified vulnerabilities can be summed up in the following five excuses:
- The responsible stakeholders sign off on the risk without having an end-to-end understanding of what the real business risk of not patching their systems is.
- Business cannot afford the downtime as that would impact either a critical production process or more, have an impact on customer services.
- Systems are too old and cannot afford an update to required patch levels.
- The business cannot provide confirmation or do not know how the application will respond as there is no test environment where the patches can be tested.
- The business does not have funding to undertake security patching and associated testing of the applications.
All of these excuses demonstrate a lack of understanding of the compound risk of unpatched vulnerabilities on systems that are ripe for compromise.
Given the numbers of hacks and breaches through 2014 and now 2015 have grown rapidly, it is nothing short of criminal to leave vulnerabilities unpatched on critical internet facing systems where a patch has been available in some instances for almost five years.
The questions boards should be asking are:
- What is the security threat posture of their organization’s internet facing systems and key internal systems, when were these systems last patched or secured and what is the state of open vulnerabilities on these systems?
- What is the end to end controls posture of our organisation? Why is it not presented as a risk metrics report which is linked back to strategy initiatives and threat descriptors?
- What is the risk posture of third parties such as suppliers or partners?
- Do we understand the split between known third parties and shadow IT or cloud enabled services that have access to our network?
- When was the last time our organisation actually ran an end-to-end mock cyber incident and/or data breach exercise to understand the response plans and operating controls that will be initiated not if, but when the data breach incident occurs?
If a board starts with the premise that the organisation will be breached and works on understanding the actions it needs to take when its breached, then the discussion across the business and technology leadership teams becomes about effective mitigation. This is a much better place to be than “…there was a breach and we do not understand the full extent of the compromise”.
This article is brought to you by Enex TestLab, content directors for CSO Australia.