Detection and Prevention: The art of the attack

Detection and Prevention

It seems that every week another substantial data breach is announced. Personal data such as Social Security Numbers, credit card information, and even Protected Health Information (PHI) is routinely taken by attackers. The FBI has reported that the average time attackers operate undetected within a victim network (the "dwell time") is 176 days. Corporate Information Technologies (CIT) has found that most of its new InfoSec engagements are consistent with that figure. A good defense, including firewalls, anti-malware, anti-virus, anti-rootkit, and strong administrative computer policies, is no longer enough on its own to detect or stop a skilled and well-equipped adversary. Focusing on detection, both at the network perimeter and on internal systems, is becoming an imperative as an organization's Information Security policies adapt to modern threats.

This week Banner Health reported a substantial data breach affecting a yet-to-be-disclosed number of systems holding PHI and PII. According to the company, it was notified on 7 July 2016 that attackers had accessed computer systems that process payment card data at some of its food and beverage outlets. That data is strictly controlled under PCI compliance requirements, with which Banner Health reports it was fully compliant at the time.

Six days later, the company discovered that cyber attackers may also have gained access to information stored on some of its core servers.

“We immediately launched an investigation, hired a leading forensics firm, took steps to block the cyber attackers, and contacted law enforcement,” the company said in a public statement. “The investigation revealed that the attack was initiated on 17 June 2016.” For those playing along at home, that is over three weeks of dwell time during which attackers operated within Banner's networks without detection. Imagine what an attacker could learn about your business with unfettered access to your computer systems for that long. For most organizations the honest answer is “a damaging amount”.

CIT has invested heavily in the areas of detection, prevention, and training. Treating each of these as a pillar of a well-balanced Information Security policy provides the interdependent relationships needed to combat current threats. In recent history, InfoSec teams, CISOs, and IT Directors have focused almost entirely on prevention, that is, on defending against attackers. The mindset was that keeping the bad guys out of the systems meant little effort had to be spent securing internal systems: essentially a castle-and-moat defense. That strategy was largely effective for decades, and rightfully so. The tide has turned because of the hugely interconnected nature of modern IT systems, and so must the strategy used to protect business information assets. It is CIT's opinion that detection must be central to an effective InfoSec policy. Delays in detection also mean that attackers may use the data they gain during their dwell time to commit other crimes before the victim business, or the third parties affected by the breach, are notified and able to take precautionary measures.

Banner Health has begun sending letters to all patients, members of its health plan, beneficiaries of its employee benefits plan, and customers of its food outlets. It is doing so in accordance with US mandatory breach notification requirements; similar requirements are soon to be introduced in Europe through new data protection and network and information security legislation. The work done by US legal teams to implement such mandatory notification laws is exemplary. But consider for a moment that the notification process began seven weeks after the data is believed to have been compromised. That is well over 30 days for the attackers to use (or, more likely, sell) the compromised data and to inflict potential financial ruin through identity theft or other fraud on a totally unsuspecting population of Banner's clients and patients. Factor in that the company expects the notification process to run through early September, and some of those affected will not be told of the risk to their identity and finances until up to 12 weeks after the breach occurred.

This is just one of many examples that could be used to illustrate the point. Simply put, the role of InfoSec must expand to embrace the idea that the castle walls are likely to be breached at some point. The sooner that we, those tasked with safeguarding business information assets, know about nefarious or unusual behavior inside the protected space, the sooner we can arrest it.

CIT provides many solutions for this, including overlapping methods of detection that use behavioral controls, end-user testing and training, integrated Security Information and Event Management (SIEM), and cross-correlated global threat identification systems. If you are responsible for securing information assets or business technology systems, please get in touch with us to learn what the state of the industry is for this critical area. The attackers already know, and are using it to perpetrate their crimes.