It was January 2012. Zappos, an online shoe and apparel shop, was hacked. USA Today opened its story: “Hackers were able to access Zappos customers’ names, e-mail addresses, addresses, phone numbers, the last four digits of credit card numbers and cryptically scrambled passwords.”
“For the untrained eye it reads like a breach, but for the trained eye, you go and ask, ‘Why would anyone take the last four digits of a credit card?’” said Tsion Gonen, chief strategy officer at SafeNet. “The answer, by the way, is that the other 12 were encrypted. They actually took 16 digits. There’s just nothing to do with the first 12. And this is a great example of a great securing-the-breach type technology and mentality.”
For an online retailer, a breach can be deadly. Losing credit card information is a mess for both the business and its customers, and with competitors only a click away, the danger of someone deciding never to use your service again is quite real. Chances are that at some point you will be breached. When that happens, make sure it’s done securely.
“Encryption is what I refer to as the get-out-of-jail-free card when it comes to privacy and security. It’s that important,” said Rob Scott, managing partner of Scott & Scott LLP. “The number one thing you can do as a company is to make sure that your data remains encrypted.”
So far in this series we’ve learned a few things: everyone, from executives to IT people, is confused, and many attacks are easily avoidable through basic breach-prevention technologies. But a shift is underway in cybersecurity, and has been for some time. The focal point is slowly moving away from breach prevention alone towards a new middle ground: slow the attackers down as best you can, but when you’re breached, be ready.
Protect Your Children
“Nobody thinks that you can really prevent unauthorized access to information,” Gonen said. “You can slow it down. You can make it harder. I think that the industry has come to this place where they totally understand that breach prevention, as a sole strategy from an investment perspective, is not going to work, or it’s going to work, but it will take you only so far.”
It’s analogous to burglary, Gonen said: If no one’s home and someone breaks in, I’m not that concerned. If I’m alone in the house and someone breaks in – a little more concerned, but not really. If I’m in the house with my kids, now I’m getting really concerned. If we’re all in the house and they break into my kid’s room – that’s where I freak out.
“There are different levels of what matters,” Gonen said. It’s the key data, the kids’ rooms, that needs protection, not just the house in general. “What you would read is someone went into the database and took everything that was there. Someone went into a file server and took the finance shared folder. There are different repositories. The kids’ rooms are not all over the place. They’re in certain places.”
There’s also the issue of who has access. Not all breaches are from the outside. Oftentimes the most dangerous ones can come from within.
“You have the issue of contractors, vendors that have been granted access to data and information that’s necessary for them to get their job done, but you don’t necessarily know the background of the specific individual that is doing the work,” said Robert Fitzgerald, President of The Lorenzi Group, a digital forensics company. “It’s easier to hit any size company by going after their vendors or small support staff than it is by going after any company direct.”
Think of PRISM whistle-blower Edward Snowden to get a sense of the potential dangers businesses face: a vendor with not just keys to the house, but direct access to all the kids’ rooms.
Shift in Focus
“I love to talk about continuous monitoring because it’s such a simple concept that when people finally realize what the hell I’m talking about, they go, ‘Gah, we’re so dumb!’” Fitzgerald said. “It’s the change in behavior that raises the yellow and sometimes even red flags to say, hey, what’s going on here.”
The primary goal is still to keep unauthorized users out, but by watching the data, by keeping an eye on the kids’ rooms, you can look for anything unusual: who is accessing those critical files, how often they do so, and whether those files are being copied. As Fitzgerald says, “Any time there’s an anomaly, just look into it.”
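The kind of continuous monitoring Fitzgerald describes comes down to a few checks over a file-access audit trail. The Go program below is an added example, not code from the article or from The Lorenzi Group: it reads a constructed audit log (the line format, the `/finance/` share, the user names and the thresholds are all assumptions made for the illustration), treats the finance share as a “kids’ room”, and raises a flag when someone outside the expected set touches it, when a sensitive file is copied, or when one account reads more files in a minute than the baseline allows. Events are assumed to arrive in time order.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample audit log (not from the article): one access per line as
// "<RFC3339 timestamp> <user> <action> <path>", already in time order.
const SampleLog = `2012-01-10T09:02:11Z alice READ /finance/q4-forecast.xlsx
2012-01-10T09:05:40Z alice READ /finance/payroll.xlsx
2012-01-10T09:06:02Z bob READ /eng/design.doc
2012-01-10T22:14:05Z contractor7 READ /finance/payroll.xlsx
2012-01-10T22:14:09Z contractor7 READ /finance/q4-forecast.xlsx
2012-01-10T22:14:12Z contractor7 READ /finance/bank-accounts.xlsx
2012-01-10T22:14:20Z contractor7 COPY /finance/payroll.xlsx
2012-01-10T22:14:25Z contractor7 READ /finance/vendors.xlsx
2012-01-10T22:14:31Z contractor7 READ /finance/budget.xlsx`

type Event struct {
	Time   time.Time
	User   string
	Action string
	Path   string
}

// Policy describes one "kids' room": which path prefix is sensitive, who is
// expected there, and how many accesses per window count as normal.
type Policy struct {
	SensitivePrefix string
	AllowedUsers    map[string]bool
	MaxPerWindow    int
	Window          time.Duration
}

func ParseLog(raw string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %v", line, err)
		}
		events = append(events, Event{Time: ts, User: f[1], Action: f[2], Path: f[3]})
	}
	return events, nil
}

// Detect walks the events once and raises three kinds of flag on the sensitive
// share: an unexpected user (once per user), a COPY of a sensitive file, and a
// burst of more than MaxPerWindow accesses inside Window (once per user).
func Detect(events []Event, p Policy) []string {
	var alerts []string
	userFlagged := map[string]bool{}
	burstFlagged := map[string]bool{}
	recent := map[string][]time.Time{} // per-user sliding window of access times
	for _, e := range events {
		if !strings.HasPrefix(e.Path, p.SensitivePrefix) {
			continue
		}
		if !p.AllowedUsers[e.User] && !userFlagged[e.User] {
			userFlagged[e.User] = true
			alerts = append(alerts, fmt.Sprintf("unexpected user %s touched %s at %s",
				e.User, e.Path, e.Time.Format(time.RFC3339)))
		}
		if e.Action == "COPY" {
			alerts = append(alerts, fmt.Sprintf("copy of sensitive file %s by %s", e.Path, e.User))
		}
		cutoff := e.Time.Add(-p.Window)
		win := recent[e.User]
		for len(win) > 0 && win[0].Before(cutoff) { // drop accesses older than the window
			win = win[1:]
		}
		win = append(win, e.Time)
		recent[e.User] = win
		if len(win) > p.MaxPerWindow && !burstFlagged[e.User] {
			burstFlagged[e.User] = true
			alerts = append(alerts, fmt.Sprintf("burst: %s accessed %d sensitive files within %s",
				e.User, len(win), p.Window))
		}
	}
	return alerts
}

// RunSample applies an assumed finance-share policy to the constructed log.
func RunSample() ([]string, error) {
	events, err := ParseLog(SampleLog)
	if err != nil {
		return nil, err
	}
	p := Policy{SensitivePrefix: "/finance/", AllowedUsers: map[string]bool{"alice": true, "cfo": true},
		MaxPerWindow: 4, Window: time.Minute}
	return Detect(events, p), nil
}

func main() {
	alerts, err := RunSample()
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Println(a)
	}
}
```

On the constructed log, alice’s two daytime reads produce nothing, bob never touches the share, and contractor7 trips all three checks: an unexpected account, a copy of the payroll file, and five reads inside a minute. The point is that none of these rules needs a $2 million product; they need the audit trail to exist and someone to decide, per repository, what normal looks like.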
Gonen said SafeNet’s “Secure the Breach” philosophy is based around three things:
- Situational awareness: Understanding what you can potentially lose (what are your kids’ rooms)
- When something is taken, make sure it’s worthless (think encrypting credit card numbers)
- Mitigation technologies: when someone or something gets in, quarantine them and get them out of the system
“People think, ‘Oh my god it’s a $10 million dollar solution what am I going to do.’” Fitzgerald said. “This stuff doesn’t have to be super expensive. It doesn’t have to be a $2 million solution. In most cases it can be a very, very cost efficient solution. In fact we’ve seen it with some clients that we’ve advised, some people that we’ve consulted with to build their own systems or whatever, getting it down to $1 or $2 a day per employee.”
“Now the question is, okay, once you’ve invested enough or made it harder on the breach-prevention side, what are you going to do post breach prevention?” Gonen said. “Today the market is not balanced. There’s way more money invested in breach-prevention technologies because that’s what people understand and know. That’s where the blueprint exists.”
And that shift is slowly taking place. These technologies can also go a long way towards preventing every business’s worst nightmare: the long-term breach, the next part in this series.