Aug 13, 2015

What can be learned from past security hacks?

When a high profile company is hacked, what's the best way to look at that experience and break it down in order to improve my company's risk profile?
Related reading at

What CIOs can learn about security threats from 4 recent hacks

This covers 4 hacks:
Office of Personnel Management (OPM)
St. Louis Cardinals hacking the Houston Astros
Ransomware resume phishing
CEO money transfer spoof

Tip on phishing attacks: (excerpted)

There is ultimately one main solution to a phishing attack, which is to constantly educate employees. There are always new attacks. The education should involve phishing tests where employees have to make the right decision (such as not clicking a link or not responding). If they fail the test, the company needs to do additional training.

- Caleb Barlow, vice president of security at IBM

One thing that can be a challenge is the tendency to fight the last battle instead of preparing for the next one. For example, Sony had millions of users' data compromised in a well-publicised breach in 2012. It responded by taking a number of steps to prevent the same thing happening again. That's good, but if a company stops there it's not good enough.

Also, a company has to share what it learns from one breach with all the divisions/departments within itself. Because Sony has a very siloed structure, the Sony Pictures division learned nothing from SCE's unfortunate (and very costly) experience, and they had another huge data breach in that division. There have to be some procedures in place to share information across the company to improve security - each division can't act as its own fiefdom and effectively collaborate on security solutions.

Great read over at Computerworld on this topic by security expert Ira Winkler.

6 reasons why there will be another OPM-style hack

On this topic, excerpted from the article, he says:

We fail to learn from past hacks

Sure, I’m overstating the case. But while there definitely are some astute organizations with strong security programs, most organizations are not incorporating threat intelligence into their security programs, or at least not constantly updating their systems to ward off new types of attack.

Most tellingly, the White House only a couple of weeks ago ordered all federal agencies to implement basic security measures. The fact that this had to be directed in 2015, after decades of hacks into government agencies, is outrageous. How many hacks has it taken for the government to do the very least that should be done? And having to play catch-up at this late date means that the most up-to-date countermeasures will have to wait. How many more hacks will we see before then?