Security product vendors often say that their products will block malware or trojans from getting into your network. That is slightly misleading. They should say that these products can block malware and trojans. To actually block threats from entering your network they have to be configured properly, and this is one area where you don’t want them deployed by someone who can merely figure it out or fumble through it.
Recently the thermostat in my house stopped working properly. It worked just fine if you wanted air conditioning; if you wanted heat, you were out of luck. Before we knew it was the thermostat we contacted a local heating and air company, figuring it was the heater. We weren’t experts on HVAC systems, but it seemed reasonable that if the heater wouldn’t come on and the AC would, the heater was out. Once they inspected everything we learned it was the thermostat. It took hiring the right people to make that determination and to tell us the proper path to restore heat to the upstairs. I had no idea what to do with a heater.
As an American male I understand the desire to give it a shot myself first. We look at a problem or a situation and our brains immediately go to how we can do it ourselves or with a group of buddies. If there is a tree down in the backyard our first thought is how soon we can get to the store and purchase a chain saw. We have it all worked out in our heads that we need to cut here and there, and we fast forward all the way through the project.
With data security things can’t be done with the same attitude. In the network security field we have to change our approach from reactive to proactive. It isn’t what we will do once the tree falls; it is what we can do to keep the tree from falling.
Most security products are reactionary. They respond to an event based on a signature they already know about. That in and of itself is not difficult for a product to do; firewalls, anti-virus, intrusion prevention, etc. all use this model. Some manufacturers tout their product’s ability to train itself or to learn about emerging threats. This model is also flawed: network security products can be purchased by an attacker, who can then work out fairly easily how to bypass the device. Additionally, the truth is these products do not learn all that quickly.
There is a quest in the network security world to find products that can automatically detect and respond to an attack. When the device or software detects an abnormality in a packet it can perform an action like shutting down the firewall port or disabling the workstation. That sounds so cool on paper. After all, don’t we love automation?
Blindly following the advice of an autonomous product can be a costly venture. One of two things will happen. First, you are putting your trust in a device that can only detect what it knows about. If the device doesn’t know about it, nothing will happen. Think about this from an outsider’s perspective. We know instinctively that Target, Home Depot, K-Mart, and Dairy Queen all had firewalls, AV, and IPS. Yet they were still hacked and data was extracted from their networks. The reason is that the malware was morphed so the typical automatic tools wouldn’t catch it. These attackers knew what they were doing and found a way to beat the system. You can point fingers all day long about whether it was a third party or a failure of this or that…all of that is irrelevant. The tools on the network failed.
The second problem with automation is that the device can overreact. I recall several instances where a client was using a firewall set to detect and block malware on the network. If the device saw strange activity from an internal host it was set to block that host so IT would have to look into the problem. All of that would be great except for the day when they were really busy and the number of DNS requests was legitimately higher. The firewall decided it was malware and blocked the DNS server, stopping all traffic on the network. I could name numerous other cases where an overzealous security product stopped traffic on the network and shut off internet access for everyone. The common reaction is to shut off the security product (a statement typically preceded by a four letter word) and stop using it altogether. Now the network has little to no protection.
An automation-only, reaction-based security model is not the key to safe data and will lead companies down a bad road. I think these products can be used, but only in conjunction with human analysis and in a controlled format: log management, log review, assessments, and training for the entire company. Getting real insight and advice on a network is critical to securing your data. Before submitting your 2015 budgets, take a look at what you are spending on these analytical approaches to security versus what you are spending on the automated tools (firewalls, IPS, AV, IDS, managed security). Automation-only isn’t working for anyone.
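To make the DNS story concrete, here is a small added example (my own illustration, not code from any product or client mentioned above) that runs two policies over constructed DNS query logs. The first is the fixed-threshold, auto-block rule that caused the outage: it blocks the internal forwarder on a busy day and never even notices a workstation suddenly making hundreds of lookups a minute. The second compares each host to its own history and, for hosts on an assumed critical-infrastructure list, only ever raises an alert for a human to review. All addresses, hostnames, baselines and counts are made up for the example.

```python
"""
Added example: two ways to turn DNS query volume into an action.
- static_policy: fixed per-minute threshold, auto-blocks anything over it.
- baseline_policy: compares each host to its own history and never auto-blocks
  hosts on a critical-infrastructure list; those only produce analyst alerts.
All hosts, addresses and counts below are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: per-minute query counts seen for each host on normal days.
BASELINE = {
    "10.0.0.53": [400, 420, 390, 410, 430],   # internal DNS forwarder (assumed critical)
    "10.0.1.17": [5, 4, 6, 5, 5],             # ordinary workstation
}
CRITICAL_HOSTS = {"10.0.0.53"}  # assumption: these are never auto-blocked


def make_log(spec):
    """Build constructed log lines '<HH:MM:SS> <src-ip> <qname>' from (minute, src, count)."""
    lines = []
    for minute, src, count in spec:
        for i in range(count):
            lines.append(f"{minute}:{i % 60:02d} {src} h{i}.example.com")
    return lines


# The busy day: the forwarder legitimately does about 1.5x its usual volume, while
# one workstation suddenly makes 250 queries in a minute (e.g. DGA-style lookups).
BUSY_DAY_LOG = make_log([
    ("09:00", "10.0.0.53", 620),
    ("09:00", "10.0.1.17", 250),
])


def count_per_minute(lines):
    """Return {src: {minute: query_count}} from log lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, src, _qname = line.split(" ", 2)
        counts[src][ts[:5]] += 1
    return counts


def static_policy(counts, threshold=500):
    """Fixed threshold, automatic block: the overzealous rule from the story."""
    actions = []
    for src, per_min in counts.items():
        for minute, n in per_min.items():
            if n > threshold:
                actions.append((src, minute, n, "block"))
    return actions


def baseline_policy(counts, baseline, k=3.0, critical=CRITICAL_HOSTS):
    """Per-host limit of mean + k*stdev. Critical hosts only ever get 'alert'."""
    actions = []
    for src, per_min in counts.items():
        hist = baseline.get(src)
        if not hist:
            # Unknown host: no baseline to judge by, so ask a human rather than guess.
            for minute, n in per_min.items():
                actions.append((src, minute, n, "alert"))
            continue
        limit = mean(hist) + k * pstdev(hist)
        for minute, n in per_min.items():
            if n > limit:
                action = "alert" if src in critical else "block-candidate"
                actions.append((src, minute, n, action))
    return actions


if __name__ == "__main__":
    c = count_per_minute(BUSY_DAY_LOG)
    print("static  :", static_policy(c))    # blocks the forwarder, misses the workstation
    print("baseline:", baseline_policy(c, BASELINE))  # alert on forwarder, flags workstation
```

The baseline rule still fires on the forwarder, which is correct: a 50% jump is worth a look. The difference is what happens next. The forwarder gets an alert in front of an analyst instead of being pulled off the network, while the workstation, which the fixed threshold never saw, becomes a block candidate with its counts attached for review.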
A security assessment or penetration test that only focuses on vulnerabilities and missing patches is too narrow in scope. It is a limited view that doesn’t give you an overall picture of the risk the organization faces.
Organizations need an assessment that looks not only at the vulnerabilities that exist but at what all the various risks are. Keeping Windows patches or Adobe Reader up to date is not going to solve your security risks. These things are important but too narrow. It is like driving a car that cannot turn left or right: it only gets you so far before the road ends.
Assessments are most likely required in your organization. Spend the money wisely and get one that actually helps create a more secure environment, not just one that lets a box be checked off a list.
No one starts playing baseball in the major leagues. The typical major league ball player starts in a Babe Ruth-type league, goes on to play in high school, then college, then the minor leagues, and finally the majors. Even once they make it to a pro team, like my beloved Baltimore Orioles, they often do not start every day right off the bat. They work hard to earn a spot on the regular roster. It is only once they make it to the bigs that most people learn about them and what they can do. The number of people who knew Cal Ripken before he played for the O’s is small. The number of people who know Cal Ripken now is vast.
Many organizations feel they are not going to be a target of a cyber attack or data breach. The common mentality is that they are too small or not important enough or they don’t make enough money. This way of thinking is too narrow for today’s world and very dated.
Target, Home Depot, Jimmy Johns…the attackers didn’t start with them. This wasn’t a trial run. This was their major league debut. They started in the minors. Small and midsize businesses were the training ground where their skills were perfected.
And coming up behind them is the next wave of major league players, ready to hit more home runs than their predecessors. Where do you think they are learning their skills? Your network is the practice field.
The news media, as well as the people I talk with, usually focus on the large-scale attacks. They are aware from the news that Home Depot, Target, and P.F. Chang’s were breached and credit card data is at risk. Making these attacks public is great for raising awareness, although, as I previously wrote, it does little to change behavior.
What people often don’t think about is that your local hardware store, grocery, and Chinese restaurant are not necessarily safe. They could also be the target of a smaller-scale attack; they are just too small to be discussed on Fox News and CNBC. Attacks on businesses of this size often go unreported and undocumented.
So my question for any organization out there: did you spend more money on security than Home Depot, Target, or P.F. Chang’s? Why would you be safe when they were not? The malware used for these larger attacks was tested somewhere on a small scale first.
I found myself in a very familiar place this weekend. The same place I find myself most weekends to purchase this or that. The same place I have spent a good deal of money at over the years…Home Depot. I went in to take my kids to the regular building event they have on the first Saturday of the month. While there I was thinking about a few things I needed to grab: WD-40, a GFCI receptacle to fix that issue in the garage, and some wood for my son to further develop his handyman skills. Right before we checked out I looked at my wife and said, oh crap, they were just hacked. We then had to decide whether to complete our purchase or leave and go to Lowe’s, which is right across the street and happens to carry the exact same stuff at the same or similar prices.
This is not the decision you want your clients contemplating about your brand. It is hard enough to get a client in the door. Once they get there you have to make sure the environment is right, you have the right products on the shelves, the staff is friendly and helpful, and the experience is an easy one. You can work for years perfecting your brand and the client experience, however, hackers don’t care. In fact they look for companies who have done just those things so they can take advantage of you.
We live in a new and complex world where cyber security is as important as brand marketing. We can solve the threat from credit card theft by all of us switching to cash, but we know that isn’t about to happen. So what is your cyber security plan?
There are reports from the financial industry that Dairy Queen may be the latest company to be the victim of cybercrime. DQ says that they have no reports of this; however, most of their stores are franchises and there is no established process in place for reporting a security breach. So it is possible several of the franchises are the source of this activity by thieves.
This story demonstrates a problem with national or franchise brands. If the above story ends up being true, the franchisee will not be named in the headline; rather, the parent company Dairy Queen will, even though it was not directly responsible in this case.
I am not trying to call out DQ specifically, rather I think this demonstrates an issue with franchises. If I go to a McDonalds in Orangeburg, SC and get a bad meal I say that McDonalds was terrible, not the local guy who owns it. It may change my opinion on the whole company. I went to an Applebee’s years ago and they gave my son moldy applesauce, we have not been to another Applebee’s since. You remember the experience you had with the parent brand not the franchise.
You have to control your brand whether it is in food, hotels, coffee, or security. Your brand’s name is on the line. Starbucks does not franchise for this very reason: they want to protect their quality. If you are a franchisor you have to establish clear security practices and subject each location to an assessment as part of the agreement. The requirements for security need to come from the top down. IT security is as important as any other area of the business, as a breach will be very costly.