How to Spend Millions on Security and Still Not be Secure
To put it mildly, you could call Equifax’s recent data breach a “Cybersecurity Incident” – as Equifax itself did – or, more harshly a “Data Breach that Could Impact Half of the U.S. Population” as the media did (NBC in this case). But either way, the scale of the event is impressive.
We’ve become accustomed to reports like this one popping up in the news almost weekly, quoting the number of affected identities in the millions, but this one seems to have affected almost every household in the country.
The incident clearly demonstrates that cybersecurity is a never ending practice. And perhaps the most important lesson from these breaches is to teach us that security should be part of our regular life.
An Educated Guess – Look for an Inside Job
In engineering things break in a certain way; bridges do not evaporate and cars do not simply explode. When they do, look for some human activity. They say that it takes a combination of seven very improbable factors to make a modern passenger plane crash. On a similar note, it takes several very improbable events to produce such massive data leak.
Yes, there is constant Internet traffic aiming to discover potential breaches like this one wonderfully described by Bruce Schneier. However, this shadow traffic mostly attributed to state actors for whom the real attack might lead to an international incident so it should worth much more on a grand scale. Also, for such a massive leak of such specific data, there has to be multiple breaches of the same proportion, or multiple actions that make a single breach expose so much data. It is probably possible to take down a building with one hammer stroke, but it’s very unlikely. A simpler explanation is often the better one.
Afterall, when it comes to typical crime there is so often an insider who either opened a backdoor or tipped someone off about a failed lock on a window in the basement.
A Missing Link
Each organization employs many people to perform service work on its core IT infrastructure. It includes servers, network and IoT devices, storage, on-premises and cloud networks. These people could be internal IT administrators, temporary or outsourced contractors, vendor representatives and their outsource workforce. They see the data differently than regular users; often not permission trimmed or filtered by the job description. They have to have these kind of permissions to manage ad modern, complex computing infrastructure.
We’ve written about the problems of off-boarding IT admins before. However, with the growing complexity of the systems that support us, the definition of IT admin has grown too. Now it includes actors that should not have “God” accounts, but way too often they do.
Is it Possible to Avoid Equifax’s Fate?
The short answer is no. Remember, maintaining a reasonable level of cyber security is a continuous process. However, there is always ways to improve and to limit the number of vulnerabilities.
First, the idea of concentrating too much data in a single place is not a good practice. I believe that one of the most important results from such a massive breach is that country lawmakers should research new ways for financial institutions to evaluate an individual’s credibility and identity. Agencies like Equifax should not exist in the form they exist today precisely because they concentrate too much private data in single hands. Yes, it feels easy to have a single authority that answers all of our questions. But it’s not good to have such an authority because of the associated drawbacks. The decades old campaign of reducing the over-reliance on social security numbers in private institutions went pretty well. Similar nationwide regulation should be introduced in this case too.
For the rest of us, the next step in improving cybersecurity defences should be automating network access for users with elevated privileges. Minimise the number of credentials with elevated privileges, minimize the number of people who know these credentials, rotate these credentials often and provide access without revealing credentials with elevated access. Every time you give an admin password or a key to someone, you should consider it as a potential security breach.
We have made good progress in producing secure software. We have made a good progress in controlling the access of business users. But it all came with the price of multiplying the number of special users who can see our systems from the back door. Now it’s time to control that aspect of IT security too.
Xton Access Manager is an agentless, cross-platform privileged access management solution with unlimited licensing model built from the ground up with an enterprise feature set. Simple to implement, without your typical enterprise cost and effort.
Please fill out this form to receive a download link to get started today with free 60 days trial. Documentation is available to help. You can email or call us to request a trial extension, ask questions and share your feedback. We would love to talk to you.