With over four billion records leaked last year, “2016 was a defining year for security” reported IBM X-Force in its recent report. For me there were three brief highlights from the report:
- “The average client organization experienced more than 54 million security events in 2016”—only 3% more events than 2015
- Client organizations experienced an average 12% decrease in attacks in 2016 compared to 2015
- The average monitored client was found to have experienced 93 security incidents in 2016”, down 48% from the 178 discovered in 2015
This means an unprecedented amount of records were exposed last year, even though the total amount of attacks reported went down. IBM X-Force’s conclusion: this likely means that the hackers are getting better at their jobs. Hackers are finding what works and what doesn’t and are focusing their energies on time-tested attacks.
Also, unstructured data was hit hard in 2016. We are all used to the data breaches where structured data like passwords, credit card data, or personal health information is exfiltrated and sold on the black market to the highest bidder, but 2016 saw large amounts of unstructured data exposed, such as “gigabytes of email archives, documents, intellectual property and source code”.
This rise in unstructured data breaches is not entirely new. This kind of hack has always been a concern for businesses (such as with the Sony hack of 2014). Yet the rise of exposing sensitive, embarrassing, or strategic information should be a concern to anyone looking to keep their secrets, well, secret.
Every business relies on its interoffice communications, meetings, and business strategy remaining away from their competitor’s eyes. While corporate/nation state espionage is not new, these recent high profile hacks could signal to bad actors that there is money to be made in more than just the usual structured data ‘smash and grab’.
A Success Today, a Threat Tomorrow?
X-Force not only analyzed the list of publicly disclosed breaches per industry vertical, but they also analyzed attacks monitored in client environments. From this, they compiled a shortlist of not only the five verticals with the most disclosed breaches, but also the five verticals to watch out for as attacks in these sectors are increasingly on the rise:
Most Disclosed Breaches (in order):
- Information and Communications
- Government
- Media and Entertainment
- Financial Services
- Professional Services
Most Attacks Reported (in order):
- Financial Services
- Information and Communications
- Manufacturing
- Retail
- Healthcare
In this case, verticals like financial services should be of concern. While they rank number four for breaches, they are ranked number one for attacks. What the data suggests is that while they are under tremendous attack they are, as of today, successful in repelling most of those attacks (only leaking 200 million records in 2016).
As we saw in earlier discussion, hackers are continuing to hone their skills. Tactics that are successful in repelling them today may not prove as successful in the future. I feel that financial services may be in a race against time to stem a rise in breaches.
One of the first things that the IBM X-Force Report recommends as next steps for any organization is to “practice security fundamentals.” As a final takeaway, here are three things I feel that all organizations should have in their arsenal of data security fundamentals:
Adopt a “Zero Trust” Model. Move towards Forrester’s data security model, Zero Trust, in which you “never trust, always verify” any traffic within your network. All end-users should be able to present valid login credentials as well as authenticate themselves with multi-factor authentication for each session logging into the network.
Beyond that, all traffic and users should be monitored in real-time to make sure they conform to prescribed, normal patterns. Systems are often infiltrated days or months before a breach occurs. In many cases, you have the ability to stop a breach before it happens.
Thoroughly Defend Your Data-At-Rest. Multi-factor authentication and real-time monitoring is a great first step to making sure you data is secure. Encryption and encryption key management, however, are one of your last lines of defense; and they are often neglected. Your information security team should go through the discovery process of locating all sensitive information in your organization and then set to the work of encrypting it.
To make the work easier, there are quality centralized key managers in the marketplace that will securely manage the full lifecycle of your encryption keys. If you don’t have Transparent Data Encryption (TDE), look for those that come with SDKs to help you leverage the native encryption libraries of your database of choice. If you do have TDE, look for vendors with a track record of working with TDE, as it will make the project that much easier.
Lastly, plan for ‘when’ not ‘if’ you have an attack. In December of 2016, The National Institute of Standards and Technology (NIST) released its recommendations on how to effectively recover from a data breach or other malicious attacks. In it, it recommends that your team be constantly testing your system for vulnerabilities, building a more secure environment, and planning both your tactical and strategic response when an attack occurs.
Your only edge in an attack is how well you have prepared, in advance, and are able to execute on that planning. If you haven’t started, start the work now.