In these latest incidents we are seeing a continuation of a theme - if your company holds passwords and account information for customers, and you have an online method for those details to be used or accessed, there is a real threat that you could end up in the news for all the wrong reasons if the criminal gangs behind these attacks turn their attention to you.
So what is the new normal for companies wanting to prepare for a cyber breach? What steps should organisations be seeking to put into place in order to have the best possible response to a breach incident?
STEP 1 – Recognise your risk (update the ‘risk register’): Your risk register should – by default – list the breach of customer account information as a defined risk, together with the very real threat actors who are seeking to obtain it. It is clear that this information is being targeted by hackers, so organisations need to assess carefully exactly what customer information they are responsible for in order to understand the level of risk they are exposed to.
STEP 2 – Secure the data (implement and verify the right controls): Your standard controls should include strong hashing with a protected salt. Complex passwords should be enforced, and the standard security hardening, patching and testing needs to be conducted. Passwords do not normally need to be stored in a reversible form such as encryption, and they should never be stored in plain text or merely obfuscated.
You will need to accept a level of risk in your internet- and email-connected environments and move your sensitive data into a hardened core. This core may not even be connected to the open internet at all. Think of this network model as an avocado (soft outside, hard core) rather than the traditional coconut (hardened outer shell, soft inside). Recent hacking incidents, spear phishing attacks and drive-by downloads delivering custom malware have all shown that the hardened-shell model is outdated and vulnerable.
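To make the hashing control in Step 2 concrete, here is an added example (not code from the original article) of storing and verifying passwords with a per-user random salt, a slow key-derivation function and a site-wide secret kept outside the database. The PBKDF2 parameters, the record format, the function names and the PASSWORD_PEPPER environment variable are all assumptions for this example.

```python
import hashlib
import hmac
import os

# Assumed parameters (not from the article): PBKDF2-HMAC-SHA256 with 200,000
# iterations and a 16-byte random salt per user. The "protected" part is a
# site-wide secret (pepper) that lives in a vault or HSM, never in the user
# table, so a stolen table alone does not allow offline guessing.
ITERATIONS = 200_000
PEPPER = os.environ.get("PASSWORD_PEPPER", "example-pepper-do-not-use").encode()


def _pre_hash(password: str) -> bytes:
    # Bind the password to the protected secret before the slow hash.
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, salt: bytes = None) -> str:
    # A fresh salt per user means two users with the same password get
    # different records, defeating precomputed (rainbow) tables.
    salt = salt if salt else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _pre_hash(password), salt, ITERATIONS)
    # Self-describing record so parameters can be raised later without a flag day.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    # Malformed or foreign records are rejected rather than raising.
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", _pre_hash(password), salt, int(iters))
    except ValueError:
        return False
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))  # False
```

The stored record never reveals the password, so a leaked table is a guessing problem for the attacker rather than a disclosure, and rotating the pepper or raising the iteration count only requires re-hashing at the user's next login.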
STEP 3 – Monitor your environment (define standard monitoring, know what is happening and actively hunt on your network): Your ‘business as usual’ practice should ensure that you have active monitoring in place, with your data stored and protected well back from your public servers.
Any active changes, non-standard behaviour and unauthorised activity should be monitored across the network and should raise alerts. An incident response plan should have been tested and rehearsed to ensure a breach can be detected BEFORE data extraction occurs. Make sure the path to your data is lined with multiple trip wires (monitored events) so that the hackers’ chain of actions prior to data extraction can be seen (reconnaissance, exploitation of weaknesses, delivery, extraction, etc.). This will give you multiple opportunities to intercept and stop the attack.