[BreachExchange] Hacking is a booming business, and it’s time for a disruption

Audrey McNeil audrey at riskbasedsecurity.com
Fri Feb 23 10:20:35 EST 2018


Hacking is a booming business. Business has been good for several years
now. Data breaches are at all-time highs. Cyber-attacks are skyrocketing,
and ransomware is a growing fad. And the best news of all is that the same
old tricks (see XSS, SQL injection, spam, ...) are still working just as well
as they always have. How is it possible that a business that was estimated
to cost the global economy $450 billion is continuing to grow? That
is a lot of money diverted to criminals in lieu of legitimate participants
in our global economy.

As a wise man once said, the definition of insanity is to do the same thing
over and over again while expecting a different result. The same could be
said for the two main pillars of most organizations’ security strategies
today: a strong perimeter (read firewalls, intrusion detection/prevention,
spam filters, VPNs, etc.), and a desktop security suite (anti-virus).
Clearly this is not working, so why do we keep doubling down on more and
more sophisticated and expensive variations of the same thing?

It is time for a different approach, and a different approach starts with a
different set of assumptions. First and foremost, the cyber-crime economy
is increasingly trafficking in data, not just havoc. Denial-of-service
(DoS/DDoS) attacks are intended to create havoc, and while they have their
place, havoc is only a worthwhile endeavor when targeting a select handful
of highly visible organizations. Plenty of smart minds are developing
solutions to head off DDoS, but what are we doing to stop the more mundane,
but booming business of data theft?

Cyber criminals seem to realize that there are many less prepared (see
Equifax) or smaller organizations which are repositories of highly valuable
data. That data can either be sold, like credit card numbers and Social
Security numbers, or used to profit from insider trading (see the attack
launched against the SEC).

In my humble opinion, the state of data protection is pathetic, to put it
kindly. The fact that any organization housing sensitive data lacks a
sensible encryption strategy is a crime all on its own, but that is the
state of the world we live in. It is time to tear down our assumptions
about security and, in some ways, start over.

I am not the only person to advocate substantive change. The password seems
to finally be on the short list of ideas that need to go if we intend to
secure our cyber world. Embracing biometric multi-factor authentication is
a nice step towards preventing broad password theft, and it makes
leveraging a stolen password substantially harder. However, passwords are
one small (albeit important) piece of the problem.

In general, organizations have no specific, dedicated strategy for
protecting data. Such a strategy starts with a commitment to understanding
who owns data, how that data is intended to be used, and how to protect
that data end-to-end, through its entire lifecycle. As a simple example, an
organization near the leading edge of data protection may keep all of its
sensitive documents stored in a document management system that implements
pessimistic permissions (i.e., you can’t see the document unless you really
need to). But what happens when that document is downloaded and edited on a
client device? What happens when that document is shared with a partner,
customer, or colleague? Once data leaves this central repository, it is
either not protected at all or the person downloading that data is
responsible for implementing appropriate protection. Neither situation is a
good one.

It is time that we re-think our cyber security strategy from an entirely
new angle. For starters, we must assume that client devices (e.g., your
Windows machine, your web browser, your mobile device) are vulnerable and
will be hacked eventually. These platforms handle volumes of untrusted data
(incoming emails and websites mostly), and organizations cannot feasibly
prevent users from doing so. How can we protect data regardless of the
disposition of the device itself? How can we keep untrusted devices away
from sensitive data?

Second, we must commit to protecting data end-to-end. Doing so requires
that we not only encrypt data in-transit and at-rest, but that we also
ubiquitously and automatically apply information rights management to keep
documents encrypted and protected at all times.

To summarize, I am proposing:

- That no client computers should ever be on the same network as a data
server. That means no more Windows desktops on the corporate network – at
all, ever. Instead the script should be flipped on its head – applications
should be individually granted access to specific corporate data sources
through a tightly controlled, application-aware proxy into the corporate
network. In this model, application providers must demonstrate the ability
to protect sensitive data on untrusted devices, and IT can select vendors
and applications that demonstrate this capability.
- That all client applications which touch sensitive data must implement an
encryption scheme that is, to the utmost degree possible, immune to
compromise of the client computer. This must be done at the application
layer because the underlying platform cannot be trusted. Hence, full disk
encryption is not good enough.
- That all data must be encrypted with information rights management
(IRM), all the time. That means that when you download a document to your
client computer (whether it comes from an on-premises system or a cloud
system), that document must be protected with an IRM license that allows
you to use that document. When you want to share it, a new, protected copy
of that document must be created that allows those you are sharing with to
access that document.

With these principles as a guide, we can start to outline a solution that
will, at the very least, create a major disruption to the booming business
of cyber theft. This 3-part outline will be the topic of my next few posts.

The current state of cyber security is truly insane. One Equifax should
teach us that lesson. Years and years of increasing frequency of
large-scale data theft reveal that we should have seen Equifax coming a
long time ago. It’s time for a fresh approach to cyber security. As
organizations large and small start to demand a new approach, software
providers will follow suit. Let’s hope that happens soon. We are already
well into 2018, and cyber criminals are draining about 40 billion dollars
from the legitimate economy each month. It’s time to disrupt their business.
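To make the second and third proposals above concrete, here is an added
example (not part of the original post, and not any IRM vendor's code) of
the kind of application-layer scheme being called for: a document is
encrypted once under a random content key, that key is wrapped separately
for each reader via an X25519 agreement, and the wrapped copies stand in for
IRM licenses. A stolen file, even together with another reader's license,
does not open without that reader's private key, and sharing produces a new
protected copy instead of widening the original. The container layout, the
reader names and the "irm-wrap-v1" label are assumptions made for the
example; SHA-256 over the shared secret stands in for a proper KDF, and
nothing here enforces usage rights such as no-print or no-forward, which real
IRM layers on top and which no encryption scheme can enforce on a client
that is already compromised.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// ProtectedDoc is a hypothetical IRM-style container (no vendor's format):
// the body is encrypted once under a random content key, and that key is
// wrapped separately for each reader, which plays the role of a license.
type ProtectedDoc struct {
	EphemeralPub []byte            // sender's one-time X25519 public key
	Body         []byte            // nonce || AES-256-GCM ciphertext
	Licenses     map[string][]byte // reader -> nonce || wrapped content key
}

// random returns n bytes from the OS CSPRNG; failure here is unrecoverable.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-256-GCM; every key in this file is 32 bytes, so neither
// constructor can fail.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	a, _ := cipher.NewGCM(block)
	return a
}

// seal returns nonce || ciphertext; unseal reverses it and fails on a wrong
// key or any tampering, which is what makes a stolen file useless.
func seal(key, plain []byte) []byte {
	nonce := random(12)
	return aead(key).Seal(nonce, nonce, plain, nil)
}

func unseal(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead(key).Open(nil, blob[:12], blob[12:], nil)
}

// wrapKey derives a per-reader wrapping key from X25519 (SHA-256 over the
// shared secret and an assumed label stands in for a full KDF).
func wrapKey(mine *ecdh.PrivateKey, peer *ecdh.PublicKey) []byte {
	shared, err := mine.ECDH(peer) // fails only if the keys are on different curves
	if err != nil {
		panic(err)
	}
	k := sha256.Sum256(append(shared, "irm-wrap-v1"...))
	return k[:]
}

// Protect encrypts plain once and issues a license to every named reader.
func Protect(plain []byte, readers map[string]*ecdh.PublicKey) (*ProtectedDoc, error) {
	contentKey := random(32)
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	doc := &ProtectedDoc{
		EphemeralPub: eph.PublicKey().Bytes(),
		Body:         seal(contentKey, plain),
		Licenses:     map[string][]byte{},
	}
	for name, pub := range readers {
		doc.Licenses[name] = seal(wrapKey(eph, pub), contentKey)
	}
	return doc, nil
}

// Open recovers the text for one reader: the file alone, or someone else's
// license, is useless without that reader's private key.
func Open(doc *ProtectedDoc, name string, priv *ecdh.PrivateKey) ([]byte, error) {
	lic, ok := doc.Licenses[name]
	if !ok {
		return nil, fmt.Errorf("no license issued to %q", name)
	}
	ephPub, err := ecdh.X25519().NewPublicKey(doc.EphemeralPub)
	if err != nil {
		return nil, err
	}
	contentKey, err := unseal(wrapKey(priv, ephPub), lic)
	if err != nil {
		return nil, fmt.Errorf("license for %q does not open with this key", name)
	}
	return unseal(contentKey, doc.Body)
}

// Share makes a fresh protected copy for one more reader; the original file
// and its audience are untouched.
func Share(doc *ProtectedDoc, owner string, ownerPriv *ecdh.PrivateKey, to string, toPub *ecdh.PublicKey) (*ProtectedDoc, error) {
	plain, err := Open(doc, owner, ownerPriv)
	if err != nil {
		return nil, err
	}
	return Protect(plain, map[string]*ecdh.PublicKey{owner: ownerPriv.PublicKey(), to: toPub})
}

func main() {
	alice, _ := ecdh.X25519().GenerateKey(rand.Reader)
	mallory, _ := ecdh.X25519().GenerateKey(rand.Reader)
	// constructed sample document; "alice" is the only licensed reader
	doc, _ := Protect([]byte("Q3 forecast (constructed sample)"), map[string]*ecdh.PublicKey{"alice": alice.PublicKey()})
	_, err := Open(doc, "alice", mallory) // stolen file and license, wrong key
	fmt.Println("mallory:", err)
	plain, _ := Open(doc, "alice", alice)
	fmt.Println("alice:", string(plain))
}
```

What a compromised disk, mail spool or file share yields is only Body and
Licenses; the secret that the client must keep is the reader's X25519
private key, which is why it belongs in a hardware-backed or OS keystore
rather than on the same filesystem that full disk encryption already exposes
to whoever is logged in.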
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180223/e8265aef/attachment.html>
