
Tenable Blog


Make 2015 a Breach-Free Year

With 2014 drawing to a close and the New Year almost upon us, it’s the perfect time to reflect on this year’s security events and to plan for changes in 2015. Certainly 2014 seemed like the year of the security breach, with major retailer breaches, the Heartbleed and Shellshock vulnerabilities, and the Sony attack dominating the headlines. With over 7000 vulnerability reports published in the National Vulnerability Database so far this year, it would be too easy to become inured to the daily data security news. But breach fatigue cannot lapse into complacency. Continual vigilance is a necessity; there are always more security measures and safeguards to implement for stronger protection.

What are you planning to do to harden your 2015 security program? Are you buying a new tool? Hiring a security analyst? Validating PCI security? Adopting a new security policy?

Most breaches occur as a result of human error

Whatever your resolutions are, consider this: most breaches occur as a result of human error. A recent study in the UK reveals that a whopping 93% of data breaches in 2014 resulted from human error, not technical weaknesses. The UK findings align with a global trend identified earlier by Symantec and the Ponemon Institute, that 64% of breaches resulted from human errors and system problems. That includes accidentally losing personal data, erroneously disclosing confidential information, following processes that were poorly designed, transferring data outside the organization, and mishandling sensitive data. Clearly, changes should be considered for implementing and enforcing better policies, procedures, and employee education, changes that don’t even require cash outlays.

Our Tenable experts have several suggestions to consider for your 2015 Security Resolutions list. Most of these resolutions don’t require major financial investments, but they do require a commitment to best practices, employee buy-in to a strong security policy, and daily vigilance.

Craig Shumard voices the one resolution that we would all like to see come true:

    NO security breaches of personally identifiable information in 2015, no major breach, or at least no major embarrassing breach

Given the improbability of that coming true, Craig advises that your next resolution should be:

    Reduce the timeline. Reduce the time to detect a security breach and to recover from a security breach. The best methods for achieving that goal are to:

    • Strengthen continuous monitoring capabilities
    • Improve spot-on intelligence or detection capabilities
    • Improve incident response capabilities

For Ken Bechtel, the key to success in 2015 is baselining the normal:

    Baseline the normal. Learn what normal looks like. Make a resolution to know your network, not just the architecture, but both the inbound and outbound flows. Learn how your customers use the network (business units and individuals). Get this baseline so you can trigger on anything abnormal.

    Conduct regular risk assessments. Once you know what is normal, do a risk assessment, and make it an ongoing practice. Find out where your gaps of visibility are. Is there a segment or devices you don’t have visibility into? If so, determine how you are going to gain visibility. If you don’t know what’s out there, you don’t know what evil may lurk on your network. The more you know, the more you’re protected.

    Educate yourself not just on current activities but also on historical events; computer security is circular. For example, macro viruses in MS Office are making a comeback. Find out how re-emergent threats were defended against in the past and implement a plan to “head them off at the pass” this time around.
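To make "baseline the normal, then trigger on anything abnormal" concrete, here is a small added example (not Ken's or Tenable's code, and not from the original post) that builds a per-host profile of outbound flows from a learning window and then checks a later window against it. The flow records, host names and addresses are constructed for illustration; in practice the records would come from NetFlow, firewall or proxy logs, and the learning window would be days or weeks rather than a handful of flows. It flags three things a baseline makes visible: a host talking to a destination and port it has never used, an outbound transfer far larger than that host's usual, and a host with no baseline at all, which is exactly the visibility gap the risk-assessment step asks you to hunt for.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records (not real traffic): (src_host, dst_ip, dst_port, bytes_out).
# The first list plays the role of the learning window in which "normal" is observed; the
# second is the window being checked against that baseline.
BASELINE_FLOWS = [
    ("ws-01", "10.0.0.5", 443, 12_000),   # internal web proxy
    ("ws-01", "10.0.0.5", 443, 15_000),
    ("ws-01", "10.0.0.9", 53, 300),       # internal DNS
    ("ws-01", "10.0.0.9", 53, 250),
    ("ws-02", "10.0.0.5", 443, 8_000),
    ("ws-02", "10.0.0.5", 443, 9_000),
    ("ws-02", "10.0.0.9", 53, 200),
]

CHECK_FLOWS = [
    ("ws-01", "10.0.0.5", 443, 13_000),        # looks like the baseline
    ("ws-01", "203.0.113.7", 4444, 100_000),   # never-seen destination, large outbound transfer
    ("ws-02", "10.0.0.9", 53, 180),            # looks like the baseline
    ("ws-03", "10.0.0.5", 443, 5_000),         # host that was never baselined: a visibility gap
]


def build_baseline(flows):
    """Per source host, record the (dst_ip, dst_port) pairs seen and the mean and
    population standard deviation of bytes sent per flow."""
    dests = defaultdict(set)
    sizes = defaultdict(list)
    for src, dst, port, nbytes in flows:
        dests[src].add((dst, port))
        sizes[src].append(nbytes)
    return {
        src: {"dests": dests[src], "mean": mean(sizes[src]), "stdev": pstdev(sizes[src])}
        for src in dests
    }


def find_anomalies(baseline, flows, z_threshold=3.0):
    """Return (src_host, reason, dst_ip, dst_port, bytes_out) for each flow that departs
    from the baseline. A single flow can raise more than one alert."""
    alerts = []
    for src, dst, port, nbytes in flows:
        profile = baseline.get(src)
        if profile is None:
            # No baseline for this host: either a new asset or a gap in monitoring coverage.
            alerts.append((src, "unknown source host", dst, port, nbytes))
            continue
        if (dst, port) not in profile["dests"]:
            alerts.append((src, "new destination", dst, port, nbytes))
        # A host whose flows were all the same size has stdev 0; fall back to 1 byte so we
        # never divide by zero (any larger flow then counts as a spike).
        spread = profile["stdev"] or 1.0
        if (nbytes - profile["mean"]) / spread > z_threshold:
            alerts.append((src, "outbound volume spike", dst, port, nbytes))
    return alerts


def run_example():
    """Build the baseline from the learning window and check the second window against it."""
    return find_anomalies(build_baseline(BASELINE_FLOWS), CHECK_FLOWS)


if __name__ == "__main__":
    for src, reason, dst, port, nbytes in run_example():
        print(f"{src}: {reason} -> {dst}:{port} ({nbytes} bytes)")
```

Run as written, the check window produces three alerts: ws-01 contacting 203.0.113.7:4444 (new destination) with an outbound volume spike on the same flow, and ws-03 as a source host with no baseline. The z-score threshold and the per-host (rather than per-service) profile are deliberately simple; a real deployment would profile per host and service, use a much longer learning window, and age out destinations that stop appearing, but the shape of the check is the same.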

After reading about 2015 predictions for the cybersecurity environment in The Invisible Becomes Visible: Trend Micro Security Predictions for 2015 and Beyond, Jeff Man recommends several countermeasures against the expected increase in cyber attacks:

    Continuously monitor your network. As cyber crime expands, continuous network monitoring is essential to uncover and thwart the latest threats.

    Keep patching. Some of the biggest vulnerabilities of 2014 were in open source platforms. Updating and patching are your best defenses for staying ahead of the next attack.

    Implement two-factor authentication. This is particularly important in the financial industry where weak security is not an option.

    PCI Security. If you are a retailer or payment card provider, your PCI compliance should be updated to the 4th edition.

Marcus Ranum advises to keep your sense of humor while doing the right thing:

    Design systems and software first, then implement. If you implement first, treat it as an experiment, to be eventually replaced with a designed solution.

    Do not spend money on unreliable software. There is nothing redeemable about unreliable software; it has no place in your network.

    Remember that V1.0 of almost anything is unreliable.

If you are upgrading your security plan, complying with an industry-specific standard, or thinking of implementing any of these resolutions, David Schreiber has compiled a list of provocative reading materials to help justify your program. Visit the Tenable 2015 Resolutions landing page for inspiration.

And from everyone on the Tenable team, may your holidays be safe and secure!
