I am sure all of you remember the data thefts from Home Depot, Target and OPM. This is just a short list. These organizations had fully mature IT security organizations. What do you think they were doing wrong to allow such intrusions?
We may have "fully mature" security in place, but if our learning and the changes in the way we tackle cyber-attacks are driven only by actual exploits, something is certainly wrong.
1. Responsibility. Like Home Depot, Target and OPM, we might be able to hand the blame for an incident over to a vendor, but the actual loss will not be recovered. For example, in the case of OPM, multiple applications used shared resources; if OPM had had a proper infrastructure in place, a compromise of one system would have stopped there. The same is true of Home Depot and Target: boundaries of access were not clearly defined. In all these cases, every resource and piece of information should have been given a clear category and classification.
2. The weakest link in the line of defense defines how secure we are. In the case of OPM, security information and event management only partially covered monitoring of the key components, and OPM allowed users to gain access without two-factor authentication in some places while it was implemented in others.
3. It's not always possible to build the whole ship in-house and assume it won't fail. On the other hand, security is not something we can pay for from the organization's budget, take our own personal benefit from, and then dispose of on paper. We need services from third parties, and they must not be the weak link; to endorse a third-party vendor and its services/products, we must first attain holistic processes and expertise ourselves. In the case of Target, they are blaming the air-conditioning firm, but who brought them in? Was Target not concerned at all that they might be vulnerable to attacks?
4. We cannot call ourselves a secure IT organization merely by putting guidelines and secure architectures on paper; what also matters is how well they are followed. For example, in the case of OPM, it was not that they were unaware of the vulnerabilities that were exploited: many loopholes had been present for many years and had been reported, but no action was taken. The reason is a lazy mentality: the system is still running, we will look at it later, ignore the warnings.
5. Spend wisely. Gaining a shield against hackers is neither cheap nor a one-time investment; we must be constantly involved in penetration testing and aware of where technology is moving, as it opens new secret doors for intruders. It will also need constant expenditure on hiring the right talent and on upgrading the skills of existing employees. Does this mean that if we have a budget for security testing and outsource it to the same vendor, who will copy and paste what he found during the last cycle, we are done and my share of the bribe is 100% sure? No; findings must be given a value in terms of the loss that might occur and fixed well in time. To get deeper analysis, we might also rotate the third-party vendors who do security testing.
6. What about vulnerabilities found by penetration-testing vendors being leaked to hackers? This is one of the nightmares OPM may have experienced. Here the decision maker's judgment comes in: how to tackle it. Involving too few employees in the review activity might mean meager reviews and the right eyes being closed with a lid of dollars; involving too many may itself introduce vulnerabilities and risk to the organization as a whole. It is well said that the 8th layer might be the weakest layer.
7. Fearless and full of doubts. Based on vulnerability reports, rebuilding the whole system, even at some extra expense, is sometimes more advisable than continuing to patch an old, insecure system.