02 Aug Living with Data Leakage – You, too, can avoid revealing security breaches
During a webinar last week hosted by BDNA, I told the story of a profitable and growing company that had a major security setback, and the board of directors and executives never found out.
In this particular case, errors were plentiful:
- Software and operating systems were out of date and several known vulnerabilities were unpatched.
- Network logs routinely showed anomalous exfiltration of packets, indicating that business data was leaving the safe confines of the network and traversing to parts unknown.
- Internal servers were openly connecting to one another, permitting easy “east-west” movement by unauthorized code and attackers.
- And to top it all off, firewalls had hundreds of rules in place, many of which were more than a decade old, and no one knows any longer why they are there.
This company’s IT infrastructure is under attack and the business’ data is leaking. The vulnerabilities remain steadily exploited, but the business leaders don’t know about it, and likely won’t until the CIO moves on to his next job and his successor permits a thorough assessment.
This true story brings new meaning to the expression “security by obscurity.”
If a tree falls in a forest and no one is around to hear it, does it make a sound?
If business leaders don’t know there is a security problem, is there really a security problem?
Sounds horrifying, but what if I told you it is downright common? While I’ve related one true story of a real company in the Midwestern US, a very similar story plays out within thousands of companies, maybe tens of thousands.
The US Department of Commerce collects data about these pervasive cyber security shortcomings and wants to fix the problem. That’s why it chartered the National Institute of Standards and Technology, NIST, to produce the Cyber Security Framework. Following this useful guide, any company of any size may systematically tackle cyber security and progressively improve it. NIST also promotes Baldrige-based performance excellence guidelines that help companies continually improve each work activity of cyber security (The NIST Cybersecurity Framework has Never Been So Easy to Follow). Together, these two initiatives help every company achieve efficient, effective security, or what I like to call Cyber Maturity.
One of the first steps in following these NIST cybersecurity excellence guidelines is to inventory assets and map them against known intelligence about each item: its known vulnerabilities; its known performance issues; whether it is licensed and supported; how it interacts with other systems in your infrastructure; etc. During last week’s webinar with the good folks at BDNA, I learned that there are tools to make this easy.
Once you have a contextualized inventory like that, then implementing the rest of the Cyber Security Framework is a straightforward enterprise. Without this sort of inventory of assets, however, cyber security is a “best guess” effort and may even end up like our Midwestern example above.
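To make the inventory step concrete, here is an added example (not from the original post, and not the output of any vendor tool): a Python script that joins an asset list with known vulnerabilities, support and licensing status, and observed connections between systems. All hosts, products, advisory IDs, dates, and the function names `contextualize` and `findings` are constructed placeholders.

```python
from datetime import date

# Constructed sample data: hosts, products and advisory IDs are placeholders.
INVENTORY = [
    {"host": "erp-db01", "product": "ExampleDB", "version": "9.2", "licensed": True},
    {"host": "web01", "product": "ExampleHTTPd", "version": "2.4", "licensed": True},
    {"host": "file01", "product": "ExampleOS", "version": "6.1", "licensed": False},
]
KNOWN_VULNS = {("ExampleDB", "9.2"): ["ADV-PLACEHOLDER-1"],
               ("ExampleOS", "6.1"): ["ADV-PLACEHOLDER-2", "ADV-PLACEHOLDER-3"]}
END_OF_SUPPORT = {("ExampleDB", "9.2"): date(2030, 1, 1),
                  ("ExampleOS", "6.1"): date(2020, 1, 14)}
# Observed internal connections (source, destination), e.g. from flow logs.
FLOWS = [("web01", "erp-db01"), ("file01", "erp-db01"), ("unlisted-07", "web01")]


def contextualize(inventory, vulns, end_of_support, flows, today):
    """Join each asset with vulnerability, support and connectivity context."""
    rows = []
    for asset in inventory:
        key = (asset["product"], asset["version"])
        rows.append(dict(
            asset,
            vulns=vulns.get(key, []),
            # A missing end-of-support record is unknown, so it is not "supported".
            supported=end_of_support.get(key, date.min) >= today,
            reached_by=sorted({s for s, d in flows if d == asset["host"]}),
        ))
    return rows


def findings(rows):
    """Return (host, issue, detail) tuples a reviewer should look at."""
    by_host = {r["host"]: r for r in rows}
    out = []
    for r in rows:
        if r["vulns"]:
            out.append((r["host"], "known-vulnerabilities", ",".join(r["vulns"])))
        if not r["supported"]:
            out.append((r["host"], "unsupported-or-unknown", r["product"] + " " + r["version"]))
        if not r["licensed"]:
            out.append((r["host"], "unlicensed", r["product"]))
        for peer in r["reached_by"]:
            p = by_host.get(peer)
            if p is None:  # traffic from something the inventory does not list
                out.append((r["host"], "uninventoried-peer", peer))
            elif p["vulns"] or not p["supported"]:
                out.append((r["host"], "reachable-from-weak-peer", peer))
    return out
```

Calling `findings(contextualize(INVENTORY, KNOWN_VULNS, END_OF_SUPPORT, FLOWS, date.today()))` yields one row per issue; the `uninventoried-peer` rows are the ones that show where the inventory itself is incomplete.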