Data breaches are such an anxiety inducer because you never know when they're coming; you're often slow to address them, meaning attackers may have full run of your network before you even know they're there; and you may be unsure, at least initially, what the end goal is.
The intruders may be determined to steal personal information, such as credit card and Social Security numbers, that can be used for identity theft. Maybe they're after a different type of data, like intellectual property, which they can leverage for blackmail. Or perhaps they'll eschew the theft goal altogether and just want to surveil or sabotage your operations.
And when data compromises do happen - and they are a near certainty - they'll deliver an enormous financial blow in terms of downtime, clean-up, lost productivity and sales, customer attrition and more.
Indeed, data breaches are extravagantly costly and take on many shapes and sizes - but they are all addressable by taking generally similar steps. The guidance below is lifted directly from the 2017 Trustwave Global Security Report, and you will notice while there are some technical advisements sprinkled in, many of the recommendations are pretty obvious.
That's because contrary to what movies depict, cybercriminals don't need to conjure up some elaborate plan to infiltrate a target organization. Oftentimes, the front door is conveniently held open for them through, for instance, an unpatched application or a weak password or an employee who falls for a phishing message.
Here's a reality check for your bosses and stakeholders: You can never create a completely fortified environment because risk is always at play. Patching can take days or weeks at a time and cost a lot of money, strong passwords can be cracked or evaded, and human psychology is such that you can never create a perfectly security-conscious employee.
But you can lower your propensity to be compromised and the damage that hackers can cause once they're inside. You most certainly can reduce your exposure while simultaneously growing your ability to respond and restore faster. You just need to be defiant and smarter. The steps below provide a baseline of what you should be doing.
1) Configure Your Firewalls
- Restrict inbound and outbound access to and from the network.
- Confine inbound access only to those services (open ports) necessary to conduct business.
- Restrict outbound traffic to only trusted sites or IP addresses.
- Prohibit systems connected to a payment-processing environment from "surfing" the web.
- Do not place systems that are neither part of the payment-processing environment nor required to conduct business in the same network segment as the payment-processing systems.
- Audit all firewalls for accessible ports and services.
- Ensure all firewalls are hardware-based and provide stateful packet inspection (SPI) capabilities.
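The audit in the list above is easier to keep honest if it is scripted. The following is an added example, not code from the report or from Trustwave: it checks a ruleset for inbound allows outside an approved service list, outbound allows to untrusted destinations, web egress from the payment segment, and a missing default deny. The Rule layout, the approved-service list, the trusted destination range, the payment-segment range and the sample ruleset are all assumptions constructed here (RFC 1918 and RFC 5737 address space).

```python
"""Audit a firewall ruleset against the restrictions listed above.

Added example; not code from the report or from Trustwave. The Rule
representation, APPROVED_INBOUND, TRUSTED_OUTBOUND, PAYMENT_SEGMENT and
SAMPLE_RULES are all constructed here for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed: the only inbound services the business needs exposed (port, proto).
APPROVED_INBOUND = {(443, "tcp"), (25, "tcp")}
# Assumed: outbound destinations that are trusted (e.g. the payment processor).
TRUSTED_OUTBOUND = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed: the network segment that holds payment-processing systems.
PAYMENT_SEGMENT = ipaddress.ip_network("10.10.50.0/24")
WEB_PORTS = {80, 443}


@dataclass
class Rule:
    direction: str        # "in" or "out"
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None means any port
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"


def _net(cidr: str):
    """'any' becomes None; everything else is parsed as a network."""
    return None if cidr == "any" else ipaddress.ip_network(cidr)


def _trusted_dst(dst: str) -> bool:
    net = _net(dst)
    return net is not None and any(net.subnet_of(t) for t in TRUSTED_OUTBOUND)


def _covers_payment(src: str) -> bool:
    net = _net(src)
    return net is None or net.overlaps(PAYMENT_SEGMENT)


def audit(rules: List[Rule]) -> List[Tuple[Optional[int], str]]:
    """Return (rule index, finding code) pairs; index None means a ruleset-wide finding."""
    findings: List[Tuple[Optional[int], str]] = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if r.direction == "in":
            # Inbound: only the approved business services may be reachable.
            if r.port is None or (r.port, r.proto) not in APPROVED_INBOUND:
                findings.append((i, "UNAPPROVED_INBOUND"))
        else:
            # Outbound: only trusted destinations, and no web surfing from payment systems.
            if not _trusted_dst(r.dst):
                findings.append((i, "UNTRUSTED_OUTBOUND"))
                if _covers_payment(r.src) and (r.port is None or r.port in WEB_PORTS):
                    findings.append((i, "PAYMENT_WEB_EGRESS"))
    # Each direction must end in an explicit deny-everything rule.
    for direction in ("in", "out"):
        tail = [r for r in rules if r.direction == direction]
        if not tail or not (tail[-1].action == "deny" and tail[-1].port is None
                            and tail[-1].src == "any" and tail[-1].dst == "any"):
            findings.append((None, f"NO_DEFAULT_DENY_{direction.upper()}"))
    return findings


# Constructed sample ruleset with deliberate weaknesses.
SAMPLE_RULES = [
    Rule("in", "allow", "tcp", 443, "any", "10.10.10.0/24"),              # public web tier
    Rule("in", "allow", "tcp", 3389, "any", "10.10.10.5/32"),             # RDP exposed to the internet
    Rule("out", "allow", "tcp", 443, "10.10.50.0/24", "203.0.113.0/24"),  # payment segment to processor
    Rule("out", "allow", "tcp", 443, "10.10.50.0/24", "any"),             # payment segment to anywhere
    Rule("out", "allow", "udp", 53, "10.10.10.0/24", "any"),              # DNS to any resolver
    Rule("in", "deny", "any", None, "any", "any"),                        # inbound default deny
]                                                                         # no outbound default deny

if __name__ == "__main__":
    for index, code in audit(SAMPLE_RULES):
        print(index, code)
```

Run against SAMPLE_RULES it flags the exposed RDP rule, both outbound-to-any rules, the payment segment's web egress, and the missing outbound default deny; the rule that sends the payment segment only to the trusted processor range passes. Feeding it a real ruleset means writing a small exporter from your firewall's format into Rule objects.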
2) Perfect Your Password Policies
- Follow password complexity requirements for all personal computers, servers, firewalls, routers and other network devices.
- Require users to change passwords at least every 90 days.
- Render all passwords, whether stored or transmitted, unreadable using strong encryption.
- Require each user to have a unique account so systems personnel can track activities on a system.
- Avoid using generic or default account names.
- When an employee leaves the company, change all passwords to which that employee had access.
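To make the policy above concrete, here is an added example, not code from the report or from Trustwave, that checks candidate passwords at set time (complexity, generic account names, the 90-day age limit) and stores them as salted PBKDF2-HMAC-SHA256 digests so they are unreadable at rest. The 90-day figure is the report's; the 12-character / three-character-class thresholds, the generic-account list and the sample accounts are assumptions made here.

```python
"""Password-policy checks and unreadable storage for the rules above.

Added example; not code from the report or from Trustwave. MIN_LENGTH,
MIN_CLASSES, GENERIC_ACCOUNTS and SAMPLE_ACCOUNTS are assumptions;
MAX_AGE_DAYS is the report's 90-day figure.
"""
import hashlib
import hmac
import os
import re
from datetime import date, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 12          # assumed complexity policy
MIN_CLASSES = 3          # assumed: three of lower/upper/digit/symbol
MAX_AGE_DAYS = 90        # from the report
PBKDF2_ITERATIONS = 600_000
# Assumed list of generic/default account names that should never be used.
GENERIC_ACCOUNTS = {"admin", "administrator", "root", "guest", "test", "user", "sa"}


def complexity_ok(password: str) -> bool:
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(password) >= MIN_LENGTH and classes >= MIN_CLASSES


def is_generic_account(username: str) -> bool:
    return username.lower() in GENERIC_ACCOUNTS


def password_expired(last_changed: date, today: date) -> bool:
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a per-user salted PBKDF2-HMAC-SHA256 digest, never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def audit_accounts(accounts: List[Tuple[str, str, date]], today: date) -> List[Tuple[str, str]]:
    """Check (username, candidate password, last_changed) records at password-set time.

    The plaintext is only available at that moment; afterwards only the hash exists.
    """
    issues = []
    for user, password, last_changed in accounts:
        if is_generic_account(user):
            issues.append((user, "generic-account-name"))
        if not complexity_ok(password):
            issues.append((user, "weak-password"))
        if password_expired(last_changed, today):
            issues.append((user, "password-older-than-90-days"))
    return issues


# Constructed sample records; plaintext appears only because this is a set-time check.
SAMPLE_ACCOUNTS = [
    ("admin", "Summer2017!x", date(2017, 1, 3)),
    ("jsmith", "password", date(2017, 5, 15)),
    ("mlee", "correct-Horse-battery-7", date(2017, 4, 1)),
]

if __name__ == "__main__":
    for issue in audit_accounts(SAMPLE_ACCOUNTS, date(2017, 6, 1)):
        print(issue)
    record = hash_password("correct-Horse-battery-7")
    print(record, verify_password("correct-Horse-battery-7", record))
```

The stored record carries its own algorithm label, iteration count and salt, so the cost can be raised later without invalidating existing records, and verification uses hmac.compare_digest rather than string equality.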
3) Configure Your Systems
- Ensure system-hardening guidelines are in place to address known vulnerabilities and security threats. Base system configuration on industry-standard best practices.
- In Windows environments, configure the operating system (OS) to clear pagefile.sys on reboot.
- In Windows environments, configure the OS to disable restore points.
- Ensure there are no unauthorized modifications to systems in the environment (e.g. use of external storage, TrueCrypt volumes or unsupported software).
- Implement a strong change-control process to track all changes made to systems in the environment.
4) Secure Remote Access
- Use two-factor authentication for all remote access into the environment. Two-factor authentication is normally a method requiring something a user knows (a password) and something the user has (a token or certificate).
- Ensure third-party remote access is turned off by default and enabled by authorized users only when needed. Third-party remote access must be an on-demand solution.
- Enable auditing and logging for remote access into the environment.
5) Manage Your Patches
- Update the operating system within 30 days of vendor-released security patches/hotfixes.
- Keep applications and plug-ins current with the latest vendor-supplied security patches.
6) Scan for Vulnerabilities Internally and Externally
- Conduct regular external and internal scanning to proactively find and remediate vulnerabilities.
- Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade.
7) Log and Monitor Security Threats
- Configure Windows event logs to capture security, application and system events on all systems.
- Retain logs for at least 90 days on the system and one year offline.
- Conduct a daily review of the logs from all devices, and have procedures in place for escalating critical alerts.
- Implement an intrusion detection system (IDS).
- Implement file-integrity monitoring (FIM) software.
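File-integrity monitoring comes down to a trusted baseline and a periodic diff against it. The following is an added example, not code from the report, from Trustwave or from any FIM product: it hashes every file under a root with SHA-256, records permission bits, and on the next run reports what was added, removed or modified. The monitored tree, its contents and the simulated tampering are constructed inside a temporary directory so the demo runs anywhere.

```python
"""A minimal file-integrity monitor: take a baseline, then report added,
removed and modified files on the next run.

Added example; not code from the report, from Trustwave or from any FIM
product. The tree built in demo() and the tampering applied to it are
constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Baseline = Dict[str, Tuple[str, int]]   # relative path -> (sha256, permission bits)


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Baseline:
    """Hash every regular file under root and record its permission bits."""
    baseline: Baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = (_sha256(p), p.stat().st_mode & 0o7777)
    return baseline


def compare(baseline: Baseline, root: Path) -> Dict[str, List[str]]:
    """Re-scan root and diff it against the stored baseline."""
    current = build_baseline(root)
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "svc").write_bytes(b"\x7fELF constructed-binary")
        baseline = build_baseline(root)

        # Simulated tampering: an edited hosts file and a service binary swapped out.
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n203.0.113.9 updates.example\n")
        (root / "bin" / "svc").unlink()
        (root / "bin" / "svc.new").write_bytes(b"\x7fELF replacement-binary")
        return compare(baseline, root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In production the baseline would be serialised and kept somewhere the monitored host cannot overwrite it, and the "modified" list is what feeds the daily log review and the escalation procedure from the bullets above.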
8) Remove Any Malware
- Rebuild any system you suspect contains or contained malware, so that removal of the threat is fully confirmed.
- Ensure anti-virus software is current on all systems and configured to update its virus definitions. Also ensure the virus-definition license is valid and the software is actually receiving new definitions.
9) Firm Up Your General Security Policies and Procedures
- Conduct employee security awareness training at least annually to educate employees on information security best practices.
- Only use systems that handle sensitive data for business purposes.
- Implement strict monitoring to ensure misuse (e.g. installing computer games or unlicensed software) does not occur.
One of the underlying - but not-so-secret - causes of data breaches is the prolonged security skills shortage facing many organizations. Above, we laid out the fundamentals you should be applying at your business to resist breaches, but the fact is your adversaries are growing more sophisticated, which is necessitating an equally advanced response.
Calling in the outside experts is becoming more of an imperative, both as a proactive measure to help you improve your detection and threat hunting capabilities - particularly on endpoints, where attackers typically establish their initial foothold - and also to aid with incident readiness and response efforts.
Dan Kaplan is manager of online content at Trustwave.