Cyberattacks have been steadily rising. Some of the most sophisticated computer security systems in the world — from corporations, critical infrastructure and confidential government networks — have been successfully breached. According to a recent Tripwire survey conducted at Black Hat 2015, nearly two-thirds of information security professionals (64 percent) believe their organizations are potential targets for nation-state cyberattacks. In addition, 86 percent of the respondents have seen an increase in targeted attacks directed at their networks over the last year.
Additionally, successful cyberattacks can take months to discover. According to Mandiant’s M-Trends 2015 report, the average time required to detect an advanced persistent threat on a corporate network is 205 days, and in the 2015 Data Breach Investigations Report, Verizon reported that 66 percent of cyberattacks took months to detect.
What should you do about all of this? Your organization could be the victim of a cyberattack at any moment, so it’s absolutely necessary to have a plan and prepare before an attack begins. Here are some steps enterprises should take now to anticipate and better prepare for the future.
- Create and maintain a complete, accurate inventory of all hardware and software assets on your network. As part of this exercise, clearly identify which systems house sensitive business data. This is important because you must know what you have in order to protect and monitor it appropriately, and to identify rogue devices that are present on your network. Many organizations do not have an accurate, up-to-date inventory of all the devices on their networks.
- Create and maintain a plan to harvest and analyze data from critical systems on a regular basis. Make sure this plan is feasible, which generally means automating the tasks. If the process is difficult or error-prone, it won’t add value. It is important to have timely and accurate information about the state of your infrastructure.
- Organize your network and your data to minimize what you’ll lose if you’re the victim of a breach. One of the most common issues in a data breach is that once attackers gain access to an organization’s network, they can move around to other parts of the network easily. By segregating valuable data and systems from the rest of the network, you minimize the likelihood that attackers can reach important data from unimportant systems.
- Know how to isolate or remove suspicious systems from the network environment. Once you’ve identified that a system has been compromised, it is important to be able to remove it from the environment and replace it with a trusted system quickly. This must be done without re-introducing a previous vulnerability – if you can’t master this, you’ll end up getting hacked in the same way over and over again.
- Develop quarantine controls to prevent a potentially compromised system from infecting other systems. Once a system displays signs of compromise, it is important to contain it so an attacker cannot reach out and attack other systems on the network; otherwise, the attackers will be able to move freely across your network.
- Determine your most critical data assets and look for ways to make them less valuable to an attacker if they are compromised or taken (such as through encryption or data segmentation). This way, if someone is able to move your data out of the environment, they will find that it is unusable.
- Have the ability to change all user credentials on all production systems quickly and efficiently. This way, if you suspect a user’s account is compromised, you can disable old passwords quickly and keep these accounts from being abused.
- Understand the security risks associated with third-party partners and contractors. Although you trust many of your business partners, it’s important to verify their security practices. Suppliers who are connected to your network can be an easy path into your enterprise – for example, attackers in the Target breach were able to get in through a supplier’s network.
- Work with your legal and PR teams to develop a comprehensive communications plan to keep key customers and stakeholders informed should a breach occur. You want trusted partners and suppliers to hear about a breach from you first – not from the media.
While the investment in these security controls and business processes may seem excessive given your resource constraints, this investment may be the key factor in minimizing the damage should a catastrophic breach occur.
One other key consideration: cybersecurity is not a one-size-fits-all proposition. The best security strategies start with a pragmatic assessment of risk to the business. It is important for you to agree on the risks that could cause the most harm to your business, and then align your efforts, resources, and attention with those risks.
As I always say, “The shape of your investment in security should match the shape of your risk.” That maxim holds true regardless of the size of your business or security budget.
Dwayne Melancon is Tripwire’s chief technology officer and is an expert in cybersecurity. He holds both CISA and ITIL certifications, and is a member of the Information Systems Audit and Control Association (ISACA), the Institute of Internal Auditors (IIA), the Information Systems Security Association (ISSA), and the IT Service Management Forum (itSMF). Dwayne’s commentary has been featured regularly in publications such as the Associated Press, BBC News, Forbes and The Guardian, and he has been interviewed on Fox News and NPR’s All Things Considered. Dwayne regularly coaches Fortune 500 CISOs and CIOs on how to effectively communicate cybersecurity risks to the board room and the C-suite.