The recent (and perhaps ongoing) Sony breach was certainly one of the worst corporate data breaches we have seen to date. As 2014 draws to a close, no one knows with certainty who the perpetrator was. Even so, it’s undeniable that it’s a breach that will forever change the way Sony does business.
As 2014, a year defined by information security events, comes to an end, what does the Sony breach tell us about what will happen in 2015? Here are a few things I think can be said with certainty:
- This was yet another wake-up call – but many will still sleep through it. Home Depot, Target and JPMorgan Chase were but a few of the major breaches of 2014. Many firms are simply shell-shocked and hope that nothing will happen to them. Information security has had myriad events that promised to bring sea change, quantum change and countless other transformations that many information security professionals are still waiting for. The reality is that too many firms will try to spend the least on security and hope for the best.
- More breaches will occur - be it state actors, hacktivists, disgruntled employees and the like. There’s no reason to think things will get better in the short term. The information security infrastructure is porous, and decades of poor design can’t be fixed by patching alone. This means more mega-breaches are an inevitability.
- Fixing security and doing it right takes time, money and staff - and if there is anything management dislikes, it’s putting time, money and staff into something perceived as a cash cow. Management often needs things done last quarter to make the financial analysts happy this quarter. Fixing a faulty information security program will take many quarters. Let me reiterate: there is no overnight fix here. The only way to possibly accelerate this would be to hire external resources to apply a surge strategy. But that may be unpalatable or unsupportable for many organizations. The alternative is simply moving IT responsibilities out of house, such as to cloud providers. But that is not a quick fix either.
- Buying security hardware and software ≠ having a secure infrastructure - fixing security and doing it right does not equate with buying lots of hardware and software. Many security hardware and software vendors will see increased sales in 2015, some of it significant. But these may be reactionary purchases, similar to when a new Pixar movie comes out. After a few months, the Toy Story memorabilia gathered dust in dollar stores. So too, many of these security purchases may end up as shelfware.
- Firms don’t have a handle on the amount of data they have - Steve Ragan reported that to date more than 230GB of data was leaked by the attackers. Based on that, the attackers likely have over a terabyte of data. Truth be told, it’s not just the amount of data, but what kind of data has been breached. In the Sony breach, it was quantitatively and qualitatively massive -- a perfect storm. Overall, the amount of data stored and the number of people that have access to that data in a large enterprise is simply too large a beast to effectively control.
What does this mean for 2015?
If the Farmer's Almanac did data breach predictions, it would certainly forecast 2015 as a devastating year. Even so, there is a lot firms can do to weather the storm. Consider the following:
- A good CISO is important; great security architects are critical – while a CISO may get the glory, security architects are what most organizations need. About 95% of the firms in the US are SMBs. These small firms with even smaller IT departments can’t afford to burn an FTE slot on a CISO. They need a security architect or engineer, who can hopefully also provide leadership. The bottom line is that good security design goes a very long way.
- Don’t throw good money after bad - even though management often doesn’t like to spend money on security, it’s important to realize that blindly throwing money and consultants at security problems will result in the very problems noted by Frederick Brooks in The Mythical Man-Month nearly 40 years ago. He observed that adding manpower to a late software project makes it later. Brooks also wrote that when it comes to systems development, there is no one silver bullet. The situations he detailed in the book hold true in information security.
- Use a two-pronged approach to information security – follow standard security guidelines combined with a customized risk-based approach, which will ensure your information security program is adapted to mitigate the unique risks your firm faces.
- Hire the best information security team you can afford. Consider this: it doesn’t cost to hire good security people; it pays.
- Consider a plan to retire old data. Significant amounts of old data should be moved to tape. Most firms have far too much data available on-line that can easily be moved off-line.
- Application security – there is a lot that needs to be done in this area. Behind every security vulnerability is an insecure piece of software. Application security has long been neglected in favor of network security. Firms need to ensure they have a formal program in place for secure application development and testing.
- Vendor risk – organizations that share data with third-party vendors and/or allow connectivity to their network from third-parties need to have a vendor risk management process to identify and manage vendor access.
About the author: Ben Rothke CISSP (@benrothke) works in the information security field, writes the Security Reading Room blog and is the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill).