In-Depth
Bridging Security Gaps to Prevent Data Breaches
Today’s cybercriminal is especially aggressive about penetrating networks to gain access to valuable data. We explain what steps you must take now to protect your systems.
by Phillip Lin
Data breaches are sometimes talked about as a single, catastrophic event. In reality, data breaches typically take place over the course of weeks and months, and are a cascade of events that together snowball into the resulting avalanche of compromised records, consumer notifications, and bad press.
It literally starts with just a single infected system on the network. Despite stringent corporate security policies, physical safeguards (such as access controls, data encryption, employee training on passwords and safe data handling), and even compliance with standards such as PCI, data breaches are still taking place on a massive scale. So far in 2009, data breach victims include Network Solutions, Citigroup, Mitsubishi, Heartland Payment Systems, and, of course the ultimate victims, their customers who had their credit card and other personally identifiable information stolen.
Using a variety of attacks -- from the latest Web-based, obfuscated attacks to the tried-and-true social engineering scams -- cybercriminals aim to simply infect a system to establish a foothold in the network. Over time, they tighten their grip on the PC, downloading further payloads (such as root kits) onto those compromised systems. Their goal is as much to siphon data from the infected system as to gather user credentials and the keys necessary to access and decrypt valuable databases.
The aggressiveness of cybercriminals and the sophisticated malware tools they employ poses a serious challenge to any enterprise IT organization. However, there are practices that will enhance the IT security posture of an organization. A holistic perspective to overall network security is necessary to ensure the business can rapidly respond to emerging threats and protect critical data assets.
Steps to Protecting Data
Establishing a baseline overview of the IT security infrastructure is an important first step. Understanding how each piece of the IT security complex is expected to help mitigate data breaches will both highlight the work already done in protecting corporate data assets as well as detail the potential gaps to be prioritized, funded, and closed. For example, endpoint patch management is critical to reducing the attack surface for cybercriminals to exploit. However, endpoint systems are inherently vulnerable, so we must assume that the endpoint software environment can (and will) be disrupted to prevent patch updates or subverted to provide misinformation on its security posture.
Next, customer databases, AAA servers, financial systems, and application servers are clear areas to review for access controls, endpoint security, as well as network-based protections. For example, monitoring the server farm for suspicious outbound communications can highlight potential breach activities.
Users with elevated access privileges are often the weakest link because they use laptops and home systems to access corporate servers. These mobile and remote systems are the most difficult to secure because oftentimes they are not even owned and controlled by the enterprise. Contractors and partners logging into the network via VPN are a clear risk factor for introducing a gap into the network. Specialized network security monitoring for mobile and virtual private networks is critical to identify infected systems accessing the enterprise network.
Too often, management is overly focused on compliance standards without understanding the greater holistic view of corporate IT security. Compliance standards represent generalized, and in many cases, the minimum standard for IT and data security. Heartland and Network Solutions were PCI compliant, yet suffered massive data breaches because undetected malware was stealing transaction data and sending it out to criminal servers.
With an overall view of the enterprise’s IT security posture, IT professionals must discuss progress and justify next steps to mitigate potential data breaches. Data protection is much more than simply encrypting the data and limiting access to key servers. Management must understand that the overall data lifecycle includes addressing the security of systems where data resides (data at rest) as well as the systems that have access to the data.
Combat Cybercriminals Aggressively
Today’s cybercriminal is especially aggressive about penetrating networks to gain access to valuable data. Their malware toolkits constantly probe to exploit vulnerable endpoint systems and take advantage of user innocence. Too often, a data breach begins with just a single infected PC brought into a network from the outside or vulnerable external-facing server. Because these types of infections can evade traditional perimeter defense, and remain stealthy and undetected while traversing internal systems, the prevention of inbound attack must further be complemented by tracking outbound communications.
Modern malware analysis and protection systems can be deployed in conjunction within the security infrastructure to help companies stay alert for signs of intrusions and other suspicious outbound data exfiltration attempts, providing a final layer of a defense-in-depth strategy.
Phillip Lin is the director of marketing at FireEye. You can contact the author at plin@fireeye.com