What providers can learn from 2016’s security incidents
Cue the year-end articles saying that this was the worst year to date for data breaches. Follow that with more dire predictions for 2017. Layer in one-size-fits-all recommendations to mitigate these risks. And finish with technology solutions that you must have.
If you read all of this you might come away thinking that if your company is not using AI and machine learning, buying threat intelligence, building a threat-hunting team, installing a next-generation antivirus solution, deploying an endpoint product and reducing your attack surface, all of those bears people talk about outrunning may already be in your network.
It is true that there were a lot of incidents disclosed in 2016, and for the first time an incident reportedly affected 1 billion accounts. There are core steps most organizations can take to mitigate risk and be prepared to respond when an incident is detected. And depending on the organization’s risk profile, you may be implementing all of those security measures. But the many years spent responding to security incidents reveal several constants:
- Whether you have “next-gen” security or little security, unskilled, semiskilled and skilled attackers usually still find a way in.
- Regardless of the sophistication of the security of a network, one of the reasons attackers still find a way in is that networks are built and maintained by people (your people and your vendors’ people), and people are fallible—people make mistakes, people get phished, and people get socially engineered.
- Most incidents are not the result of a sophisticated, never-before-seen, unpreventable attack.
After the incident is investigated and the incident response team is looking back for lessons learned, it is not uncommon for the lessons to include:
- Paying better attention to basic security measures would have prevented the issue.
- Realizing that the network environment is not uniform, there are data and devices that were not known by the security team, there are third parties with access that were not known or that were established without using the approved remote access solution, and over time, exceptions and work-arounds have been created.
- Having more verbose logging for a longer period of time that can be accessed from a central source would have enabled the analysis of what occurred to be more precise.
- Acknowledging that trust but verify is important (e.g., if someone says a network is segmented, check the ACLs and firewall rules to confirm this).
- Knowing that you can have great security tools and generate terabytes of logs, but someone has to review the logs.
- Determining that assumptions about a vendor’s role in maintaining and managing the security of the service it is offeringmay have been wrong.
- Deciding that delegating responsibility for security to IT or the security team is insufficient – it takes an enterprise-wide approach to address this enterprise risk.
- Identifying a forensic firm before the incident, negotiating the terms of a master services agreement in advance, and then meeting with that firm to discuss how it will investigate and what data is needed would have facilitated a faster response, investigation, containment and final analysis.
While most of the security incident disclosures in 2016 related to theft of data, the surge of ransomware and emergence of denial-of-service tools fueled by compromised IOT devices demonstrate that maintaining operational resiliency is equally as important as preventing data theft.
The 10-K cyber risk disclosures of many public companies state that the company relies on technology to operate its business and a failure of that technology could have a material impact. Despite those statements, many organizations that have focused primarily on preventing data theft are now addressing: (1) whether their critical operating systems are as well-guarded as systems that interact with sensitive data; (2) what backup capabilities and procedures are in place in the event of a widespread outbreak of ransomware; (3) in anticipation of facing a ransom or cyber-extortion scenario, whether the company should establish and fund a bitcoin wallet; and (4) what denial-of-service mitigation solutions are in place.
For healthcare organizations, cybersecurity initiatives have to take the following three factors into account:
- During the incident response, it is critical for healthcare organizations to consult counsel who has defended multiple OCR investigations so that the organization can build in defense strategy and begin to identify relevant information for the coming OCR investigation that will follow after OCR receives the breach notification.
- All organizations, but particularly healthcare, should include ransomware events in their breach planning exercises and incident response plans. Considerations include having backups available, whether the organization would pay a ransom demand, and whether the organization should establish and fund a Bitcoin wallet in advance to be prepared to pay a ransom demand.
- Healthcare organizations and other companies who collect information in addition to SSNs, should consider identity monitoring products in advance so that securing the services is streamlined during an incident response.