If the cyber attack on the US federal government doesn’t get you concerned about enterprise security, it should.

Yesterday, we began a discussion on security for enterprises in light of the 4 million personnel records exposed earlier this month. Cyber attackers targeted the Office of Personnel Management (OPM) and may have originated in China.

Today is the second of our two-part series.

The Question

What can enterprises learn from the US federal government data breach?

The Answers

Ryan Barrett, VP, Privacy and Security, Intermedia


As the director of IT, security and privacy at Intermedia, Barrett has more than 10 years of experience in data security and IT leadership. Barrett has been integral in security with enterprises such as Qualys and WebEx, where he helped build out the original security program. Currently, he is not only responsible for securing and maintaining the privacy of Intermedia's enterprise cloud service offering, but is responsible for maintaining the efficiency and security of Intermedia's IT infrastructure that leverages enterprise cloud services, alongside Intermedia's enterprise services.

Yes. The OPM and recent Anthem data breaches are opening up to more social engineering attacks. With these recent massive breaches, many people are left wondering if their data/personal information has been exposed. Users are left in an “am I or aren’t I?” scenario. This creates an opening for attackers to exploit.

Attackers may in turn try to send email in regards to the “recent attack” asking users to verify information. Since these users are already heightened to the breach, they may be more inclined to provide that information (i.e. click here for free credit monitoring, etc.).

Good filtering tools can help, but they won’t save you.

We are living in a very dangerous time for cyber attacks. The technology is not equipped to handle some of these more sophisticated attacks.

At the end of the day it all comes down to human awareness.

Amrit Williams, CTO, CloudPassage


Williams has more than 20 years of experience in information security and is currently the chief technology officer of CloudPassage. He has held a variety of engineering, management and consulting positions prior to joining CloudPassage. Previously, Williams was the director of emerging security technologies and CTO for mobile computing at IBM, which acquired BigFix, an enterprise systems and security management company where Williams was CTO. Before BigFix, Williams was a research director in the Information Security and Risk Research Practice at Gartner, Inc., where he covered vulnerability and threat management, network security, security information and event management, risk management and secure application development.

The short answer is, without question, yes. The majority of external breaches are enabled due to issues that all organizations have control over; for example, lack of visibility into or not attempting to resolve misconfigured or vulnerable systems.

Additionally, almost 100 percent of external breaches use valid credentials, so it is imperative that organizations implement the concept of least privileged access and monitor all user activity, especially with confidential data, which absolutely must be encrypted when at rest and in motion. But even with some of the best defensive and preventative controls, the reality is that all organizations may face a determined adversary that will gain access to critical data and systems. This is where organizations need to invest in compromise management, incident response and forensic solutions to quickly identify policy violations, misuse and compromise.

While there is no guarantee that this breach wouldn’t have occurred, it is painfully clear that OPM suffered from a lack of many of these basic security controls and principles. According to some reports they didn’t even have an IT security team until 2013 and even then they lacked basic security measures such as data encryption.

The goal of security will never be to entirely eliminate all threats. The goal is to limit the potential for a successful compromise and, when one does occur, to limit the impact on the organization. It's about resiliency in the face of aggressive adversaries. Unfortunately, against the backdrop of an increasingly hostile threat environment, adoption of new technologies, such as cloud infrastructure, challenges traditional security solutions. The reality is: we now face highly skilled, well-funded nation-state adversaries, and all organizations must realize that the threat is real and the impact of a breach will be devastating.

Vaughan Emery, CEO, CENTRI Technology

Emery founded CENTRI in January 2009 with a vision to deliver technology that helps data networks perform smarter and more efficiently. Emery’s career spans more than 20 years in leadership roles of early-stage companies. Before founding CENTRI, he founded Flytrap Security, a mobile security technology company, which developed an advanced malware security solution for mobile phones and embedded devices.

While the latest cyberattack against US Government agencies is making national headlines due to its scope and depth, enterprises are just as, if not more, susceptible to persistent threats from hackers as the world has grown even more connected.

Organizations of all levels from governments to enterprises to small businesses are facing new challenges in data protection, as traditional security solutions – such as corporate firewalls and intrusion detection systems – are showing their age and failing to provide adequate protection of corporate and personal information. These systems are often the first line of defense against hackers, yet are relatively easy for sophisticated hackers to eventually bypass.

Once on the inside, hackers typically have full access to any data that has not been encrypted. Therefore, enterprises must adopt an “encrypt everything” policy that takes a more holistic view of data protection. By encrypting data both in transit and at rest, enterprises add another layer of security that protects even when hackers are able to infiltrate the network.

According to a recent Ponemon Institute study, the average consolidated total cost of a data breach is $3.8 million, which shows the serious repercussions of these attacks. Data protection should be a priority for every corporate executive, as enterprises can no longer sit idle in their security measures. A strong multi-pronged approach to security is needed that not only protects against hackers entering the network, but also encrypts data throughout.

Haiyan Song, SVP, Security Markets, Splunk


Song has been with Splunk since 2014 and currently serves as senior vice president for security markets. From 2012 to 2014, Song served as vice president and general manager of HP ArcSight, a security and compliance management company previously acquired by Hewlett-Packard Company. From 2005 to 2012, Song served as vice president of engineering at ArcSight. She previously served as vice president of engineering at SenSage, an event data warehousing company, from 2004 to 2005. Song started her career at IBM/Informix, a database software company.

Attackers can definitely infiltrate commercial systems like they did at the Office of Personnel Management, and there are several recent cases of them doing exactly that.

When attackers have access to personally identifiable information, they can create more targeted spear phishing emails using legitimate information -- making the threat even more real than it already is. Once they have system access, attackers can access even more networks, systems and information. To mitigate this risk, security teams should conduct regular user identity audits to understand which users are accessing critical systems during what times. After all, while outside threats pose obvious risks, enterprises must be just as aware of the potential for threats from the inside.

With proper auditing and tracking of user behavior, security teams can spot red flags by tracking new and unique processes being run on a system and by tracking new and unique users accessing a system. Once familiar with a user’s regular (normal) activity pattern, IT teams can spot abnormal or potentially threatening behavior. When monitoring systems, IT should also note when a new registry entry or process is made on a system and when a system begins communicating to external locations, especially a potentially dangerous one.

Proactive monitoring of internal assets, combined with threat intelligence, gives context to these events and allows security teams to detect a potential breach very early.
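The baseline-and-deviation approach Song describes (first-seen processes and users on a host, activity outside a user's usual hours, and new outbound connections to external destinations) can be sketched as a small detector over structured host events. This is an added illustration, not Splunk's own code; the host name, event kinds, hours and addresses are constructed sample data, and the "usual hours" tolerance is an assumed tuning knob.

```python
"""Flag host events that deviate from a learned per-host baseline (constructed example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Address space treated as internal; anything else is an "external location" (assumption).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed baseline events: (host, kind, subject, hour-of-day). kind is "process", "logon" or "conn".
BASELINE = [
    ("hr-db01", "process", "sqlservr.exe", 9),
    ("hr-db01", "process", "backup.exe", 2),
    ("hr-db01", "logon", "svc_backup", 2),
    ("hr-db01", "logon", "dba_alice", 10),
    ("hr-db01", "conn", "10.0.5.20", 10),
]
# Constructed new events to evaluate against that baseline.
NEW_EVENTS = [
    ("hr-db01", "process", "sqlservr.exe", 11),    # known process, usual hours: quiet
    ("hr-db01", "process", "unknown-tool.exe", 3), # never seen on this host before
    ("hr-db01", "logon", "dba_alice", 3),          # known user, but at an unusual hour
    ("hr-db01", "logon", "contractor7", 14),       # never seen on this host before
    ("hr-db01", "conn", "203.0.113.9", 14),        # first outbound contact, external address
    ("hr-db01", "conn", "10.0.5.20", 12),          # known internal peer, usual hours: quiet
]

def build_baseline(events):
    """Per host: the set of (kind, subject) seen, and the hours each subject was active."""
    seen, hours = defaultdict(set), defaultdict(set)
    for host, kind, subject, hour in events:
        seen[host].add((kind, subject))
        hours[(host, kind, subject)].add(hour)
    return seen, hours

def is_external(addr):
    return not any(ip_address(addr) in net for net in INTERNAL_NETS)

def flag_events(baseline, events, max_hour_gap=3):
    """Return (host, kind, subject, reasons) for each event that deviates from the baseline."""
    seen, hours = baseline
    alerts = []
    for host, kind, subject, hour in events:
        reasons = []
        if (kind, subject) not in seen[host]:
            reasons.append(f"first-seen {kind}")
            if kind == "conn" and is_external(subject):
                reasons.append("external destination")
        else:  # known subject: compare with its usual hours, wrapping around midnight
            gap = min(min(abs(hour - h), 24 - abs(hour - h)) for h in hours[(host, kind, subject)])
            if gap > max_hour_gap:
                reasons.append("outside usual hours")
        if reasons:
            alerts.append((host, kind, subject, ", ".join(reasons)))
    return alerts
```

A registry-key creation event would be handled the same way as a first-seen process by adding it as another event kind; the point is that each alert carries the reason, so an analyst can weigh it against threat intelligence rather than chase a bare anomaly score.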