Businesses are generating and storing great volumes of data using numerous platforms: desktops, laptops, servers, cloud servers, archiving appliances, external storage devices, websites and more. Charlie Platt explains how iDiscovery Solutions advises clients from both the prevent and protect side as well as incident response. His remarks have been edited for length and style.
MCC: Tremendous amounts of data are produced by businesses today, in a variety of forms from multiple sources. Employees are using personal devices and email, as well as other digital accounts, to communicate and store information. How can businesses assess their vulnerabilities and protect their data, whether at rest or in motion? How can they ensure that they can identify a data breach or network incident and do so quickly?
Platt: It’s important to keep in mind that there is no one-size-fits-all solution to cybersecurity and that no solution can guarantee 100 percent effectiveness. With that in mind, some of the best ways to address the issue are non-technical in nature. For example, education, policies and culture can have a more significant impact on the security of your organization than a large purchase of software or hardware.
I’m not saying that technology is not part of the solution; it absolutely is. However, technology is just one part of a multifaceted solution and if we don’t address the other facets, no amount of technology can account for the shortfall. Case in point, Target. Target, according to their own press release post-breach, had spent hundreds of millions on cyber defense, and yet it was a failure in policy and culture that ultimately led to the breach.
To be more specific to your question, before we can assess our vulnerabilities and develop defenses, we need to understand our systems and our data. What are we defending and why are we defending it? Are we putting as much effort into defending the office roster as we are confidential business information? Is our data properly segregated or is it all collocated, mingled and unmanaged? Does anyone with access to one piece have access to all pieces?
You’d be surprised by how many organizations set up private and secure network storage locations for employees, but the employees all use a common shared network location to which everyone has full access. They do this because it solves a business need, is cost effective and gets the job done quickly and efficiently. It’s also exceptionally bad from a cybersecurity viewpoint. I’ve seen this at sites where unmanaged network shares hold data going back to the early 2000s and beyond. All staff have full access to all data. When employees leave, the data remains and accumulates over time. No one knows what is out there and what might be considered PII or confidential, or who is accessing what data. This is not really a technology problem, but rather an educational and cultural one. The trick is to make sure to address the business need at the same time we solve the security hole; otherwise it will just pop up somewhere else.
MCC: These days, the common wisdom seems to be that a data breach is inevitable – a matter of when, not whether. Some say protecting the perimeter is a strategy destined to fail. How can businesses best prepare themselves for when that day arrives? Who are the key players who should be involved in planning and responding to such an incident?
Platt: I’ve heard the argument that given enough time and persistence, an attack will be successful. While I tend to agree, I think that’s only half the picture. What we are leaving unsaid is the level of success achieved by the attack. Simply because someone is successful in breaching the perimeter doesn’t mean they are successful at breaching critical or sensitive information. We need to stop thinking about security as a one-stop perimeter defense and start thinking on a more compartmentalized basis.
This means we need to defend ourselves in a manner where a successful perimeter breach gives the attacker minimal access and presents them with a whole new defensive surface. In essence, once they’ve breached the first line, they are faced with having to repeat that success again and again before being able to access anything of importance. All of this secondary attack activity is occurring within our perimeter, which makes it easier for us to detect and address. It also allows us to apply higher levels of resources (budget, technology and staff) to defend critical areas.
Who are the key players? C-suite executives and the company’s board. The board needs to address cybersecurity as a strategic priority and should have a cybersecurity committee devoted to the topic. The executive suite needs to embrace security and not sidestep it. Their demeanor will set the tone for the entire organization.
Once leadership is on board, the key players involved in drafting a response protocol should include IT, information security, inside and outside counsel, and the various business units. Outside consultants can also be of great assistance in developing a response plan, but the authority and the final responsibility needs to reside within the organization. This responsible party does not necessarily need to be an IT professional, but does need to have a vested interest in the security of the organization – with the authority and backing of senior leadership to make changes and implement policy.
IT and information security are fairly obvious needs. Inside and outside counsel are needed to provide guidance and understanding of compliance and regulatory needs, as well as help maintain privilege and confidentiality of sensitive conversations. What is often lacking, yet absolutely critical, are the business units. They need to be included in developing incident response plans because they are the ones who not only know the data, but understand its business importance. They are key to developing solutions that work and can realistically be implemented.
As a simple example: locking down USB ports so that thumb drives and auto-launch no longer operate might be a valid and appropriate solution to a cybersecurity problem. However, an organization might very well see a dramatic rise in use of cloud based storage, such as Dropbox and Google Drive, as a result of that action. So, we have just replaced one exposure with another exposure. If we had included the business units up front, we may have understood that private ad hoc file sharing between devices is a critical need and, along with our lockdown, provided a secure alternative to USB drives.
MCC: There is a great deal of talk about “incident response plans.” How can businesses ensure that their team can develop and execute such plans when data is so voluminous and varied?
Platt: Like in many problems viewed as a whole, it can appear daunting and insurmountable. However, if we break it down into constituent parts and start addressing individual pieces, before we know it we’ve achieved our goals. A good start is to document and understand your IT systems. Then, create a risk map of those systems, asking questions about each: Does it contain PII? Does it transfer data in and out of the organization? Does it use encryption at rest? Is it business critical? Get a sense of where you need to act so you can target your approach to the highest need.
MCC: Are there any case studies you can point out to our readers that would illustrate best practices or lessons to learn from a data breach or network incident?
Platt: I’m not sold on case studies as much as a handful of industry documents that I rely on. First to mind is NIST’s “Framework for Improving Critical Infrastructure Cybersecurity.” This does a great job of pulling together many of the risk areas involved and provides, as the name implies, a coherent framework for developing cybersecurity policy and procedures. Second is NIST Special Publication 800-30, “Guide for Conducting Risk Assessments – Information Security.”
These can be a bit dense for non-security professionals. A bit more accessible is Alien Vault’s “Insider’s Guide to Incident Response.” It really provides a good overview for a non-security professional and acts as a great high-level guide for professionals.
Another favorite is Verizon’s annual “Data Breach Investigations Report.” This contains a great overview of the current state and what is really occurring as it relates to industry and attacks.
MCC: How do businesses know when they should report a data breach or network incident to government enforcement officials? What are the protocols for such an incident?
Platt: One of the first items in your incident response plan should read, “Contact Outside Counsel.” Outside counsel absolutely needs to be involved in incident response, both in planning and in execution.
The protocol can vary based on the organization and the type of data involved. Organizations need to clearly identify their data, understand the regulations and compliance to which they are subject and clearly spell out the relevant reporting requirements – including how they will comply in any given situation.
In many cases, we find that while data may have been exposed, there is no evidence of actual breach or access to the data. Various organizations choose to respond to that scenario differently. Some favor reporting with the sense that sharing information can benefit the overall community, while others feel that sharing when not required can damage their reputation and brand, or even encourage future attacks. The important thing is to make these decisions prior to the event, with a calm mind and advice from counsel, rather than trying to make a critical decision under the pressure and deadlines associated with reporting.
MCC: When you are working with clients, what keeps you up at night? What are the risk factors that may be off the radar for most businesses?
Platt: From a small business viewpoint, the two things that scare me the most today are Cryptoware and some of the new multi-pronged “whale” and “spear” phishing attacks.
What keeps me awake at night is a looming shift in focus. When we think about cybersecurity today, we generally think about either confidentiality or availability. Confidentiality: has someone had inappropriate access to read my private information? Availability: has someone been able to prevent me or my customers from accessing systems or data? From breaches of our private data (e.g. PII, HIPPA, CBI) to attacks designed to deny access (e.g. DDoS and Cryptoware), confidentiality and availability have been a core focus of cybersecurity in the recent past.
In the future, I see integrity moving to the forefront. The question will not be, ‘Has someone seen my private health information?’ but instead, ‘Has someone altered my private health information?’ As we become more and more reliant upon these systems as final authorities, we become much more vulnerable to alterations in that data – the subtler the alteration, the scarier. Consider the business data that you rely on daily to operate your business. Now consider that someone has had access to maliciously alter that data for the past month, the past quarter, the past year, and you’ve been relying on it to make critical business decisions. Would that keep you awake at night?
Charlie Platt, Senior managing consultant at iDiscovery Solutions. firstname.lastname@example.org