News struck yet again this week of another data breach. This time around it was an attempt to steal credit card information from the plug-in Shopper Approved that is used by more than 7,000 online stores. I thought it would be a good time to once again ask the question: If your data was stolen, would you know?
In many cases, the fear of having corporate data stolen is twofold. First, there is the obvious fear of what will happen with the stolen information. Second, there is the fear that the rest of the world will know before you do—resulting in brand damage, revenue loss, shareholder issues, and more.
However, with the nefarious nature of these types of breaches, the question revolves around not only mitigation of threats, but also how to know if it’s happened in the first place. The challenge stems from the type of attack that has been launched against you, and there are many. For instance, a breach could have occurred relating to corporate espionage. In these situations, the impact may not be known for months, maybe even years—that is, until you see your IP being sold by a foreign company at a fraction of the price.
Then, of course, we have the so-called Hacktivist: those who expose data to the world for socio-political endeavors. These breaches are usually known within 24 hours as they are “announced” to the world to shine a spotlight on the Hacktivist’s cause.
And let’s not forget the criminal intent that lies behind stolen information, which is exploitation for profit. This can be anything from financial records such as credit card and customer banking information, to corporate bank accounts being pilfered. In any case, these losses can be either immediate or drawn out over a prolonged period of time.
So, what is a company to do? Now, obviously the first thing is to set up systems and measures to mitigate risk in the first place. Having a solid perimeter to keep out the bad guys is a good place to start. Then there is the watchful eye of internal security. Having the right systems to monitor employees and mitigate risk against rogue IT, and ensuring that all employees are well versed in what to do (and what not to do), goes a long way.
But that’s not what this is about. This is about monitoring and mitigating risks as they happen. On one side of the equation resides the internet itself—diligently monitoring the outside world for clues that your data might have left the proverbial building. Pastebin—a public posting board of sorts—is one place where many data breaches appear. There are services that scan these types of sites and let businesses know whether or not they are appearing in posted documents, and so on.
Then there is the idea that all companies must look within their own walls to identify breaches—and there will be breaches. As a solemn reminder, it was only eight years ago that Debora Plunkett, Director of the National Security Agency’s Information Assurance Directorate, said there is “no such thing as ‘secure’ anymore.” In fact, the Agency now simply accepts that there are hackers already inside the network and works to mitigate risk based on that assumption.
Bad news, right? Not necessarily. First, leverage security analytics tools to look for suspicious behavior. Most likely, that behavior can be spotted using visualization tools. For instance, if your company is like mine, it’s based on process and human habits—ones that remain constant and predictable. Seeing an anomaly isn’t as hard as one might think, as “out-of-the-normal” behavior will stick out like a sore thumb, enabling you to shut it down.
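To make the baseline idea concrete, here is an added example (not from the original article or any particular analytics product) that scores each user's daily outbound data volume against that user's own habit and flags the days that stick out. The log shape, the sample records, the minimum-history and threshold values, and the choice of a median/MAD score are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data: (user, day, megabytes sent outside the network).
SAMPLE_LOG = [
    ("alice", d, mb) for d, mb in enumerate([40, 42, 38, 41, 39, 43, 40, 41, 905, 42])
] + [
    ("bob", d, mb) for d, mb in enumerate([12, 12, 12, 12, 12, 12, 12, 60, 12, 12])
] + [
    ("carol", d, mb) for d, mb in enumerate([300, 280])  # too little history
]

MIN_HISTORY = 5   # assumption: days needed before a habit counts as a baseline
THRESHOLD = 3.5   # assumption: cut-off applied to the modified z-score


def flag_anomalies(log, threshold=THRESHOLD, min_history=MIN_HISTORY):
    """Return (user, day, mb, score) for days far above that user's own norm."""
    per_user = defaultdict(list)
    for user, day, mb in log:
        per_user[user].append((day, mb))

    flagged = []
    for user, rows in per_user.items():
        values = [mb for _, mb in rows]
        if len(values) < min_history:
            continue  # no baseline yet, so do not guess
        mid = median(values)
        # Median absolute deviation: a spread measure the outlier cannot inflate.
        mad = median([abs(v - mid) for v in values])
        # A perfectly constant habit gives MAD == 0; fall back to 5% of the
        # median (at least 1 MB) so the score stays finite.
        scale = mad if mad > 0 else max(0.05 * mid, 1.0)
        for day, mb in rows:
            score = 0.6745 * (mb - mid) / scale
            if score > threshold:  # only unusually large outbound volume
                flagged.append((user, day, mb, round(score, 1)))
    return flagged


if __name__ == "__main__":
    for hit in flag_anomalies(SAMPLE_LOG):
        print(hit)
```

Using the median rather than the mean keeps a single huge transfer from dragging the baseline up and hiding itself, which is why the constant-habit user's modest spike is still caught.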
And, finally, don’t underestimate the human factor in all of this. Having experts to monitor your network and look for the bad guys is a good thing: it’s the home-field advantage—taking down the perpetrators within one’s own network is a lot easier than chasing them out into the world post-breach.
In all, there is no such thing as foolproof. But there is such a thing as being savvy enough to know how to look for the fools … the secret here is not to be the fool.