Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

11/13/2019
01:00 PM
Ariel Zeitlin
Ariel Zeitlin
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

Breaches Are Inevitable, So Embrace the Chaos

Avoid sinking security with principles of shipbuilding known since the 15th century.

If you consider cybersecurity breaches to be the "new normal," you're in good company. A recent survey conducted by Kaspersky Lab revealed that 86% of 250 top security officials who participated believe that cybersecurity breaches are inevitable. The complexity of today's cyber environments guarantees that every company is on a path to a breach. Cloud adoption that leads to hybrid environments spread across different locations and teams, the use of containers, a permeable perimeter — all these factors broaden the attack surface and challenge our existing approach to managing threats.

Shipbuilders Expect Failure and Plan for It, and You Should Too
The security industry clearly could be doing more regarding breach management. Though we spend billions of dollars and likely prevent lots of bad stuff, the number of high-profile breaches causing devastating damage is constantly increasing and, with it, the exponential growth of exposed records and sensitive customer data. And why? Because unlike other industries, we fail to plan for failure.

Take shipbuilding, for example. Shipbuilders have engineered their systems for failure by, among other things, segmenting the hulls of their ships and limiting access to the ship's engine room to contain damage if a breach happens. It's been done this way since the 15th century, and it's still being done in today's modern vessels. The lessons learned from shipbuilders can be applied to modern IT security. Here are a few security principles that reflect this:

  1. Shipbuilders assume that at some point the ship will suffer a leak, and so they create hulls that prevent a single leak from sinking the entire ship. In the same way, assume a breach in your corporate environment and segment your network. This way, if there's malware in the testing environment, other sensitive environments such as development, production, and the DMZ won't be affected. Lack of segmentation allows attackers to move with ease to critical areas once they make it through the perimeter, much the same way water would flow throughout the entire ship if the hull wasn't segmented.
  2. Staff responsible for maintaining the ship's hull monitor for leaks or weak points patch regularly to keep precious cargo and crew safe. In the same way, modern security teams must be vigilant about monitoring and patching to prevent proverbial cracks in the perimeter and potentially bigger problems.
  3. The ship's most sensitive tools are hosted in the engine room. To protect your crown jewels, fence your critical IT assets to make sure they are not damaged in case of a network breach.
  4. Consider ships that staff their lookouts 24/7 in order to keep a watch on everything, and direct course correction if necessary. Similarly, think about maintaining complete visibility throughout the entire data center down to the application level. Gaining visibility of an increasingly complex and dynamic ecosystem is a must before you can "change course" or put any policy or controls into place.
  5. Keeping the crew from accessing the ship's bridge is an important safety measure. Likewise, in the cyber world we advise that you base your policy on user identity to ensure that your employees, contractors, and remote users access only what they're entitled to. The result is greater security for your business-critical applications that can be accessed only by authorized users.

In the past two years alone, there have been several examples that point to a lack of visibility and segmentation as the No. 1 cause for large-scale breaches. With a breach of the scale of Equifax — one of the largest cyberattacks of all time, affecting 148 million consumers in 2017 — the US House of Representatives Committee on Oversight and Government Reform report on the breach mentions "the company's failure to implement basic security protocols, including file integrity monitoring and network segmentation" as an insight into how Equifax "allowed attackers to access and remove large amounts of data."

Equifax's lack of a well-implemented segmentation strategy allowed attackers to gain access to dozens of databases that contained personally identifiable information in an attack that lasted over 75 days. WannaCry, the largest malware infection in history, could have also been better contained if companies had patched their systems against the MS10-010 vulnerability that allowed its exploitation. Recall, however, that with WannaCry, organizations didn't realize they had a vulnerability that needed patching or were unable to do so. Even without patching, had network segmentation been deployed, affected organizations would have been able to enforce security policies and prevent the worm from moving laterally across their environments. 

Anticipate the Breach. Patch. Segment.
With threats at the scale of Equifax and WannaCry, it would be easy to assume that the attackers used a complex attack pattern or took advantage of a new vulnerability that flew under the radar. Yet these attacks were made possible by unpatched systems and the lack of network segmentation. By embracing the chaos to come and anticipating attacks that can be stopped by network segmentation and better visibility into the data center, businesses are less likely to be sunk by a breach and can ensure the longevity of their company. 

Related Content:

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Account Fraud Harder to Detect as Criminals Move from Bots to 'Sweat Shops'."

Ariel Zeitlin co-founded Guardicore after spending 11 years as a cybersecurity engineer and researcher at the Israeli Defense Forces (IDF), where he worked closely with co-founder Pavel Gurvich. In his last position at the IDF, Ariel led a team of 30 engineers and researchers ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AndrewfOP
50%
50%
AndrewfOP,
User Rank: Moderator
11/15/2019 | 10:34:34 AM
User and Network policies vs. Password and MFI
"... base your policy on user identity ... file integrity monitoring and network segmentation"

This is what I have been saying forever. Blaming user for not using passwords properly, especially incessant password changes, is a poor excuse for running an IT system. Without properly segmentation of systems and a bird's-eye-view monitoring of users' activities, no amount of password changes or multi-factor identification would secure the critical IT infrastructure.
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "This is the last time we hire Game of Thrones Security"
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4428
PUBLISHED: 2019-12-09
IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session....
CVE-2019-4611
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168519.
CVE-2019-4612
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to malicious file upload in the My Account Portal. Attackers can make use of this weakness and upload malicious executable files into the system and it can be sent to victim for performing further attacks. IBM X-Force ID: 168523.
CVE-2019-4621
PUBLISHED: 2019-12-09
IBM DataPower Gateway 7.6.0.0-7 throug 6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC. IBM X-Force ID: 168883.
CVE-2019-19230
PUBLISHED: 2019-12-09
An unsafe deserialization vulnerability exists in CA Release Automation (Nolio) 6.6 with the DataManagement component that can allow a remote attacker to execute arbitrary code.