Schwartz On Security: First, Know You've Been Breached

Spain's national aeronautics institute found three Mariposa botnet infections on internal PCs, thanks to constant testing. But when it comes to breaches, many organizations still have their heads in the sand.

Mathew J. Schwartz, Contributor

January 5, 2011

4 Min Read

Until a security incident or data breach gets discovered, does it really exist? The non-existential answer is: of course. And the longer it goes undetected, the greater the potential damage.

One 2010 study found that 41% of organizations can't determine how frequently they're targeted by advanced attacks, and half of organizations take at least a month to detect such attacks.

Likewise, the data breach list maintained by the Identity Theft Resource Center (ITRC) lists numerous breaches that have an estimated start date, sometimes months or even a year prior to an organization publicly declaring that the breach occurred. Half of all organizations involved in known 2010 data breaches also didn't disclose the attack vector or number of affected records. Perhaps they simply don't know the answers.

So as it comes time to make, break, or pursue resolutions for the new year, let's set one for information security. Rather than obsessing over which security technologies are in play, why not ask bigger questions: How do we know when we've been breached, and can we trace the attack back to prevent it from happening again?

One lesson comes from INTA, Spain's national aeronautics institute, where 1,600 scientists demand easy access to information, not to mention WebEx, unencumbered by security policies. How do you secure that environment -- and enforce security policies -- while not strangling people's ability to locate essential information or collaborate?

It's a difficult environment to secure. "They are working with a lot of top secret information," said Jesus Garrido Antonio, INTA's head of information security, speaking this past autumn at an event hosted by Palo Alto Networks. Furthermore, top secret data, such as the range of the Meteor air-to-air missile project, may involve just two numbers. How do you secure that? Antonio's answer is to provide more layered security, find ways of cross referencing what's happening with what isn't happening, and regularly test, compare, and contrast the latest technology. "You need to have one leg in back and one in front," he said, "because hackers are always trying something new."

Overlapping technology helps discover problems that a standalone approach may have missed. For example, in September 2010, INTA began testing three new types of firewalls, including a Palo Alto next-generation firewall. On the first day, that firewall flagged three Mariposa botnet infections running on internal PCs, despite the fact that INTA had deployed antivirus engines on all of its PCs and used intrusion detection and prevention systems on its enterprise networks.

The security team traced the problem to three PCs, running Windows 2000, used to manage warehouse inventory. While the PCs didn't store sensitive information, the infection was still troubling. How had Mariposa infiltrated the enterprise, and why were these PCs still running the old Microsoft operating system? Ultimately, the security team discovered that it had supplied three brand new PCs to replace those old warehouse PCs, but warehouse managers diverted the new PCs to become their new desktops. Meanwhile, the Windows 2000 machines remained in place, essentially off of the security grid.

The lesson: Never assume that just because a security tool isn't flagging a problem, that a problem doesn't exist and someone isn't trying to exploit it. Of course, behaviorally speaking, we tend to do the opposite – we overestimate the likelihood of good outcomes and underestimate the likelihood of bad ones. Behavioral scientists even have a name for this tendency, optimism bias, or the positivity illusion.

How can people combat this tendency? The answer, generally speaking, is to use more automated mechanisms that reduce the need for subjective interpretation. In security terms, it also includes layering defenses to help build a better, automated picture of what's actually happening on the network.

So this 2011 security resolution might sound like back to basics, but it stands to demonstrably improve enterprise security: Never stop testing new defenses and finding better ways to "layer up." Because staying ahead of attackers is going to take resolve.


Schwartz On Security: Don't Get Hacked For the Holidays

Schwartz On Security: WikiLeaks Highlights Cost Of Security

Schwartz On Security: China's Internet Hijacking Misread

Schwartz On Security: Click 'Dislike' For Facebook Safety

Schwartz On Security: Reaching The M&A Tipping Point

Schwartz On Security: Remove Dangerous Sites From Internet

Schwartz On Security: Zombie Internet 'Kill Switch'

Schwartz On Security: Can Apple Minimalism Stop Botnets?

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights