3/2/2020
05:45 PM
How Security Leaders at Starbucks and Microsoft Prepare for Breaches

Executives discuss the security incidents they're most worried about and the steps they take to prepare for them.

In today's increasingly crowded threat landscape, it can be difficult to determine which threats companies should prioritize. For those who are stuck, it's helpful to consider what major organizations are worried about and the steps they're taking to combat those types of attacks.

This was the premise behind "Preparing and Responding to a Breach," a panel that took place at last week's RSA Conference in San Francisco. Security leaders from Starbucks, Microsoft, WhiteHat Security, and SecurityScorecard discussed the lessons they learned from the many breaches that took place in 2019 and how they plan to learn from these incidents to defend against threats of the future.

Last year brought 5,283 security breaches, said moderator John Yeoh, head of research for the Cloud Security Alliance, kicking off the panel. Organizations collectively lost 7.9 billion records, he said, and incidents indicate "the same things that are happening over and over again." What types of attacks were most frequent, he asked, and what did organizations learn from them?

"As far as types of attacks we see, [they] generally tend to either be application security attacks, phishing attacks, misconfiguration of cloud environments, these kinds of things," said WhiteHat CTO Anthony Bettini. And while these threats are old news to security pros, his fellow panelists agreed they are also the ones organizations should have at top of mind for defensive strategies.

"The reason you keep hearing about phishing from speakers like us … it's not because we want to bore you with repetition," said Microsoft's cybersecurity field CTO Diana Kelley. "It's because phishing still works." Application vulnerabilities, misconfiguration, and phishing are the three areas where attackers are having the greatest success, which is why they should be prioritized.

Some leaders, like SecurityScorecard CISO Paul Gagliardi, are most worried about how attackers use the data they steal. "One thing I often see is the somewhat sophisticated criminal groups are starting to use the aftermath of breaches to do even more targeted social engineering or phishing attacks at scale," he explained. "It's not just the fact a breach occurred; it's that all of our company's data is somehow in there."

Credential reuse is a primary concern for Starbucks global CISO Andy Kirkland, who spoke to a concern prevalent in the retail and hospitality industries. "Whenever these credentials become available, we become a place where people want to see if they work," he said. The sharing of usernames and passwords across multiple platforms is "a big thing to watch" for companies. Cloud misconfigurations, which Kirkland calls "the rebranding of shadow IT," are another worry.
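The credential-reuse pattern Kirkland describes (leaked username/password pairs being tried against a retail site to "see if they work") shows up in authentication logs as one source address attempting many different accounts in a short span. The following is an added example, not code from the panel or from any of the companies named; it assumes a constructed log line format (`timestamp ip=… user=… result=…`) and an illustrative threshold of five distinct usernames per ten-minute window, and it reports which of the attempted accounts actually succeeded so those can be reset first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (not real data): one source address cycling
# through many usernames with mostly failures, plus ordinary user activity.
SAMPLE_LOG = """\
2020-03-02T17:45:01Z ip=203.0.113.5 user=alice result=FAIL
2020-03-02T17:45:02Z ip=203.0.113.5 user=bob result=FAIL
2020-03-02T17:45:02Z ip=203.0.113.5 user=carol result=FAIL
2020-03-02T17:45:03Z ip=203.0.113.5 user=dave result=SUCCESS
2020-03-02T17:45:03Z ip=203.0.113.5 user=erin result=FAIL
2020-03-02T17:45:04Z ip=203.0.113.5 user=frank result=FAIL
2020-03-02T17:45:10Z ip=198.51.100.7 user=alice result=FAIL
2020-03-02T17:45:15Z ip=198.51.100.7 user=alice result=SUCCESS
2020-03-02T17:50:00Z ip=198.51.100.9 user=grace result=SUCCESS
"""

# Assumed log layout; adapt the regex to the real authentication log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "result": m["result"]}


def _events(log_text):
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def find_credential_stuffing(log_text, distinct_users=5, window=timedelta(minutes=10)):
    """Return {ip: sorted usernames attempted} for every source address that tried
    at least `distinct_users` different accounts inside any sliding `window`.
    Thresholds are illustrative assumptions, not values from the article."""
    by_ip = defaultdict(list)
    for e in sorted(_events(log_text), key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        suspicious = False
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({e["user"] for e in evs[start:end + 1]}) >= distinct_users:
                suspicious = True
                break
        if suspicious:
            flagged[ip] = sorted({e["user"] for e in evs})
    return flagged


def compromised_accounts(log_text, flagged):
    """Accounts where a flagged address succeeded: first candidates for a forced
    password reset and session revocation."""
    return sorted({e["user"] for e in _events(log_text)
                   if e["ip"] in flagged and e["result"] == "SUCCESS"})


if __name__ == "__main__":
    hits = find_credential_stuffing(SAMPLE_LOG)
    print("credential-stuffing sources:", hits)
    print("accounts to reset:", compromised_accounts(SAMPLE_LOG, hits))
```

A per-address threshold like this catches the noisy case only; attackers who spread attempts across many addresses and keep each one slow will stay under it, so it belongs alongside checks of new passwords against known-breached lists and multi-factor authentication rather than replacing them.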

"Just about anyone can get an S3 bucket and do whatever they want with it; potentially put whatever they want in there," Kirkland noted. The onus is on security professionals to identify these instances within an organization when they happen.
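Finding the buckets Kirkland is talking about comes down to reading each bucket's policy and ACL and asking whether an anonymous principal has been granted access. The following is an added example, not code from the panel or from Starbucks; the bucket policy, ACL, account ID and VPC ID are constructed sample values. It flags `Allow` statements whose `Principal` is `"*"` or `{"AWS": "*"}`, separates out those that carry a `Condition` (which may or may not make them private and need a human look), and flags ACL grants to the AllUsers or AuthenticatedUsers groups.

```python
import json

# Constructed sample bucket policy (not a real account or bucket): one statement
# grants anonymous read of every object, one is scoped to a role, and one uses a
# wildcard principal narrowed by a Condition.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Sid": "AppRoleOnly",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Sid": "VpcScopedWildcard",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0example"}}
    }
  ]
}""")

# Constructed sample ACL in the shape S3 returns for a bucket's ACL.
SAMPLE_ACL = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-example"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]
}

# Predefined S3 group URIs that mean "everyone" and "any AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(v):
    # Policy documents allow a single string where a list is also accepted.
    return v if isinstance(v, list) else [v]


def principal_is_anonymous(principal):
    """True when a statement's Principal matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_statements(policy):
    """Return Sids (or a positional label when a Sid is absent) of Allow statements
    with an anonymous principal, split into unconditional ("public") and
    condition-bearing ("review") statements."""
    unconditional, conditional = [], []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or not principal_is_anonymous(st.get("Principal")):
            continue
        label = st.get("Sid", f"statement[{i}]")
        (conditional if st.get("Condition") else unconditional).append(label)
    return {"public": unconditional, "review": conditional}


def public_acl_grants(acl):
    """Return (group URI, permission) pairs granted to the public groups."""
    return [(g["Grantee"]["URI"], g["Permission"])
            for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]


if __name__ == "__main__":
    print("policy:", public_statements(SAMPLE_POLICY))
    print("acl:", public_acl_grants(SAMPLE_ACL))
```

Against a real account the same functions can be fed the documents returned by the S3 `GetBucketPolicy` and `GetBucketAcl` calls for each bucket. A scan like this is a detective control; the preventive one is to turn on S3 Block Public Access at the account level so that a developer who "gets an S3 bucket and does whatever they want with it" cannot make it world-readable in the first place.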

Practice, Practice, Practice
Panelists spoke to employee and customer training strategies, tabletop exercises, and other steps they take to better prepare for security incidents. One key takeaway was the importance of working employee training into the corporate culture for everyone. As organizations change over time, and new people are onboarded, there will be gaps in cybersecurity knowledge.

"I have to take cybersecurity training at Microsoft just like everybody else," said Kelley. "We don't just assume because somebody has a title, they get to be exempt from that training." She advised annual or biannual security training for all employees. "Psychologically, humans are much better at learning when we've got a little bit of an adrenaline pump." If an employee is caught getting phished, they may remember to be more cautious next time.

"The best training is in-the-moment training," Kirkland emphasized. While some training is done for compliance, unexpected phishing emails deliver real learning moments.

He also advocates tabletop exercises with all executives in order to plan for cyberattacks. Senior execs schedule a four-hour block during which they create an entire breach narrative. Sometimes, he said, it's the first time in a while that leadership has come together to decide how they would respond to a security incident – and the results have had an effect beyond cybersecurity.

"The decisions, and the things that they've learned in those tabletop exercises, have informed the way that we respond as an organization to all manner of incidents; not necessarily those that were cyber-related," Kirkland said. Learning how business leaders collaborate "is not only educational for them; it's educational for you as a security professional," he added.

Tabletop exercises should inform a standard operating procedure for cyberattacks, said Kelley. Whether it's online or printed, every business should have guidance on how employees can escalate potential incidents and how they should respond to them. These procedures don't need to be 100% accurate – after all, every breach is different – but they should provide basic information on which internal and external organizations (cloud providers, law enforcement) need to be notified.

"You'd be surprised, with these kinds of activities, how easy it is to forget what needs to be done," she explained. If an employee doesn't know the right information or can't access it, they may have no idea how to move forward in the right direction.

Practitioners also pull lessons from previous security incidents: to inform annual trainings in incident response and business continuity, Gagliardi goes back into historical breach data to assess what security looked like before an incident. Breach disclosure is mandated under HIPAA and GDPR, he pointed out, and there are thousands of breaches that aren't publicly reported but are just as significant. Businesses "can get a lot of value" in lessons from these events.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
