Defending against data breaches: Q&A with Brian Isle

There’s a feeling of growing anxiety in the business world. Several months ago, scores of millions of people were affected when large-scale data breaches stole credit card information from retailers like Target and Neiman Marcus. Last week, another major breach was announced: the Heartbleed bug, a flaw written into the widely used OpenSSL encryption software that could reveal users’ website passwords on a dizzying number of sites, including Amazon and Yahoo.

The continual threat of cyber-attacks has many companies wondering how they can protect their data and maintain their customers’ confidence. Brian Isle is the co-founder and former CEO of Adventium Labs in Minneapolis, where he researches critical infrastructure safety and security. He is also senior fellow at the University of Minnesota’s Technological Leadership Institute in the College of Science and Engineering and teaches a course on information assurance and risk assessment for the U’s Master of Science in Security Technologies program. Below, Isle shares advice on how companies can be smart about locking up their data.

How can companies best prepare themselves for the threat of a cyber-attack?

In the past, companies large and small would purchase a firewall and maybe some form of intrusion detection, give security responsibility to one of the IT staff and call it a day. Today, the best-in-class companies view security as a dynamic process that includes written policies, procedures, well-trained people with well-defined roles and responsibilities, a security-aligned organizational structure, and, of course, appropriate security hardware. The best companies are always reviewing and testing their security process and improving.

There are many very good security resources available. A good place to start is the National Institute of Standards and Technology (NIST) 800-30 guide on risk management for IT systems. One of my often-used mottos is, “No amount of hardware will make up for the lack of policy, procedures and trained personnel.”

If a company is hit by a cyber-attack, what’s the best way for that organization to react?

This is a question we could spend the next several hours discussing. Here is a very short action list:

First, call the local FBI office immediately. The FBI is very engaged in responding to cyber-attacks, especially ones dealing with the loss of intellectual property. Second, disconnect your systems in a manner that preserves all the files, including logs, that could contain evidence of the attack. Third, assemble a capable team to analyze the loss, understand the attack vector — the vulnerable point, such as exploiting an out-of-date operating system — and provide your company with a recommendation for mitigating current damages and preventing future attacks.

How many companies that have suffered data breaches were well prepared?

The Verizon Breach Investigation Report, which is highly regarded by security and IT professionals, combines the expertise of 19 global organizations that track data breaches and analyzes the underlying details of those breaches each year. The 2013 report says 78 percent of exploit techniques were of either low or very low difficulty, requiring basic methods and few special skills. Only 1 percent of the breaches required advanced skills or resources. This means the majority of companies who did suffer losses had deficiencies in their preparation for a cyber-attack. The percentages noted above have stayed about the same over the last several years.

Are smaller firms just as capable of defending their data as larger companies?

Adversaries know smaller organizations in general are less mature in their preparation against attacks. Smaller companies are usually more worried about keeping afloat or growing the company. They typically assign security to the IT staff. I believe, however, that these companies can develop and implement appropriate and affordable safeguards. My colleagues and I have had great success over the years in teaching a lightweight risk assessment process based on the NIST 800-30 guide at various companies, including start-ups.

The key is to identify the critical assets of the company and then have a realistic discussion about the most likely adversary. These two steps help scale back the analysis to focus on a realistic threat and measure the impact the breach will have on the firm. Next, companies should prioritize their security investments based on the analysis and then periodically repeat the analysis. Of course, it is critical to test the security process as well.

How have the tactics of cyber criminals changed over time?

In the early days, hackers were focused on personal glory and bragging rights about their exploits. In the 1990s through mid-2000s, hackers were focused on the development of malicious code and outwitting the security defenses. The current trend is toward a more sophisticated attacker driven by financial gain, gaining competitive advantage, revenge, or in the case of the “hacktivist,” righting a perceived injustice. I believe one of the big changes is the move to “malware as a service” where malware developers make software meant to take control of computers, exfiltrate information or do damage. These developers are selling their malware to criminals much the same way a typical software vendor would, complete with a customer service hotline. This approach allows the criminals to be more efficient by focusing on the delivery of the malware rather than on its development.

Typically, what are cyber criminals after? Is it mostly credit card information and other forms of wealth?

Several security experts observe that around the mid-2000s the source of attacks changed from joy-rider hackers to an attacker driven by financial gain, which is now by far the biggest driver for the attacks, followed by revenge and espionage. However, the answer really depends on the industry you are considering. In retail and food services, the goal is often credit card information. In finance, it is ATM skimming, where thieves set up a device that records information from a credit card’s magnetic strip. In manufacturing, the adversary’s goal is stealing intellectual property.

How do you think data security will change over the next few years?

The good news is there is a trend toward creating security frameworks, defining standards and sharing best practices that will help companies improve their security readiness. Companies are building security into their organizations and into their products and providing adequate funding for the entire security process.

Based on the trends, cyber criminals will likely up their game with more professional malware to attack the more lucrative organizations and targets. Criminals will also continue to go after the weaker, less-prepared companies. They will continue to exploit the side of the security equation that is prone to human error, like through seemingly innocuous emails that link to malware.

Reprinted with permission from Business @ the U of M, a publication of the Office of the Vice President for Research.