Cyber Security
Know your enemy, but know yourself too You can’t protect your company’s data if you don’t know where it is
I By Stuart Clarke Director of Cybersecurity & Investigation, Nuix
nformation security experts and practitioners are united in the belief that we cannot prevent data breaches by building bigger walls around our networks. As Gartner’s bluntly titled report, Malware Is Already Inside Your Organization; Deal With It argues “organisations must assume they are compromised, and, therefore, invest in detective capabilities that provide continuous monitoring for patterns and behaviours indicative of malicious intent.” In a recent survey of corporate information security practitioners, published by Nuix and conducted by Ari Kaplan Advisors, a senior security official said, “That paradigm of relying solely on the perimeter is long gone; it is part of a security architecture, but it doesn’t even begin to be a dependable approach to security.” Another explained that “[Data breach] prevention is an unobtainable goal in the current environment so our focus is a very fast pathway to remediation because we know we cannot eliminate all compromises.” Look inwards for greater insight So, if the current approach to data protection isn’t working, what is the answer? Perhaps the answer lies in looking inwards at information management practices and policies as much as you focus on external threats. Organisations must tackle data security on all fronts. On one level, this is a vastly complex undertaking that requires cross-border law enforcement and governmental collaboration and the development of more robust international standards. From a corporate perspective, it involves using better technology and more advanced security but also continuously advancing information security—not just ticking a box once you have implemented a perimeter defence system. In this new paradigm, the main priority of information security is reducing the delay between when breaches occur
26 | Australian Security Magazine
and when you detect and deal with them. This requires rapid, thorough and effective post-breach investigation and remediation. Fast detection and remediation of breaches In any breach situation the clock is ticking; data has gone missing; costs are building up and there is an increasing risk that someone else could exploit the same vulnerability. There is also the risk the attacker could introduce backdoors into your network, expand the compromise and cover their tracks. Take the Home Depot breach in the US last year. Analysts believe the breach was exploited over a five-month period, during which over 50 million customers’ payment cards where affected. Following a wake of fraudulent transactions on customer cards a result, some customers have filed class-action lawsuits against the home improvement retailer, one to the tune of US$500 million. US retailer Target recently settled a class action suit brought by its customers after a data breach for a relatively modest $10 million. Closer to home, the daily deals website Catch of the Day took until July 2014 to disclose to the public that it had been the victim of a data breach in 2011. The company reasoned that it “informed police, banks and credit card companies” at the time and that it was only disclosing the breach to its customers three years later because advances in technology meant hashed customer passwords could now be compromised. A more cynical interpretation is that the website did not discover the breach until much later, which could explain why the Australian Federal Police had no record of receiving a complaint from Catch of the Day in 2011. Where is your data? One reason organisations take so long to detect and remediate breaches is that they are unsure where their high-risk data resides. After a breach, there is no way of knowing which