The beginning of July always marks a turning point. Summer finally feels like it’s in full swing: vacations, BBQs, and summer camps are ramping up, and it’s the perfect time to reflect on the first half of the year, see how we did, and decide what we should change. Looking back on 2014, I think it’s clear that we can be doing better. And that we need to do better.
We kicked off the year still reeling over the Target breach, an attack that continues to make headlines and led to a CEO stepping down and a CISO stepping up. In January, Snapchat users scrambled to change their passwords and Neiman Marcus shoppers were forced to keep a close eye on their credit card statements. We saw a database attack at the University of Maryland that exposed 300,000 records, eBay’s entire user database was compromised, and even the Seattle Archdiocese had to deal with hackers using the Social Security numbers of employees and volunteers to file fraudulent tax returns. That’s hardly scratching the surface of the attacks so far this year, never mind the countless others that didn’t garner national headlines.
But of course the biggest shock to the security system was Heartbleed. The Heartbleed Bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. We are all aware of the big-name HTTPS-enabled sites and applications such as Google and Facebook that were affected, but the true impact to corporate networks and servers remains to be seen.
Here we are, halfway through the year, with a full plate of attacks and breaches. We all know hype has a big role in security, but it’s no exaggeration to say Heartbleed was one of the worst vulnerabilities ever found. It’s clear our enemies are getting stronger and smarter. But we’re also still opening doors for them. Weak passwords are still the path of least resistance for even the most novice attacker.
The impact of these breaches is clear, but if you need any additional convincing, the Ponemon Institute recently released its 2014 Cost of Data Breach Study: Global Analysis, which put the average cost of a breach to a company at $3.5 million, an increase of 15 percent over last year.
So what can the security community do to fight back? If you’ve read any of my columns before this, you already know I can’t say this enough: We need to be proactive and think like an attacker.
I’m not one for predictions, but take a look at something I said back in December of 2013:
“We in the security industry need to do better. We need to continue to advance our technology and develop new and better ways of addressing security concerns and vulnerabilities. Due to the very nature of our business we will always be playing catch-up to the hackers, but that is a challenge we need to meet. I’m not sure who said it first, but the reality remains, in the security industry, we need to be right 100 percent of the time whereas the hacker only needs to be right once.”
I’m hardly Nostradamus, but this statement still applies almost eight months later. What are your most critical business assets? Once you’ve identified them, consider all the ways someone could get to them. You need to identify your security shortcomings before someone else does. Simulate attacks and run tests that tie together known vulnerabilities (such as Heartbleed), previous attack patterns, and security/network data to identify potential attack paths to your company’s crown jewels, or you risk someone walking them out the proverbial front door.
As we close out the first half of the year, as incredible as it may seem, the holidays are just around the corner. Retailers are putting in place their own security plans to make sure they are not the next “Target” as their busiest season approaches. I just hope that this time, people are not only ready to listen, but to act.