Saturday, June 18, 2011

Another wave of attacks and breaches


Back in April, I wrote about a wave of attacks and breaches (you can read it here). This month we are seeing a whole new wave of attacks and breaches, some of which include Citigroup, Sony, IMF, Lockheed Martin, etc.

2011 has definitely brought many high-profile breaches. One interesting development is that these breaches benefit not only the adversaries but also the people involved in the investigations. WSJ reports that an “industry of experts”—from lawyers to forensic investigators—has emerged to help companies deal with the painful job of informing customers that their data has been hacked.

We have also started to see the re-emergence of so-called hacking groups. Some of the new groups, such as Anonymous and LulzSec, are reported to be active participants. This is definitely a concern for information security practitioners, as suddenly we have a much stronger and more determined opponent to deal with.


US lawmakers are getting busy as well. Congresswoman Mary Bono Mack, Chairman of the House Subcommittee on Commerce, Manufacturing and Trade, early this week released a discussion draft of the Secure and Fortify Data Act (SAFE Data Act), which establishes uniform national standards for data security and data breach notification. A key feature of the SAFE Data Act requires notification to the FTC and consumers within 48 hours of the time that a breach has been secured and the scope of the breach assessed. The FTC would also be given the authority to levy civil penalties if companies or entities fail to respond in a timely and responsible manner.

So, what can we as corporate information security professionals do? As I have mentioned in this blog many times, there is nothing new to be done here. Follow the simple steps and go back to the basics: identify what and where your sensitive data is; apply minimum controls to thwart simple attacks; monitor the sensitive information, both at the asset level and the network level; and finally, keep up with the new threats and learn how to defend against them.

The sophistication of information threats is only going to increase, adversaries looking to steal sensitive information are only going to increase, and the market for such sensitive information is only going to increase. Better preparation and bringing in capabilities to defend against, and recover from, these attacks should be a primary concern for information security departments. Many organizations concentrate on a compliance and checklist-centric methodology, which will only lead to more such attacks and breaches. The time has come for organizations to develop capabilities and talent within the organization.


State and local governments also have a bigger role to play. Organizations need help from government agencies in the form of intelligence and investigations and, more importantly, in working with foreign governments to identify and contain the threats and threat agents. Announcements such as this one from the NSA are promising, and they should start developing tools and processes to share intelligence with the private sector as well.

