Print Issue: December 2018
Three days after detecting a breach of its network that impacted almost 50 million accounts, Facebook notified users of the incident and explained how it acted to prevent the breach from spreading.
“Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else,” wrote Facebook Vice President of Product Management Guy Rosen in a post on the social media company’s website.
“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” Rosen explained. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook, so they don’t need to re-enter their password every time they use the app.”
In response to the breach that took place on September 25, Facebook fixed the “View As” vulnerability, informed law enforcement, conducted a force logout for affected accounts, and displayed a notification for affected users when they logged back on. Rosen also said Facebook would conduct a full security review of the “View As” function.
“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” Rosen said in his post. “We also don’t know who’s behind these attacks or where they’re based.”
After its initial investigation, Facebook determined that only 30 million accounts were impacted by the breach; almost half of those accounts had their names and contact information stolen from their Facebook profiles.
Facebook is not alone in experiencing a cyber breach in 2018. In the first 203 days of the year, there were 668 publicly disclosed U.S. data breaches—meaning that at that rate, more than 1,200 breaches will have occurred in 2018.
There are roughly 18,000 companies in the United States. By the end of the year, nearly 17,000 of them will have avoided a data breach, according to a recent white paper from the SANS Institute and sponsored by Balbix, Breach Avoidance: It Can Be Done, It Needs to Be Done.
“The bottom line is that breaches are not inevitable,” the white paper said. “There are proven techniques in use today by large and small companies with limited staff and budgets that can fend off or avoid most attacks and dramatically reduce the damage of attacks that do succeed.”
John Pescatore—director of emerging security trends at SANS and former lead security analyst at Gartner—says he was inspired to write the paper after NotPetya ransomware hit FedEx and Maersk, and caused $1 billion in damage between them.
Other competitors in their respective industries, Pescatore says, did not see similar damages because they were prepared for the possibility of a ransomware attack.
Focusing on these examples of organizations taking the right steps to be prepared is helpful for industry as a whole, he adds.
“There’s no shortage of coverage in the press when the planes crash or when the breaches happen, but we never get to hear: what are those people doing right to escape these things?” Pescatore says. “In particular, with breach avoidance, how did the people who succeeded in minimizing their damage or totally avoiding damage from these breaches that made the press, what were the common things they were doing?”
To find out, Pescatore spoke with CISOs and security directors around the globe that have avoided data breaches to learn about how they’re doing it. His research found that “organizations that emphasize proactive security efforts to reduce vulnerabilities in critical business assets are less likely to suffer major business damage than organizations that don’t have the skills and tools to prioritize and focus security efforts.”
The first step that organizations are taking to avoid data breaches is taking action in the first place—proactive actions to be specific.
As Pescatore wrote, people and software will always have vulnerabilities. But security professionals and their teams can take action through several best practices to reduce the risk of those vulnerabilities.
“By developing situational awareness (timely and accurate knowledge of what we need to protect, what vulnerabilities exist, and what real threats are active against those targets), and combining it with tools and techniques for prioritizing prevention and mitigation actions, security teams can quickly take actions to avoid the most damaging incidents and to exponentially reduce the business damage of unavoidable incidents,” the white paper explained.
However, this doesn’t mean that organizations should just purchase a bunch of security products to complete these actions because there is limited correlation between the amount spent on security and the level of damage caused by a security incident.
“Simply adding layers of security products increases complexity, requires security staff skills that are hard to find, and often results in more disruption to business operations than to attackers,” Pescatore wrote.
In an interview, he tells Security Management that the real differentiator for organizations that have avoided a security breach is that the people they did have were working on the most important things first—“which tended to mean they were ahead of the curve when the attacks actually happened.”
Helping organizations determine what actions to take to prevent and avoid breaches is using a cybersecurity framework designed to prioritize protecting the business, as opposed to focusing on compliance.
“Simply achieving compliance can avoid some level of fines, but it does not assure actual protection of business and customer information, nor has it even been shown to provide any legal cover or liability reduction if incidents do occur,” according to the white paper.
Instead, SANS recommends that organizations use cybersecurity frameworks to support business protection and risk reduction, such as the National Institute of Standards and Technology Cyber Security Framework, Center for Internet Security Critical Security Controls, PCI Data Security Standards Prioritization Guidelines, or the Health Information Trust Alliance Common Security Framework.
“The use of a cybersecurity framework that prioritizes actions and controls by business risk is key to focusing on what security processes and controls are the most important to avoid incidents that would disrupt business operations or expose customer information,” Pescatore wrote.
In addition to a framework, organizations that are successfully avoiding breaches are also instituting complete, accurate, and prioritized continuous monitoring of their systems. This also requires working with the business side of the organization to ensure that nothing is falling between the cracks.
“Security professionals need similarly fresh knowledge of business operations mapped to IT assets to ensure that current and accurate risk assessments cover all critical systems,” the white paper explained.
Once continuous monitoring is implemented, it’s likely to produce a high number of vulnerability alerts for security personnel to address. However, organizations that are avoiding breaches are prioritizing what alerts they address first based on the risk to the business that alert poses.
By doing this, security professionals can get more support across the organization for addressing vulnerabilities and taking action because the impact to the business is made clear.
“When vulnerabilities are mapped first against active threats that exploit those vulnerabilities and then by criticality to business operations, security teams have been able to justify the need to take immediate patching, reconfiguration, or shielding actions,” the white paper explained.
Additionally, organizations that are avoiding breaches are using playbooks to address incidents—much like physical security professionals use playbooks to walk through response to a fire in the facility or an active shooter.
These playbooks should recommend “mitigation and shielding steps based on asset criticality and threat classification” so that any security analyst can follow the instructions to reduce risk to the organization, the white paper said.
Playbooks should also be updated regularly to address changes in IT systems and software that the organization is using.
After organizations avoiding breaches have implemented these steps, they’re also keeping track of their security posture using metrics to communicate to the CIO, the CEO, and the board what the current risk landscape looks like and how the security team is poised to address it.
“The most effective security programs develop processes and methodologies to provide high-level views of risk that are understood by management even though they are derived from data that is used by both security and IT operations for tactical decision making,” according to the white paper.
To do this, SANS recommends security professionals track three main metrics: time to detect, time to respond, and time to restore.
“The three ‘time to’ metrics discussed above have proven critical to measuring and increasing the efficiency and effectiveness of a security operations center,” the white paper said. “Higher level metrics and measurements are needed to manage the overall security program, and for effective presentation to the C-suite and the board of directors.”
Effective communication with the board has been a priority for CISOs over the past year, Pescatore explains, because boards are looking for CISOs to bring them strategies to deal with risks to the business—not just what the risks are.
“Part of this is for CISOs to think through the business side of it—what possible risks have the biggest impact to the business and what are the strategies for removing those risks,” Pescatore says.
Examples of this in action that the white paper detailed include showing a decline in risk due to faster patching or shielding, improved cybersecurity hygiene, and improved focus on avoiding software vulnerabilities.
“Trend analysis of threats, vulnerabilities, and business impact allow CISOs to demonstrate success, as well as document lessons learned from failures, and support justification for the overall strategic cybersecurity approach and any necessary tactical actions,” the white paper said.
All of these factors coming together help organizations avoid cybersecurity breaches, or—when they do occur—respond to them in a timely manner to reduce the overall impact to the business.
“What we always say in security is everybody who succeeds has found a way to mix people, processes, and technology,” Pescatore says. “People, processes, and technology, and being able to prioritize—it’s easy to say those things but to have that focus and the prioritization built in is the difference maker.”