Domino’s Pizza is the latest victim of a breach followed by a ransom demand. Together with the recent DDoS ransom demands against Evernote and Feedly, and the Cryptolocker campaign and similar schemes to extort cash from unsuspecting users, it shows online extortion being pushed to the limit. These brazen attempts to make a quick profit will continue for as long as they remain successful.
So we are seeing a continuation of a theme here. If you hold password or account information for your customers and expose it through an online service, you could end up in the news, or even on the world stage, should the hackers turn their attention to you. eBay is another recent example.
So what is the new normal for companies which want to prepare for a cyber breach?
STEP 1 – Recognise your risk (update the risk register): Your risk register should, by default, record the breach of customer account information as a defined risk. That data is a target for very real threat actors, and the register should say so.
STEP 2 – Secure the data (implement and verify the right controls): Passwords should be stored only as the output of a strong, deliberately slow password hashing function, with a unique random salt for every password so that identical passwords do not produce identical hashes and precomputed tables are useless. The salt itself need not be secret, but the stored hashes, like any customer data, must be protected. Complex passwords should be enforced, and the standard security hardening, patching and testing needs to be conducted. Passwords do not normally need to be stored in a reversible form: not encrypted, and certainly not in plain text or merely obfuscated, because anything reversible can be recovered wholesale by whoever takes a copy of the database.
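As an added illustration of the storage control in STEP 2 (example code written for this page, not Nettitude's own), the following Python uses PBKDF2-HMAC-SHA256 from the standard library with a random per-password salt, stores the parameters beside the hash so the work factor can be raised later, verifies in constant time, and sets the three weak forms the article warns against alongside it for contrast. The iteration count, salt length and record format are assumptions chosen for the example, not values from the article.

```python
import base64
import hashlib
import hmac
import os

# Policy values chosen for this example (assumptions, not taken from the article).
PBKDF2_ITERATIONS = 600_000   # tune so one verification costs tens of milliseconds on your hardware
SALT_BYTES = 16               # a fresh random salt for every password
DERIVED_KEY_BYTES = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS, salt=None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt>$<hash>'.

    Keeping the parameters with the hash lets you verify old records and raise the
    work factor later without a flag day."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  iterations, dklen=DERIVED_KEY_BYTES)
    return "$".join(["pbkdf2_sha256", str(iterations), _b64(salt), _b64(derived)])


def verify_password(password: str, record: str) -> bool:
    """Re-derive from the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  int(iterations), dklen=len(expected))
    # compare_digest does not short-circuit, so timing does not reveal matching prefixes.
    return hmac.compare_digest(derived, expected)


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record was made with a weaker work factor than current policy.
    Call after a successful login and rehash while the plaintext is in hand."""
    fields = record.split("$")
    return len(fields) != 4 or fields[0] != "pbkdf2_sha256" or int(fields[1]) < iterations


# The storage forms the article warns against, for contrast.
def stored_plaintext(password: str) -> str:
    return password  # a database copy is a credential dump


def stored_obfuscated(password: str) -> str:
    # Looks scrambled, but base64 is trivially reversible.
    return _b64(password.encode("utf-8"))


def stored_unsalted_md5(password: str) -> str:
    # Fast and unsalted: identical passwords collide, and precomputed tables apply.
    return hashlib.md5(password.encode("utf-8")).hexdigest()
```

The record format makes the migration path explicit: when a login succeeds and `needs_rehash` is true, call `hash_password` again with the current policy and overwrite the stored record.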
STEP 3 – Monitor your environment (define standard monitoring, know what is happening and actively hunt on your network): Your ‘business as usual’ practice should ensure that you have active monitoring in place, with your data stored and protected well back from your public servers. Active changes, non-standard behaviour and unauthorised activity should be monitored and alerted on. An incident response plan should have been tested and rehearsed to ensure a breach can be detected BEFORE data extraction occurs. Make sure the path to your data is lined with multiple trip wires (monitored events) so that the hackers’ chain of actions prior to data extraction can be seen (reconnaissance, delivery, exploitation of a weakness, extraction, and so on). Each stage that is seen is an opportunity to intercept and stop the attack.
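To make the trip-wire idea in STEP 3 concrete, here is an added example (written for this page, not Nettitude's tooling) that runs simple stage detectors over constructed sample events and reports, per source address, which wires tripped and at which event. The event format, thresholds and stage names are assumptions for the example; the point it shows is that the first wire fires well before the extraction event, which is where the interception opportunity lies.

```python
from collections import defaultdict

# Constructed sample events for this example, not real log data.
# Each tuple: (sequence number, source IP, event type, detail).
SAMPLE_EVENTS = [
    (1, "203.0.113.7", "http_404", "/admin"),
    (2, "203.0.113.7", "http_404", "/phpmyadmin"),
    (3, "203.0.113.7", "http_404", "/.git/config"),
    (4, "203.0.113.7", "http_404", "/backup.zip"),
    (5, "203.0.113.7", "http_404", "/wp-login.php"),
    (6, "203.0.113.7", "login_failed", "admin"),
    (7, "203.0.113.7", "login_failed", "admin"),
    (8, "203.0.113.7", "login_failed", "admin"),
    (9, "203.0.113.7", "login_failed", "admin"),
    (10, "203.0.113.7", "login_failed", "admin"),
    (11, "203.0.113.7", "login_ok", "admin"),
    (12, "203.0.113.7", "db_export", "1500"),
    (13, "198.51.100.4", "http_404", "/favicon.ico"),   # ordinary user noise
    (14, "198.51.100.4", "login_ok", "alice"),
    (15, "198.51.100.4", "db_export", "50"),
]

# Thresholds chosen for the example (assumptions): tune to your own baseline.
THRESHOLDS = {"recon_404s": 5, "failed_logins": 5, "export_rows": 1000}


def evaluate_tripwires(events, thresholds=THRESHOLDS):
    """Return {ip: [(stage, seq_when_tripped), ...]} for every source that tripped a wire.

    Three wires on the path to the data: many distinct 404s (reconnaissance),
    a successful login after a run of failures (credential attack), and a bulk
    export (extraction). Each wire fires once per source, at the first event
    that crosses its threshold."""
    state = defaultdict(lambda: {"paths": set(), "failed": 0, "rows": 0})
    tripped = defaultdict(list)

    def trip(ip, stage, seq):
        if stage not in [s for s, _ in tripped[ip]]:
            tripped[ip].append((stage, seq))

    for seq, ip, event, detail in sorted(events):
        s = state[ip]
        if event == "http_404":
            s["paths"].add(detail)
            if len(s["paths"]) >= thresholds["recon_404s"]:
                trip(ip, "reconnaissance", seq)
        elif event == "login_failed":
            s["failed"] += 1
        elif event == "login_ok":
            if s["failed"] >= thresholds["failed_logins"]:
                trip(ip, "credential_attack", seq)
            s["failed"] = 0
        elif event == "db_export":
            s["rows"] += int(detail)
            if s["rows"] >= thresholds["export_rows"]:
                trip(ip, "extraction", seq)
    return dict(tripped)


def earliest_intercept(events, thresholds=THRESHOLDS):
    """For each tripped source, the first wire hit: the earliest point at which
    an analyst could have intervened, ideally before any extraction wire."""
    return {ip: stages[0] for ip, stages in evaluate_tripwires(events, thresholds).items()}
```

Run against the sample, the attacking address trips reconnaissance at event 5, the credential wire at event 11 and extraction at event 12, while the ordinary user trips nothing; in a real deployment the reconnaissance and credential wires are the ones that should page someone.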
STEP 4 – Simulate and test (conduct real-world penetration testing): So much penetration testing these days focuses on the type of attack run by script kiddies (noisy, tool-driven and automated) rather than by real-world criminals (targeted, custom, slow and quiet). Use current threat intelligence to know what the bad guys will actually attempt, and simulate what you genuinely think may happen, not what you tested last year or what your testing company runs as standard.
STEP 5 – Remain agile (continually re-visit the risk and verify the right controls and response capabilities are in place): Don’t stand still and don’t sit down; the hackers won’t. As defenders we need to remain vigilant and adaptable. Govern, evaluate, learn lessons and improve.
The only way to protect your organisation from a breach is to expect it to happen and prepare for it. Ask yourself, if a certain breach happened to you, would you be able to detect and stop it in time?
PS - Never pay the ransom! You will encourage the very action you want to stop. Hunker down, weather the storm and learn from it. And be better prepared for next time.
To contact Nettitude's editor, please email email@example.com.