WHAT EVERY CEO NEEDS TO KNOW ABOUT IT SECURITY
By Christopher Dawson
Late last year, Sony Pictures Entertainment suffered an unprecedented breach of IT security. Corporate salary data, including executive compensation, was released onto the public internet, as were many years worth of human resource activity and personnel records. Numerous feature film projects were also stolen and shared online, including high-profile blockbusters slated for theatrical release during the last holiday season. Worse still, the attack deliberately destroyed all data on many IT systems. One might wonder if CEO Michael Lynton spent the rest of his holiday weekend ruminating on the fate of his counterpart at Target Stores. Exactly one year earlier, the retail giant was staggered by its own security breach, one that would ultimately rank as the largest exposure in U.S. history up to that time. For Chairman and CEO Gregg Steinhafel, it also marked a somber coda to his thirty-five year career with the company, as both he and CIO Beth Jacob were forced to resign.
The 2013 “holiday hack” of Target Stores heralded a paradigm shift in the perception of information security. The massive extent of the customer data that was compromised, high-profile media coverage of the incident, and the resulting fallout combined to force the highest levels of management to reevaluate their understanding of the corporate information security battlefield. In today’s reality, the profile of the hackers has evolved from techies seeking to bolster credibility among peers (like digital graffiti artists painting their tags on the information superhighways) into highly organized criminal enterprises aiming to pilfer customers’ data for resale in black markets. This incident also established a new precedent for culpability, with failure to effectively secure the IT landscape against business crippling breaches resulting in boards forcing changes in leadership.
With this new perspective in mind, there are a few key ideas that any conscientious CEO should focus on when considering the organization’s IT security posture.
Your Company Will Be Hacked – How Will You Handle It?
Professionals in the security industry often speak of clients as falling into one of two categories: those who have been hacked, and those who don’t know it yet. It’s not a question of “if,” but of “when” a breach will occur. Understand that the “bad guys” have extremely intelligent and determined people in their ranks and that no defensive technology is infallible (more on this later), and focus on mitigation strategies to minimize any damage a breach might cause to the brand image and bottom line. This is not to imply abandoning the traditional perimeter protections, such as firewalls, anti-virus scanners, and network monitoring; but, it’s critical to limit both the duration and scope of any security breach and to accomplish this, security apparatus needs to be visualized as a multi-layered defense mechanism.
Solid identity and access governance is the core of that defense, providing visibility into exactly who has access into all IT systems and applications. This includes ongoing attestation to periodically recertify access rights as appropriate, with a particular focus on systems that house mission-critical data and the people who have access to highly privileged accounts. After all, these are the people who hold the keys to the kingdom with respect to the company’s information assets.
The next layer is compartmentalization of the business units’ operations, including the well-established best practice of segmenting the networks that interconnect them. A post hoc analysis of the previous year’s Target incident revealed that much of the exposure could have been avoided had the company established separation between their customer information databases and point-of-sale systems and the contractor billing system that served as the hackers’ back-door entry point into their infrastructure. No breach of security is desirable, but it’s better to have limited data from a single operational area exposed than to have the entire corporate payroll and human resources history released to the public along with the unfinished holiday blockbuster film that revenue forecasts were depending on, as Sony Pictures recently faced.
While the outermost layer continues to be the traditional endpoint, along with perimeter security technologies (often implemented as silos), they collectively audit thousands or even millions of events every day with little to no correlation. Without a security intelligence platform capable of distilling that data into meaningful, actionable alerts, the information overload phenomenon nullifies much of the benefit of such monitoring. After all, having firewalls and network intrusion detection systems in place doesn’t provide much benefit if it requires weeks or months of people poring through cryptic logs to discover anomalous behaviors that might be evidence of a security breach. Target Stores’ lack of a security operations center to analyze the output from their monitoring tools prevented them from recognizing the unorthodox event patterns that represented a weeks-long exfiltration of tens of millions of customer records to unknown destinations in Eastern Europe.
Technology is not a Panacea
Effective IT security encompasses more than just bits and bytes. The SANS Institute compiles a list of 20 “critical security controls” that offer guidance for establishing an effective IT security posture, and several of the items involve establishing preemptive policies and training personnel. An annual report commissioned to quantify the costs of security breaches of companies in 10 countries found that the most influential factors in mitigating those costs were the existence of incident response and management plans, the appointment of a CISO to direct and execute those plans, and their incorporation into a broader corporate business continuity management strategy. Simply put, remember the Boy Scouts’ motto: be prepared. Failure to plan proactively will ultimately make any security exposure even costlier.
That report also confirmed the costs of these incidents are rising, both per capita and in the aggregate. Those costs aren’t limited to expenses required to identify and seal the leaks, such as forensic experts and security consultants. Particularly here in the U.S. where regulatory guidelines require notification of affected parties, the indirect costs of data exposures are frequently double the direct costs. Worse still are the opportunity costs wrought by broken consumer trust and lasting damage to the brand’s image. It’s difficult to imagine what else might have contributed as significantly to the dramatic 46 percent drop in Target’s fourth-quarter year-over-year revenue figures following their high-profile exposure.
How individuals address security policy can also have significant effects on the business. Following the much-publicized release of celebrities’ private photos stolen from their Apple iCloud accounts this summer, the company’s stock price plunged four percent in a single day of trading. Even though this theft was not the result of a technology failure but of weak passwords and account protection choices by the victims themselves, the negative public perception nevertheless resulted in a loss of some $26 billion in Apple’s market capitalization overnight. Keep in mind that even if security technology were bulletproof (and it isn’t), the human element will always be vulnerable. Whether through benign inattentiveness to policy, or through more nefarious means such as “spear phishing” (a targeted use of social engineering or other misdirection techniques to compromise privileged personnel in the organization), human beings present a vector for compromise that will always be present.
You Are on the Hook
The modern enterprise is undergoing a fundamental shift as more companies adopt disruptive initiatives into their everyday business practices. Popular trends such as BYOD (“bring your own device”) and “work anywhere,” and the embrace of cloud computing and data storage, shatter the traditional paradigm of a rigidly-controlled IT core infrastructure. As corporate network perimeters become ever more nebulous, the security of valuable information assets has been elevated from a departmental concern to an executive one. Gone are the days when it was sufficient for a CISO to check the boxes on a compliance list and consider security satisfied. In today’s climate, a failure of the chief executive to proactively incorporate all aspects of enterprise IT security into the company’s risk management and business continuity policies could very likely result in painful costs: expensive mitigation services, regulatory penalties, lost consumer confidence and legal claims, tarnished brand image, lower revenues and profitability, and more. Just ask Gregg Steinhafel.
Christopher Dawson is a Senior Security Solutions Architect for San Antonio-based Sirius Computer Solutions. Sirius helps IT professionals mitigate risks while cutting costs and has over 4,000 clients across the U.S. www.siriuscom.com