
Of intrusion and intruders


15 November 2013

The drip feed of specifics about the data breach suffered by Loyaltybuild is, I would argue, a symptom of both the attitudes to and the strategies for coping with malicious intrusion.

Previously, the attitude toward intrusion, hacking, penetration, call it what you will, has been to ensure a sturdy perimeter and hope for the best. This was modified in recent years through the advent of intrusion prevention and detection systems, but really, these were more akin to bells on the barbed wire fence than anything else. In fact, if you look up the term intrusion management, what it refers to is the coordinated management of intrusion prevention and detection systems, not the management of an intrusion in progress, which perhaps it should.

My point here is that after an intrusion has been detected, organisations are often at a loss to know what has actually happened, and what has been affected or indeed, whether the intrusion is still in progress.

This is usually as a result of an unknown entry point, unknown assailant and unknown motivations. Consequently, organisations often do not know where to look for evidence of what has happened.

But before any intrusion actually takes place, organisations rarely look at their network from the perspective of an attacker. They rarely examine their infrastructure to ask what an attacker who came in at a certain point, with a certain level of credentials, could potentially access. Such considerations could fundamentally change the way that organisations think about how they organise their internal resources.

Techniques such as network segmentation and compartmentalisation could mean that attackers cannot easily roam free through your network to take what they will. Permission levels and logic controls can stop a set of lowly hijacked credentials from being used to gather whatever an attacker desires.
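As an added illustration, not part of the original column, the following script puts the attacker-perspective question above into code on a constructed, hypothetical network: given an entry point and a credential level, which segments and high-value assets become reachable, compared across a flat and a segmented design. The segment names, credential levels and flow rules are all assumptions made for the example.

```python
from collections import deque

# Constructed, hypothetical model of a small corporate network.
# Each segment maps the segments it may open connections to onto the
# minimum credential level needed to cross that boundary.
LEVELS = {"guest": 0, "user": 1, "admin": 2}

# Flat design: once inside, anything can talk to anything.
FLAT_NETWORK = {
    "dmz-web": {"internal-lan": "guest"},
    "internal-lan": {"file-server": "guest", "customer-db": "guest", "backup": "guest"},
    "file-server": {},
    "customer-db": {},
    "backup": {},
}

# Segmented design: each hop requires a credential level appropriate to the zone.
SEGMENTED_NETWORK = {
    "dmz-web": {"app-tier": "user"},
    "app-tier": {"customer-db": "admin", "internal-lan": "user"},
    "internal-lan": {"file-server": "user", "backup": "admin"},
    "file-server": {},
    "customer-db": {},
    "backup": {},
}


def reachable(network, entry, credential):
    """Segments an intruder could reach from `entry` holding `credential`,
    following only flows whose minimum level is at or below what is held."""
    held = LEVELS[credential]
    seen = {entry}
    queue = deque([entry])
    while queue:
        here = queue.popleft()
        for nxt, needed in network.get(here, {}).items():
            if LEVELS[needed] <= held and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposure_report(network, entry, credential, crown_jewels):
    """Sorted list of the named high-value assets exposed for this entry and credential."""
    return sorted(a for a in crown_jewels if a in reachable(network, entry, credential))


if __name__ == "__main__":
    jewels = {"customer-db", "backup"}
    for name, net in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED_NETWORK)):
        for cred in ("guest", "user", "admin"):
            print(f"{name}: {cred} from dmz-web exposes {exposure_report(net, 'dmz-web', cred, jewels)}")
```

Running it shows that a hijacked guest-level foothold in the DMZ exposes both high-value stores on the flat design and nothing on the segmented one.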

By taking such a perspective, and having that inform controls and policies, organisations can guard against what is now being slowly accepted as inevitable — attackers will, at some point, gain access to your network.

The latest episode of this unfortunate circumstance in the media should remind us of these lessons and admonish us to take steps before it is too late, but, and you could hear that one coming, we mustn’t be too hasty.

Coming back to the earlier point, in looking at the aftermath of an intrusion, or indeed one that may be in progress, it is important not to act hastily in an effort to prevent further damage, especially if such actions could potentially destroy evidence of who was doing the snooping and what they were after.

Of course, protecting customers and their data must be paramount, but there is also a duty to ensure that evidence is preserved to find the perpetrators and their methods to allow safeguards to be implemented to prevent similar attacks in the future.

The aftermath of the RSA hack, and the company's exemplary handling of it, has shown that sharing experiences in such instances can help the industry as a whole to protect itself from attacks, and limit the damage potential by changing attitudes to accept the inevitable and mitigate the damage.


TechCentral.ie