Date post: | 13-Apr-2017 |
Category: |
Documents |
Upload: | mike-mcmillan |
View: | 77 times |
Download: | 0 times |
2 | P a g e
The number of U.S. data breaches tracked in 2014 hit a record high of 7831, according to a recent
report released by the Identity Theft Resource Center. An article in CNN Money estimated nearly
one million malware threats are released every day2. Malware in general is more malicious than
years past, with ransomware being just a small example of our challenges in IT. Although Gartner
stated that organizations will increasingly recognize that it is not possible to provide a 100 percent
secured environment3, businesses must develop strategies to prevent and protect from data
breaches.
In a nutshell, the security landscape has significantly changed over the last several years and
businesses must adapt by incorporating cost effective solutions to fight the ever-growing threats.
To complicate the issue, many IT departments have faced reductions of force and often have had
budget constraints that limit their ability to stay ahead of the curve.
DSM has assessed a great number of environments and regardless
of the size of the organization and number of IT people on staff,
every assessment yields a great number of vulnerabilities.
Moreover, DSM has noted weaknesses during many of our
assessments that indicate gaps in an organization’s ability to
recover data in the event of a breach. Backups were the traditional
way to protect from data loss; however, it is no longer sufficient as
a standalone solution. In short, businesses must layer prevention
and protection strategies.
Prevention Strategies In simplistic terms, a prevention strategy should stop threats before they occur. The question
business leaders should ask is, “how secure are my systems and data?” If a survey was sent to a
dozen IT departments, most likely the results would indicate a broad number of strategies being
deployed followed immediately by statements indicating that staffing and budgeting are limiting
their ability to prevent malicious attacks.
Many business leaders are not technical and must rely upon their technical staff to provide
guidance. Often internal IT departments lack the knowledge and/or expertise in deploying
technologies or processes to help mitigate against a breach. Accordingly, DSM recommends
asking these simple questions:
(1) What are we doing today to prevent a data breach?
(2) What limitations are we facing?
(3) What is the process to validate our data and systems are protected?
1 Identity Theft Resource Center Breach Report Hits Record High in 2014 2 Nearly 1 million new malware threats released every day 3 Gartner Identifies the Top 10 Strategic Technology Trends for 2015
Backups were the
traditional way to protect
from data loss; however, it
is no longer sufficient as a
standalone solution. In
short, business must layer
prevention and protection
strategies.
3 | P a g e
The answers to these questions will help define the magnitude of information security as a true
business threat. Then the organization will be ready to determine the overall readiness and health
of IT.
The most common practice of identifying issues and establishing budgets is leveraging a third
party assessment. Before embarking on an assessment, the business needs to ensure it is willing
to put the effort to remediate and mitigate against identified risks. Moreover, the firm providing
the assessment must gain your confidence by showing it has a methodology that maps to your
business needs. Accordingly, DSM developed an assessment methodology that breaks down our
findings into four categories.
1) Security
2) Management
3) Availability
4) Recovery
This approach produces a comprehensive review of an environment beyond traditional security.
In fact, it provides a review of an organization’s ability to recover and outlines improvements for
systems management, IT automation and high availability to applications and data. This proven
methodology provides health checks of critical systems and applications in conjunction with
assessing the security and overall recoverability of an environment. Additionally, DSM provides
budgets to remediate and strengthen the underlying technologies your business depends upon.
Assessment Woes While IT Assessments are a proven approach to identifying weaknesses, not everyone is
comfortable with a third party reviewing their environment. Depending upon the situation, some
technical people may embrace an assessment while others tend to avoid them. DSM has
performed a great number IT assessments which have yielded many different views from the
various IT teams. One observation is that many organizations have
a strong confidence in their solutions. In some instances we have
experienced resistance to an outsider assessing their security
posture due to insecurities. Regardless of the maturity of an
organization or the age of the systems that are deployed, auditors
most always uncover issues that would have gone unnoticed until
an event surfaced the weakness. Simply said, everyone can
improve process or techniques to secure infrastructure and data.
The real question everyone should ask is, “If a data breach
occurred, how would it impact our business?” SafeNet stated Data
breaches have a significant impact on whether a customer will
interact with an organization again4. Additionally, IBM and
Ponemon Institute indicated that the total average cost for data
breaches paid by United States companies increased from $5.4 million to $5.9 million5 in 2014.
Is it worth the risk or should organizations have a preventative strategy? We believe an
assessment is only one layer of protection but it will remain a necessity to ensure organizations
are following industry best practices.
4 Global Survey Reveals Impact of Data Breaches on Customer Loyalty 5 2014 Cost of Data Breach Study: United States
Data breaches have a
significant impact on
whether a customer
will interact with an
organization again.
4 | P a g e
Protection Strategies DSM believes in the statement, it is not a matter of “IF’ it is “WHEN” as it relates to security
breaches. Accordingly, DSM recommends that organizations mature in the area of protection
strategies. Simplified, a protection strategy is a layered approach to protect data from being
compromised and in the event of an emergency the data or systems can easily be recovered. At a
high level, organizations must go beyond traditional backups to ensure they are protecting critical
and confidential data. Confidential data should be encrypted to minimize the threat of leakage
and organizations must consider technologies that streamline the recovery approach for
corrupted or loss data.
How Effective are My System Backups? The good news is technology is constantly improving; however, many organizations have made
significant investments in backup technologies that may not be effective. IT assessments have
identified that many organizations are performing traditional backups, nevertheless they are
lacking a comprehensive recovery strategy to recover data beyond a
backup. Accordingly, there are gaps between business requirements
and the technical ability to provide instant access to data after an
outage. Disaster Recovery has been focused mostly on the fire or the
hurricane but must expand into the real threat of today which is data
compromise or leakage.
Today’s businesses require the ability to recover data from minutes
ago versus last night’s backup. An easy calculation for recovery times
is if it takes one (1) hour to backup data, it will typically take two (2)
hours to recover it with traditional backups. Hence, how can we
shorten our recovery time in the event of a virus such as
CryptoLocker? Beyond security awareness training to reduce the end
user’s mistake, businesses must leverage technologies that provide
automated snapshots of files or volumes.
DSM recommends reviewing your data protection solution to ensure it has adequate retention
and archive for compliance and that it has the ability to replicate the data offsite. In addition, it
should tightly integrate into virtual infrastructure while giving the ability to instantly recovery
both physical and virtual systems.
Performing IT Basics One interesting finding that all assessments have disclosed is most organizations are not doing
the IT basics. IT staff reduction in conjunction with speed that technology
changes has yielded an interesting issue. IT departments tend to spend
more energy with projects in parallel with troubleshooting the tireless day-
to-day technical issues as opposed to keeping up with the daily
management tasks. Results show that patch management for Microsoft
and third party applications is not managed well in most every
environment. While most have automated tools, many are not fully
configured or lack processes to validate systems and applications are
updated. Moreover, some audits reveal that Anti-Virus can be sparsely
implemented.
The reality is the day-to-day tasks which are essential to protecting the environment are somewhat
boring which exasperates the situation. Based upon our experience, it appears that many IT teams
would rather learn the new upcoming technology rather than focusing on the daily management
tasks.
Today’s businesses
require the ability to
recover data from
minutes ago versus
last night’s backup. An
easy calculation for
recovery times is if it
takes one (1) hour to
backup data, it will
typically take two (2)
hours to recover it with
traditional backups.
5 | P a g e
Another driving factor for poor patch and AV management is that these lower-level tasks are often
delegated to junior IT staff without the appropriate controls to validate. As a result, critical tasks
which are essential to protection and recovery are often overlooked due to the backlog of Critical
and Important tasks that fill up the ticketing queue for those who have ticketing systems. For the
lesser sophisticated staff that does not leverage a ticketing system, these crucial tasks are lost.
Delegating low-level tasks does not mean you are minimizing the criticality or delegating the
responsibility; it simply means controls such as reporting must be in place to validate on a routine
basis.
Conclusion In summary, the security landscape has significantly changed over the last several years
and businesses must invest in strategies not only to prevent a malicious attack
while protecting data but also have the enhanced recovery abilities. In
the past many businesses would elect to repurpose budgets allocated to
security towards higher prioritized projects. Risks today expand beyond
an inconvenience to downtime and possible data corruptions that places
customers and revenue lines at risk.
Data protection has to extend beyond standard backups to enterprise-
class systems that enable offsite replication and instant recovery. In
addition, solutions have to expand beyond backups to provide high
availability to essential data.
The lower skilled tasks do not lessen the level of urgency to ensure backups
and patches are pushed out on a routine basis. Accordingly, management
must deploy appropriate controls to validate these tasks are completed.
DSM recognizes that budgets can limit an organizations ability to have a foolproof system,
nevertheless, DSM has leveraged a layered approach that delivers these services at an affordable
cost.
For more information about Information Security and how we can help you, please contact us at
863-802-8888 or [email protected].