Schwartz On Security: First, Know You've Been Breached

Published: 22/11/2024   Category: security




Spain's national aeronautics institute found three Mariposa botnet infections on internal PCs, thanks to constant testing. But when it comes to breaches, many organizations still have their heads in the sand.



Until a security incident or data breach gets discovered, does it really exist? The non-existential answer is: of course. And the longer it goes undetected, the greater the potential damage.
One 2010 study found that 41% of organizations can't determine how frequently they're targeted by advanced attacks, and half of organizations take at least a month to detect such attacks.
Likewise, the data breach list maintained by the Identity Theft Resource Center (ITRC) lists numerous breaches that have an estimated start date, sometimes months or even a year prior to an organization publicly declaring that the breach occurred. Half of all organizations involved in known 2010 data breaches also didn't disclose the attack vector or number of affected records. Perhaps they simply don't know the answers.
So as it comes time to make, break, or pursue resolutions for the new year, let's set one for information security. Rather than obsessing over which security technologies are in play, why not ask bigger questions: How do we know when we've been breached, and can we trace the attack back to prevent it from happening again?
One lesson comes from INTA, Spain's national aeronautics institute, where 1,600 scientists demand easy access to information, not to mention WebEx, unencumbered by security policies. How do you secure that environment -- and enforce security policies -- while not strangling people's ability to locate essential information or collaborate?
"It's a difficult environment to secure. They are working with a lot of top secret information," said Jesus Garrido Antonio, INTA's head of information security, speaking this past autumn at an event hosted by Palo Alto Networks. Furthermore, top secret data, such as the range of the Meteor air-to-air missile project, may involve just two numbers. How do you secure that? Antonio's answer is to provide more layered security, find ways of cross referencing what's happening with what isn't happening, and regularly test, compare, and contrast the latest technology. "You need to have one leg in back and one in front," he said, because hackers are always trying something new.
Overlapping technology helps discover problems that a standalone approach may have missed. For example, in September 2010, INTA began testing three new types of firewalls, including a Palo Alto next-generation firewall. On the first day, that firewall flagged three Mariposa botnet infections running on internal PCs, despite the fact that INTA had deployed antivirus engines on all of its PCs and used intrusion detection and prevention systems on its enterprise networks.
The security team traced the problem to three PCs, running Windows 2000, used to manage warehouse inventory. While the PCs didn't store sensitive information, the infection was still troubling. How had Mariposa infiltrated the enterprise, and why were these PCs still running the old Microsoft operating system? Ultimately, the security team discovered that it had supplied three brand new PCs to replace those old warehouse PCs, but warehouse managers diverted the new PCs to become their new desktops. Meanwhile, the Windows 2000 machines remained in place, essentially off of the security grid.
The lesson: Never assume that just because a security tool isn't flagging a problem, that a problem doesn't exist and someone isn't trying to exploit it. Of course, behaviorally speaking, we tend to do the opposite – we overestimate the likelihood of good outcomes and underestimate the likelihood of bad ones. Behavioral scientists even have a name for this tendency, optimism bias, or the positivity illusion.
How can people combat this tendency? The answer, generally speaking, is to use more automated mechanisms that reduce the need for subjective interpretation. In security terms, it also includes layering defenses to help build a better, automated picture of what's actually happening on the network.
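The INTA story above is, at bottom, a reconciliation problem: the firewall saw three internal hosts talking to a botnet, while the endpoint layer had nothing to say about them because those Windows 2000 machines were never in its inventory. The following added example (not part of the original column, and not any vendor's tooling) shows the kind of automated cross-check the paragraph above argues for. It feeds a constructed, hypothetical firewall log and a constructed endpoint-management inventory into two checks: which hosts on the wire have no endpoint record at all, and which firewall threat verdicts land on hosts the endpoint layer cannot vouch for. The log and CSV formats, IP addresses and hostnames are all invented for the example.

```python
"""Cross-reference two independent security data sources (added example).

Constructed data only: a hypothetical next-generation-firewall log and a
hypothetical endpoint-management (AV/patch) inventory. Neither matches any
real vendor's schema.
"""
from __future__ import annotations

import csv
import io

# Constructed firewall log: timestamp, source IP, destination IP, verdict.
# 10.20.5.17-19 stand in for the forgotten warehouse PCs; the other two
# sources are ordinary managed workstations doing ordinary things.
FIREWALL_LOG = """\
2010-09-01T08:01:12,10.20.5.17,203.0.113.9,threat=botnet-c2
2010-09-01T08:02:40,10.20.5.18,203.0.113.9,threat=botnet-c2
2010-09-01T08:03:05,10.20.5.19,203.0.113.9,threat=botnet-c2
2010-09-01T08:05:51,10.20.1.4,198.51.100.20,app=webex
2010-09-01T08:06:13,10.20.1.9,198.51.100.44,app=web-browsing
"""

# Constructed endpoint inventory as exported from an AV/patch console.
# The three "wh-new-*" rows are the replacement PCs that were diverted to
# managers' desks; the old Windows 2000 boxes never made it into this list.
ENDPOINT_INVENTORY = """\
ip,hostname,os,av_last_checkin
10.20.1.4,sci-ws-004,Windows 7,2010-09-01
10.20.1.9,sci-ws-009,Windows 7,2010-09-01
10.20.5.21,wh-new-01,Windows 7,2010-09-01
10.20.5.22,wh-new-02,Windows 7,2010-09-01
10.20.5.23,wh-new-03,Windows 7,2010-09-01
"""


def parse_firewall_log(text: str) -> list[dict[str, str]]:
    """Parse the constructed log into one dict per event.

    The trailing field is either 'threat=<name>' or 'app=<name>'; it is split
    into a key/value pair so callers can test for the presence of 'threat'.
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, verdict = line.split(",", 3)
        key, _, value = verdict.partition("=")
        events.append({"ts": ts, "src": src, "dst": dst, key: value})
    return events


def parse_inventory(text: str) -> dict[str, dict[str, str]]:
    """Index the endpoint inventory CSV by IP address."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def _ip_key(ip: str) -> tuple[int, ...]:
    """Sort IPv4 addresses numerically rather than lexically."""
    return tuple(int(octet) for octet in ip.split("."))


def find_unmanaged_hosts(events: list[dict[str, str]],
                         inventory: dict[str, dict[str, str]]) -> list[str]:
    """Internal sources seen by the firewall that have no endpoint record.

    These are the machines 'off the security grid': no AV agent will ever
    report on them, so silence from the endpoint layer means nothing.
    """
    seen = {e["src"] for e in events}
    return sorted(seen - inventory.keys(), key=_ip_key)


def triage_threat_events(events: list[dict[str, str]],
                         inventory: dict[str, dict[str, str]]) -> list[dict]:
    """Attach endpoint-layer context to every firewall threat verdict.

    A threat verdict on an unmanaged host cannot be corroborated or refuted
    by AV telemetry, so it is marked for direct investigation instead of
    being left to wait for a second tool that will never speak up.
    """
    findings = []
    for e in events:
        if "threat" not in e:
            continue
        rec = inventory.get(e["src"])
        findings.append({
            "src": e["src"],
            "threat": e["threat"],
            "managed": rec is not None,
            "hostname": rec["hostname"] if rec else None,
            "action": ("no endpoint coverage: inspect host directly"
                       if rec is None
                       else "managed host: reconcile with AV telemetry"),
        })
    return findings


if __name__ == "__main__":
    fw = parse_firewall_log(FIREWALL_LOG)
    inv = parse_inventory(ENDPOINT_INVENTORY)
    print("unmanaged hosts seen on the network:", find_unmanaged_hosts(fw, inv))
    for f in triage_threat_events(fw, inv):
        print(f"{f['src']:<12} {f['threat']:<10} managed={f['managed']!s:<5} {f['action']}")
```

The point of the second check is the one the column makes: a quiet AV console is only evidence of health for hosts the console actually knows about. Run against the constructed data, the unmanaged-host check returns exactly the three warehouse addresses, and all three botnet verdicts are marked as landing on uncovered hosts.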
So this 2011 security resolution might sound like back to basics, but it stands to demonstrably improve enterprise security: Never stop testing new defenses and finding better ways to layer up. Because staying ahead of attackers is going to take resolve.
SEE ALSO:
Schwartz On Security: Don't Get Hacked For the Holidays
Schwartz On Security: WikiLeaks Highlights Cost Of Security
Schwartz On Security: China's Internet Hijacking Misread
Schwartz On Security: Click Dislike For Facebook Safety
Schwartz On Security: Reaching The M&A Tipping Point
Schwartz On Security: Remove Dangerous Sites From Internet
Schwartz On Security: Zombie Internet Kill Switch
Schwartz On Security: Can Apple Minimalism Stop Botnets?
