How to Prepare for Your Next Security Breach

Most IT professionals, despite their technical experience, don't really believe their own environments will suffer a breach. They assume attackers will never find them, that the malware their users brush up against on sketchy websites won't get past endpoint protection, and that ransomware will hit somebody else. After all, it's a numbers game, and everybody figures they'll skate by.

Well, everybody's wrong. According to a survey conducted by 451 Research in early 2018, 71 percent of its 1,200 enterprise security respondents reported some kind of breach in their recent history. That's seven in 10, and it counts only the organizations that actually noticed. The safe working assumption for any large network is therefore that at least one device is already hosting malware, dormant or live. It could be a small implant sitting quietly until it hears from its command and control server, or ransomware that waits until it has been swept into enough backup cycles that a clean recovery becomes hopeless. Or it could be a disgruntled employee who, on the day of being fired, copies your most valuable data one last time and sells it on the dark web. There are enough such possibilities that, over time, one of them is effectively inevitable.

Don't Ignore, Instead Prepare

If you think that's an exaggeration, consider the US Geological Survey (USGS) Earth Resources Observation and Science (EROS) Center satellite imaging facility in Sioux Falls, South Dakota. The facility's systems crashed, and during recovery staff discovered more than 9,000 pages of pornography, along with malware, loaded onto on-premises servers through the actions of a single employee. Nobody knew it was there until recovery forced a close look. The "assume breach" principle that senior security researchers keep repeating turns out to be right: the bad guys may already be inside your network, biding their time.

So instead of pretending it will never happen to you, be realistic. Assume a breach will happen and plan from there. Above all, make sure that whatever happens will affect your users and the organization as a whole as little as possible. As a starting point, that means protecting your data in such a way that it isn't automatically compromised just because your network is.

There are several other steps you can take to limit the damage from a breach: making your data hard to reach, making it unusable even if attackers do reach it, and making your network recoverable so you can restart operations once the incident is over. While you're doing that, you also need to prepare in advance for the administrative and legal obligations that accompany a data breach.

7 Tips for Hack Preparedness

To help you prepare, I've compiled seven tips from my long history of dealing with IT breaches and other disasters:

1. Encrypt all data. Even if you're not legally required to encrypt, do it anyway. Properly encrypted data is far less painful to lose: many breach-notification rules treat data as not compromised if it was encrypted and the keys were not also exposed, which sharply reduces your liability and, depending on your market segment, may spare you massive fines or even prison time. The caveat is in that clause about keys: encryption at rest protects nothing if the keys sit next to the data or are reachable from the same compromised account, so manage keys separately from what they protect.

2. Distribute your data. Not putting all your eggs in one basket applies to data safety, too. Depending on the type of data you're protecting, this may mean operating a hybrid cloud environment, employing tiered storage through a business-grade cloud storage service, or keeping data on separate servers reached from a virtualized environment. Remember that virtual machines (VMs) are also attackable by a reasonably sophisticated adversary, and in some ways that physical infrastructure isn't (and vice versa), so spreading data across VMs on a single host is not the same as spreading it across systems. What you don't want to do is map your data storage servers as drive letters on your main server. A persistently mapped share is reachable by any malware running under a logged-in account on that server, so ransomware there encrypts the storage along with everything else; it's an open invitation to even unskilled attackers.

3. Be careful about managing access. You've heard this from me before, and it hasn't changed: your whole network can't be open to everyone, and your data can't be available to everyone. Whether you rely simply on user passwords or (much better) on a proper identity management platform, limit access to any given network resource to the people whose job function requires it. This applies to everyone, from the CEO down to the IT department. When IT needs access to a protected area, grant it on an as-needed basis, tied to a job role and with an expiry, rather than as standing privilege. Log every access decision, too: who and when is the minimum you want to collect, and recording the resource and whether access was granted or denied costs little more.
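As an added example (not code from the original article) of the as-needed, role-based, logged access described above, the following Go program implements a small deny-by-default access gate. The user-to-role table, the resource names and the helper names (Gate, Allow, AllowUntil, Authorize) are constructed for illustration; a real deployment would take the role mapping from the identity management platform and ship the audit entries to a log store the users themselves cannot edit.

```go
package main

import (
	"fmt"
	"time"
)

// Role is a job function ("dba", "exec", "helpdesk"); users are mapped to roles
// by the identity provider. Here that mapping is a constructed in-memory table.
type Role string

// Grant says that a role may perform Action on Resource. A zero Expires means a
// standing grant tied to the role; a non-zero Expires is an as-needed grant
// that lapses on its own without anyone remembering to revoke it.
type Grant struct {
	Role     Role
	Resource string
	Action   string
	Expires  time.Time
}

// AuditEntry records who asked for what, when, and what was decided. "Who and
// when" is the minimum; resource, action and decision make the log useful
// during an investigation.
type AuditEntry struct {
	When     time.Time
	User     string
	Resource string
	Action   string
	Allowed  bool
	Reason   string
}

type Gate struct {
	roles  map[string][]Role
	grants []Grant
	Audit  []AuditEntry
	now    func() time.Time // injectable clock so expiry can be tested
}

func NewGate(roles map[string][]Role, now func() time.Time) *Gate {
	if now == nil {
		now = time.Now
	}
	return &Gate{roles: roles, now: now}
}

// Allow adds a standing grant for a job role.
func (g *Gate) Allow(role Role, resource, action string) {
	g.grants = append(g.grants, Grant{Role: role, Resource: resource, Action: action})
}

// AllowUntil adds an as-needed grant that expires automatically.
func (g *Gate) AllowUntil(role Role, resource, action string, until time.Time) {
	g.grants = append(g.grants, Grant{Role: role, Resource: resource, Action: action, Expires: until})
}

// Authorize denies by default, honours only unexpired grants held by one of the
// user's roles, and appends every decision (allowed or not) to the audit log.
func (g *Gate) Authorize(user, resource, action string) bool {
	now := g.now()
	allowed, reason := false, "no matching grant"
	for _, r := range g.roles[user] {
		for _, gr := range g.grants {
			if gr.Role != r || gr.Resource != resource || gr.Action != action {
				continue
			}
			if !gr.Expires.IsZero() && !now.Before(gr.Expires) {
				if !allowed {
					reason = fmt.Sprintf("grant for role %s expired at %s", r, gr.Expires.Format(time.RFC3339))
				}
				continue
			}
			allowed, reason = true, fmt.Sprintf("role %s", r)
		}
	}
	g.Audit = append(g.Audit, AuditEntry{now, user, resource, action, allowed, reason})
	return allowed
}

func main() {
	// Constructed sample directory; real deployments read this from the IdP.
	roles := map[string][]Role{"ceo": {"exec"}, "pat": {"dba", "helpdesk"}}
	g := NewGate(roles, nil)
	g.Allow("exec", "finance-share", "read")
	g.AllowUntil("dba", "hr-database", "write", time.Now().Add(time.Hour))
	fmt.Println(g.Authorize("ceo", "hr-database", "read"))  // false: no grant for exec
	fmt.Println(g.Authorize("pat", "hr-database", "write")) // true, for the next hour only
	for _, e := range g.Audit {
		fmt.Printf("%s %s %s %s allowed=%v (%s)\n",
			e.When.Format(time.RFC3339), e.User, e.Action, e.Resource, e.Allowed, e.Reason)
	}
}
```

The two things worth copying from this are that a request with no matching grant is denied rather than falling through, and that denials are logged with the same detail as approvals: a burst of denied attempts against a sensitive resource is often the first visible sign that an account has been taken over.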

4. Segment your network. This is related to the last point. Configure internal firewalls, VLANs, and router access lists so that only authorized users and subnets can pass traffic between segments and everything else is blocked by default. Besides controlling legitimate access, this confines an intruder to one portion of the network and therefore to one portion of your organization's data. If you've followed step one, whatever they reach is encrypted. If you skipped step one, or they've somehow obtained the encryption key, segmentation still means they get a piece rather than everything.

5. Don't use the same encryption key for everything. This sounds obvious, but long experience tells me that too many IT pros still fall into this trap. You don't want one stolen or cracked key to unlock all your data. It's the same principle as not reusing one password across systems: use separate keys per system, per dataset, or even per record, and keep the key that protects those keys apart from the data itself, so that compromising one store (or one segment from step four) doesn't expose the rest.
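Tips 1 and 5 together describe what is usually called envelope encryption: each record is encrypted under its own key, and those per-record keys are protected by a separate key that lives apart from the data. The following Go program is an added example, not code from the original article. It assumes AES-256-GCM, a 32-byte key-encryption key fetched from wherever you keep it (an HSM or cloud KMS is the assumption; a constructed in-memory map stands in for it here), and the names Envelope, Encrypt, Decrypt and Rewrap, which are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is one encrypted record: the record is sealed under its own random
// data-encryption key (DEK), and the DEK is sealed ("wrapped") under a long-lived
// key-encryption key (KEK) assumed to live in an HSM or KMS, never beside the data.
type Envelope struct {
	KEKID      string // which KEK wrapped the DEK, so KEKs can be rotated
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK, aad=KEKID)
	Ciphertext []byte // nonce || AES-GCM(DEK, record)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext with a fresh random nonce for every call.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; GCM authentication fails on any tampering or wrong key.
func open(key, data, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

// Encrypt generates a fresh 256-bit DEK for this record, encrypts the record with
// it, and wraps the DEK under the named KEK. A stolen DEK exposes one record.
func Encrypt(kekID string, kek, record []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, record, nil)
	if err != nil {
		return nil, err
	}
	// KEK id is authenticated data, so an envelope cannot be relabelled to another KEK.
	wrapped, err := seal(kek, dek, []byte(kekID))
	if err != nil {
		return nil, err
	}
	return &Envelope{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt looks up the KEK named in the envelope, unwraps the DEK, opens the record.
func Decrypt(keks map[string][]byte, env *Envelope) ([]byte, error) {
	kek, ok := keks[env.KEKID]
	if !ok {
		return nil, fmt.Errorf("unknown KEK %q", env.KEKID)
	}
	dek, err := open(kek, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, nil)
}

// Rewrap rotates an envelope to a new KEK by re-encrypting only the 32-byte DEK;
// the record itself is never touched, so rotation is cheap even for large stores.
func Rewrap(oldKEK []byte, oldID string, newKEK []byte, newID string, env *Envelope) error {
	dek, err := open(oldKEK, env.WrappedDEK, []byte(oldID))
	if err != nil {
		return err
	}
	wrapped, err := seal(newKEK, dek, []byte(newID))
	if err != nil {
		return err
	}
	env.WrappedDEK, env.KEKID = wrapped, newID
	return nil
}
```

The practical payoff is twofold: an attacker who lifts one record's key (or one database segment's worth of keys) gets only that data, and rotating the master key after a suspected compromise means rewrapping small keys rather than re-encrypting every byte you store.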

6. Yes, the old chestnut: back up everything that matters. Business cloud backup services have made this easier than at any time in the history of IT, so take advantage. Back up all of your data, preferably to more than one location or even with more than one backup service. At least one copy should be off-site, in the cloud or on servers as far from your primary location as is feasible, so the data is available for a disaster recovery (DR) scenario as well as routine restores. Don't count on the backup service to find and remove malware for you; some scan what they ingest, but the safe assumption is that any backup taken after an infection may contain it. Keep enough versioned history, ideally on storage that the systems being backed up cannot modify or delete, that you can restore from a point before the infection. With that in mind, back up what actually matters, which is your data. Don't back up the contents of client machines' hard disks, because that's probably where the malware is; restore those machines from standard images maintained by the IT department instead.

7. Finally, make a breach to-do list. This just means taking care of the administrative tasks that typically come with a breach. Keep a contact list that isn't stored only on a system that might be down or compromised, naming who must be notified in the event of a breach, preferably in the order they need to be called. Note what you need to tell each of them and the deadline by which you must notify them. Include the contact information for your DR service. Sit down with your legal team and senior managers and go over the list to make sure nothing has been overlooked. Once you've decided it's complete, confirm that by actually rehearsing your breach response.

After you've done all of this, not only will you rest easier, but you can also take credit for having a solid breach response, and for being ready whether or not you turn out to be one of the lucky few who never experiences a breach.

This article originally appeared on PCMag.com.